November 30

Better Tailored Offensive Assessment

The maturity of an organization’s security program and the number of past assessments should be critical inputs when an organization contracts for any kind of offensive assessment.  I can’t count the number of times that, when preparing to perform a penetration test, I have found that the organization had the exact same assessment at least once before, and often for many years running.  It is important that the assessment is not being performed simply to “check the box” for compliance.  While compliance is an important part of remaining secure, the bar set by most standards is not nearly high enough to protect an organization from modern malicious threats.  The assessment and its scope should be chosen from a risk-based and business-process standpoint, so that the test improves the organization’s security stance as well as meeting (or beating) compliance minimums.

Now it is certainly true that doing the same assessment each year is far better than no testing at all.  However, if an external pentest is performed against the same systems year after year, there is little chance of finding serious issues that were not already known.  There may well be a new vulnerability on those systems, but that kind of finding is usually caught by routine vulnerability scans.  Penetration tests and other in-depth offensive assessments are time-consuming and are generally performed only once or twice a year.  This means that most organizations have a limited window, once or twice a year, in which a skilled offensive security professional digs into whatever systems or networks they are authorized to examine.  It is the responsibility of leadership to consider their goals carefully and provide a scope of systems that will help them achieve both their business and security goals.

Expand what you test, expand what you know

Continuing to perform the same actions and expecting the results to somehow be different is futile.  Should these organizations be performing the exact same test year after year?  Does it even seem likely that doing so will make a significant impact past the first year?  The answer to both questions is simple and binary: No!

It is perfectly acceptable simply to add to last year’s test: check the same systems plus a new subnet or subset of systems.  By performing a penetration test once a year and expanding the scope as the security program matures, in just a few years the program will be significantly more mature, and awareness of the vulnerabilities and holes in the network will be remarkably improved.

Penetration testing and other offensive assessments, such as phishing, social engineering and adversary simulations (adversary simulations will be detailed in my next blog in this series), are most effective when specifically tailored to the target organization’s maturity.  For example, if an organization has never had any offensive assessment performed, it would be best to start small, with their most critical web-facing systems.  Once the web-facing infrastructure has been evaluated and remediated, another pentest of just those systems (the same scope) will not make a major impact on the company’s security stance.

Use the Hacker at your Disposal

If your organization is considering a penetration test, or has already scheduled one, make sure there is a detailed and thorough dialogue between the organization and the tester.  Hackers have been attacking systems for a long time, and we know some of the highest-risk areas.  We can help you determine how best to meet your goals and test the systems that are potentially at the greatest risk.

In all of CynergisTek’s penetration testing offerings there is a need to limit scope.  Money and time are not unlimited.  We strive to help you find the greatest value in your offensive assessments.  Regardless of the scope or number of IPs that are “included” with your test, we would rather look at the larger picture and help you narrow it down from a risk-based perspective.  We will assess the list and help identify the systems we believe are most at risk, allowing you to limit the scope as needed without lowering the value gained from the testing performed.

Copyright © 2014. John R. Nye, All rights reserved.

Posted November 30, 2016 by john.r.nye@gmail.com in category "Bellevue CYBR650"

About the Author

Professional penetration tester with nearly a decade of experience in IT security. For more details look me up on LinkedIn.