We often get contacted by small businesses requesting their first penetration test because of compliance reasons, or because of “industry best practices,” or just to get an idea of how bad things really are. In many of those cases, their environment isn’t nearly mature enough to make a pentest worthwhile. Sometimes they’re insistent and we work with them to make the test as helpful as we can, but usually that’s like shooting fish in a barrel.
Over the years I’ve found that a better approach is to discuss the motives for getting a pentest, and then explore other options that might be more efficient and effective. While this might cost us a sale, in the long run it’s better for the client, and ultimately makes them a better customer. And let’s be honest, while it’s fun to get Domain Admin access by 10am Monday morning, that usually makes for a pretty boring test. So this article is intended to be a roadmap for those smaller businesses, to guide them towards an improved security posture.
The first step is to get the horse in front of the cart: we need to understand the point of security testing so that we’re not just testing for the sake of the test. Even if the compliance auditors are forcing the engagement, there’s no reason not to get the most bang for your bucks. All tests are designed to determine whether or not the subject is performing as expected. Whether it’s a standardized test in grade school, a drug test, or a penetration test; the ultimate goal is always to determine whether our expectations match reality.
In your business or organization, you’ve spent countless hours and dollars on security controls to protect your assets. The simple goal of any security testing should be to confirm if those controls are successful at lowering risk. If they’re not, then you may need to rethink how you’re allocating those resources. And if the controls are successful, good testing will help you find the limits of those controls and where additional efforts are required.
So, where do we start? If the goal is to assess the success of your controls, then you need to document those controls and outline the threats they are expected to mitigate. It’s also good to brainstorm other potential threats to the organization. Possible threats can include anything that could cost the organization time, money or manpower, as well as anything that could hinder future sales, such as downtime and negative press. It’s important to have a strong understanding of every possible threat so that you can map specific security controls to addressing those threats.
This can often be done internally if you have competent staff, but may benefit from the assistance of a knowledgeable third party. At Secure Ideas we call this a Gap Analysis. The goal of that sort of assessment is to get a very high-level understanding of the controls in place with an eye towards finding gaps in coverage.
Once you have an outline of possible threats, and a list of security controls that are intended to prevent those threats, you can start to look for areas of weakness. There’s really no limit to how simple or sophisticated this testing needs to be. For example, if you have a firewall with a built-in IPS service that’s supposed to block network scanning, then you can perform a network scan with a tool like nmap and see what happens. I gave a talk at ShowMeCon 2018 on how to assess third party MSSPs in this way, but the principles apply to testing your own controls as well. You can view that here: https://www.youtube.com/watch?v=_SF4vw_mVnY
For more advanced organizations, we also perform Architecture Reviews that are a bit more involved than a Gap Analysis. These are interview-based assessments in cooperation with the client’s staff in which we discuss all of the different areas of information security. During an Arch Review, we review any available documentation (policies & procedures, configuration standards, etc) looking for areas that haven’t received a proper amount of focus. The goal of the Arch Review is to get as much detail from as many different employees as possible. This allows us to find those places where the actual work doesn’t always line up with the documented procedures.
Another option is to perform a Vulnerability Assessment. This is often done in conjunction with an Architecture Review. This assessment usually involves the use of an automated scanner on the client’s network. For clients that are already doing regular vulnerability scans, the focus of this type of assessment may lean towards analyzing existing scan data as well as reviewing the scanner configuration. For clients who aren’t performing regular scanning, this assessment can help determine whether the expected procedures such as patching and upgrades are actually being followed.
And finally, for organizations that are fairly confident in their existing controls, the Penetration Test is designed to simulate a real-world attack, to exploit vulnerabilities, and to plunder and pillage sensitive data. There are several different types of penetration tests with focuses on internal or external networks, web applications, mobile applications, wireless, etc. But they all have the same overarching goal: to assess the security of the target systems and demonstrate real-world business risk so that executives can accurately understand the potential costs of an attack.
In my experience, many organizations that come to us for their first penetration test aren’t ready for it. They’re moving down that path, but they’re not at the point of having reasonable confidence in their existing controls. Sometimes they don’t have a choice because of compliance/legal/regulations/etc. But sometimes they do. I always try to open up the discussion to better understand the goals of the testing and what they’re hoping to receive.
In general, my advice is for organizations to review the CIS 20 Controls (https://www.cisecurity.org/controls/). If they can’t put a checkmark beside most of those controls, then we probably need to start further up the chain with something like an Architecture Review. One of the advantages of partnering with a company like Secure Ideas is that we have the experience and flexibility to craft an assessment that meets each unique customer. Regardless of where they are along the path of becoming more secure, we love having the opportunity to make our clients better.
If you’re trying to up your security game, or aren’t sure exactly how to proceed, let us know. You can reach me directly at email@example.com.