Too many organizations today harbor a laissez-faire attitude towards penetration testing. That’s dangerous. Business and IT leaders can’t afford to think “we aren’t what hackers are looking for” or “we don’t need to spend the money on that now, we are fine.”
4 Common Attitudes Regarding Penetration Testing
Today, cyber breaches can occur at any entry point in your environment – from networks and applications to mobile devices. Over the course of conducting assessments for companies of all sizes, I’ve seen many cases where leaders:
- Fail to understand the depth and breadth of cyber risks facing their organization
- Underestimate the potential impacts to their people, performance and reputations
- Refuse to see value in undertaking the expense associated with cyber risk management
- Resist (and this applies chiefly to IT professionals) or are leery about having their systems validated for security and access control – particularly when the IT assets are Internet-facing
This ideology must change. Cyber attacks are growing more sophisticated. Networks include many more access points – and, correspondingly, many more potential points of vulnerability to infiltration. As a result, both business and IT leaders need to become much more proactive in determining where these vulnerabilities exist and how to mitigate these risks.
Overview of the Penetration Testing Process
Penetration tests begin with Deep Web Reconnaissance (DWR), an integrated risk management process that identifies potential risks related to, for example, domain registration weaknesses, shared infrastructure weaknesses, organization email addresses, previous breaches, dissatisfied customers or activism by a current or former employee. The outcome of this process helps provide the foundation for a “risk matrix” based on the organization’s operational practices. In turn, the risk matrix determines the use of various penetration testing methodologies including vulnerability scanning, social engineering, denial of service, man-in-the-middle, and other standard ethical hacking protocols.
So why is this so important? Penetration tests have become a widely recognized approach for identifying and quantifying cyber-risk. Certified Ethical Hackers (CEHs) actively attempt to ‘exploit’ vulnerabilities that reside in people, process and technology. CEHs then provide guidance around the vulnerability, impact, threat and likelihood of a compromise occurring with IT resources.
Internal and External Penetration Tests
Penetration tests can conventionally be run internally or externally (outside the firewall) from the Internet. While the two testing models are not mutually exclusive, your organization must decide on the appropriate testing model to employ based on its risk tolerance. Organizations with a strong focus on risk management will most frequently conduct testing from both an internal and external perspective.
Prevention Costs Less
The cost, on average, for a single location, single public IP environment, is around $15,000, depending on the complexity of the penetration tests and the abilities of the provider. This is not an inexpensive endeavor. But it’s far less than (1) the cost of repairing and recovering from even a minor attack, (2) the time required to do so, and (3) the risk that the breach will not be discovered for as long as several years. According to Cisco:
- The average cost of a breach increased by 9% from $5.4 million in 2013 to $5.9 million in 2014.
- The average time to resolve a cyber attack increased from 32 days in 2013 to 45 days in 2014.
- One third (33%) of organizations took more than two years to detect the breach.
- Most (55%) were unable to determine the cause of the breach.
As a CEO or COO, what are the key questions you need to ask your team?
- What are the risks and vulnerabilities facing our organization?
- When was the last penetration test conducted by our organization?
- Are we proactive in our mitigation strategy for vulnerabilities?
- What vulnerabilities are left to be addressed?
As a CTO, CIO or Director of Technology, what must you do?
- Establish a “risk profile” to identify potential types of attacks to which the organization might be susceptible.
- Champion and implement a paradigm shift from reactive to proactive vulnerability scanning, a philosophical approach that must be led from the top down.
- Embrace and utilize the penetration test model to justify resources and mitigation strategies on the front end.
- Utilize trusted Certified Ethical Hacker firms to conduct these assessments.
What are your thoughts on this? Care to share your perspective? Post a comment below!