Nearly half of U.S. businesses today have fallen victim to a cyber-attack, and a staggering 5.3 million North Carolinians were impacted by a data breach in the last year alone. Costs related to data breaches are skyrocketing, while the perpetrators of these crimes continue to find smarter and savvier ways to damage your brand and business. Enter the penetration test—a simulated cyber-attack designed to test your company’s security controls. There is no single tool as effective as the penetration test in identifying cyber threats to your organization.
Once reserved for very large corporations and government entities, penetration testing is now widely regarded as a highly effective, cost-efficient means of identifying the vulnerabilities in your company’s data network. The beauty of the penetration test is that it doesn’t just tell you what’s wrong with your system security, but what’s right, too. This allows your company to be more strategic in the development of new policies, applications, and protocols, leading to a better allocation of resources.
Should your company perform a penetration test? And if so, how often? Before we get to that, let’s take a look at the specifics of penetration testing.
Often referred to as “ethical hacking,” a penetration test is undertaken by elite cybersecurity professionals who, at your direction, attempt to gain access to company assets and controls—digital, physical, organizational, and human. The “hackers” may conduct their assessment onsite, over the Internet, or both. The assessment typically includes a test of company firewalls, servers, wireless networks, workstations, physical locks, and anything else that may impact an organization’s security.
While any company could benefit from a penetration test, for some it is strongly, even urgently, recommended. And for select businesses in the financial services industry, new state and federal regulations actually require penetration testing. In short: if your business deals with any type of sensitive information (banking details, Social Security numbers for payroll, credit card numbers for payment processing, intellectual property that may be valuable to competitors), you should plan to have a penetration test.
An increasing number of states have enacted legislation detailing the data protection responsibilities organizations have to their customers and employees, along with remediation requirements in the event of a breach. A breach can incur massive costs: fines, legal fees, remediation services (such as purchasing credit monitoring for all affected parties), and negative publicity. A penetration test can help organizations minimize their exposure to the legal consequences associated with data breaches. In the event of an incident, being able to demonstrate that due care was taken to implement and test security controls can reduce or eliminate government and/or regulatory fines.
Despite the importance of information security, few organizations have personnel dedicated to this role. Oftentimes, the responsibility falls to IT or finance department staff, most of whom lack the security knowledge needed to assess cyber threats effectively. Even organizations that do have dedicated security administrators generally do not have the expertise and ability to provide an in-depth and practical assessment of security controls in the same way an outside “hacker” does.
By bringing in a consulting company with zero insider knowledge to perform a penetration test, an organization can receive the most realistic overview of their security posture.
Make sure to select your “hacking” firm after careful consideration of their expertise, certification, and background. Include both legal and technology personnel in the selection committee. When interviewing potential providers, make sure to inquire about the assessment process, scope, and certifications held by team members.
Certifications commonly held by penetration testers include OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional), and Security+. While all of these certifications are valid and relevant to the security field, only the OSCP certification demonstrates hands-on penetration testing ability, so be wary of any candidate whose team does not include at least one member with this certification (or another hands-on penetration testing certification).
When discussing an assessment with providers, ensure the proposed service truly is a penetration test. Many businesses, especially outsourced IT service providers, will offer a service listed as a penetration test that, in reality, is just a checklist-based risk assessment or a vulnerability assessment conducted with automated software.
The best way to know what you are getting before signing a contract is to request a redacted copy of a previous engagement report. Any reputable vendor will not hesitate to provide a sample of prior work. It is also recommended that the selected service provider offer only assessment services, so you can be confident that the findings of the assessment are not an attempt to sell future services. In short, make sure you know exactly what services you are receiving before any agreement is signed.
Finally, be ready to invest in additional security solutions following the assessment. No organization is perfectly secure, so you should be prepared to remediate the vulnerabilities uncovered during the assessment. Having knowledge of exposure but failing to act may open your organization up to additional liability in the event of a breach.
Drew Green, CISSP, MCSE
Director of Information Technology & Security Services
Thomas Judy & Tucker
drew@gfsec.net