Watch the news—cybersecurity is the hot topic in the business world today. With all this attention, it’s no surprise that more service providers are adding cybersecurity to their service menu. Offense-oriented services, like penetration testing, can be a cost-effective way to identify vulnerabilities. Executives, senior management, and boards of directors are keen to find their own weaknesses, as they are the ones that will be held accountable in a breach.
With more organizations seeking penetration testing services, security firms see an opportunity to capitalize. Many of these firms have set up their service offerings in this area without the appropriate level of talent, capacity, and capability. It is difficult for a potential client to identify that a penetration test does not pass muster, and it is very easy for firms to make the same bold and reassuring statements that a qualified team can make.
In order to effectively defend against cyber crime, organizations must be proactive and anticipate threats with an offense-oriented approach to cybersecurity. Here are my top 4 pieces of advice when looking for an offense-oriented cybersecurity provider.
- Experience is the Cost of Admission
With the cybersecurity talent shortage expected to grow to over 1.5 million unfilled positions, the industry has seen an increase in individuals interested in adding cyber skills to their resume. Also, as the need for cybersecurity services increases in U.S. enterprises, certifying bodies have responded with several cyber-focused certifications that may be obtained by attending a training course, often 1-2 weeks of classwork, and passing a multiple-choice exam.
While certifications are a valuable training exercise, modern organizations, and their executives with whom the ultimate cyber resilience responsibility lies, should ensure that their cybersecurity provider has the relevant real-life experience to defend against evolving cyber threats.
Neither lenders, investors, nor underwriters would accept financial statements audited by an accountant whose auditing background was a one-week training course and multiple choice exam, so why would you risk the continuity of your organization on penetration testing performed under the same circumstances?
- Inexperience Can Disrupt Operations
The automated scanning tools widely used in the penetration testing industry are extremely dangerous to sensitive systems. In “Rising to the Challenge of Pen Testing ICS,” our Director of Cyber Operations Wes McGrew shares some examples from a Sandia National Labs report that show the severity of incidents that can occur when penetration testing is performed carelessly or by penetration testers inexperienced in ICS. Some sample incidents from the report include:
- An automated scanning tool caused a 9-foot robotic arm to activate and swing 180 degrees, luckily with no one in striking distance.
- The same tool caused the destruction of $50,000 worth of material on a manufacturing line.
- A penetration test halted a gas pipeline’s operations for four hours.
Organizations engage cybersecurity experts to improve their security posture and the overall efficiency and effectiveness of their IT operations. Don’t let your choice of service providers cause an outage that impacts your revenue-driving systems.
- Insecure Testing Methodologies Can Introduce Unnecessary Vulnerabilities
On a recent engagement, our team identified a back door on a client’s network that was left open by a previous penetration tester. Unfortunately, this is a common mistake caused by inexperienced penetration testers who rely on widely available tools and training resources. The speed at which many training programs certify new penetration testers leaves no time to ensure that secure penetration testing operations are adequately covered, if covered at all.
Penetration testers who employ insecure methods during their engagements are also a jackpot of sensitive data for hackers. Penetration testing is intended to simulate a cyberattack, not enable one.
- Traditional Penetration Testing Ignores 90% of an Organization’s Cyber Risks
Many “penetration test” reports I see are nothing more than a vulnerability scan with few attempts to exploit vulnerabilities identified during the scan. While this type of assessment is better than nothing, clients are often surprised to learn that this exercise will only identify approximately 10% of the vulnerabilities on their network. Automated scans identify vulnerabilities by comparing against databases of publicly known vulnerabilities. The vulnerabilities in the public databases are typically related to mainstream hardware and software, such as Microsoft, Cisco, and Adobe. Most organizations have implemented custom developed, or heavily customized, applications. Vulnerabilities in these applications and misconfigured hardware are typically not identified by automated vulnerability scanning—and these are usually 90% of the vulnerabilities present on a network.
In order to fully assess your IT environment’s vulnerabilities, an advanced penetration test should be performed by a team of highly specialized penetration testers who understand applications, reverse engineering, sensitive infrastructure, and secure penetration testing methods, and who can connect the dots between the vulnerabilities identified and the related business impact.