
Effective, next-gen pentesting demands expertise

To achieve full value from pentesting, modern penetration testers need to be as creative and devious as cyber criminals.
By Christo Coetzer, Director and CEO, BlueVision ITM.
Johannesburg, 04 Dec 2024
Christo Coetzer, director and CEO, BlueVision ITM.

Organisations can't afford to treat penetration testing (or pentesting) as a compliance checkbox exercise any longer.

To properly mitigate fast-changing risk, pentesting needs to be built into infrastructure roadmaps and carried out regularly by multi-skilled, multi-faceted teams.

South African organisations are beginning to take pentesting more seriously as part of broader risk mitigation. An emerging focus is impact-driven reporting, where organisations care more about the potential impact of a vulnerability than about the mere fact that they have one.

In fact, some vulnerabilities are deemed low risk and left unattended for years, however ill-advised that may be.

Printers, for example, may rank low on the priority list, but when they are linked to Active Directory users and store copies of signed contracts, they can be a goldmine of information in the wrong hands.

Companies typically sit at one of four levels of maturity in their approach to pentesting. At the lowest level, they just want the checkbox ticked to meet compliance and regulatory requirements.

At the next level, they have security controls in place and want to know how well those controls protect them. At level three, we start moving into teaming exercises, testing not only the technology but also how quickly staff react.

At the most advanced level, active teaming exercises take place with announced or unannounced attacks, and SLAs and reaction times are measured. The technology, the personnel and the response time of the organisation's security or risk officers are all assessed.

Ideally, pentesting should be carried out regularly, tied to the milestones of a business infrastructure deployment plan. In a three-year deployment plan, for instance, the first year might see e-mail and communication set up, and that should be tested. The following year, when workloads are moved to the cloud, that migration should be the focal point, and finally, when security investments are made, those controls should be tested.

This approach makes the objective of each pentest much clearer and the results much more valuable to the organisation.

After the initial deployment, pentesting should continue at regular intervals to find vulnerabilities that were not detectable at the time, such as zero-days that have since become publicly known. Annual testing is ideal, with full impact assessments and reports on response times and capabilities across all stakeholders.

Multi-faceted expertise

Working with experienced partners and multi-skilled pentesting teams is crucial to getting full value from pentesting. As cyber risk grows more complex, so do the tools and techniques needed to combat it.

In the world of penetration testing, this means harnessing more tools, more layers of testing and more creative techniques to bypass more advanced security systems, such as extended detection and response solutions.

To be effective, modern pentesters need to be as creative and devious as cyber criminals themselves. Traditional, textbook-style approaches simply don't work anymore, because next-generation security controls detect them.

Modern pentesters must become serial multi-taskers, understanding how enterprise systems are developed and built, and how they work.

Companies need to understand how all of these systems operate in order to deploy the right testing techniques for them. Organisations no longer run static websites, for example: they have layered applications with third-party libraries involved.

Pentesters need to stay abreast of progress in technology to understand where organisations might be vulnerable, and what the impact would be if they were breached.

Ideally, pentesters should have experience as both attacker and defender, and be able to apply that experience in the market. Those who actively participate in incident response stay abreast of the latest cyber crime exploits and gain a deep understanding of the full kill chain and its impacts. Having access to defensive tools also gives us a 'playground' in which to see what defensive capabilities can break.

On top of this, pentesters must be endlessly curious and creative; for example, finding prompt workarounds to persuade generative AI to help us break into systems.

Pentesting today requires more creativity in the thought process to bypass advanced security controls. In future, pentesters may even have to learn physics to cope with the demands of a quantum computing era.

To ensure your organisation has the right pentesting partner, look for multi-skilled teams with incident response and technical experience, accredited by an independent international organisation such as CREST, which assures that they work to the highest standards of quality and reliability.