Penetration testing – the million-dollar question

The practice of having a penetration test (pen test) performed on companies is nothing new – in fact, many organisations have pen testing baked into their security strategies, policies and mandatory requirements.

The purpose of having a penetration test conducted is to help businesses find out where they are most likely to face an attack and proactively shore up those weaknesses before hackers and cyber criminals can exploit them.

According to CREST, a UK-registered NPO offering technical certifications and accreditations: “Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and/or insiders to identify attack vectors, vulnerabilities and control weaknesses. It involves the use of a variety of manual techniques supported by automated tools and looks to exploit known vulnerabilities and uses the expertise of the tester to identify specific weaknesses in an organisation’s security arrangements. Penetration testing is often confused with vulnerability assessments.”

Much like vulnerability assessments, the main objective of penetration testing is to identify security weaknesses. The fundamental difference lies in the manual (non-automated) identification and exploitation of vulnerabilities. The value proposition of a penetration test is to identify and exploit vulnerabilities that a vulnerability scan could not, or would not, identify or exploit.

Most vulnerability scanning software solutions consist of a predefined (and regularly updated) known list of checks and vulnerabilities run against a target to highlight risks that match the check criteria. Although this is a fundamental part of the penetration testing process, many threats are not identified purely by scanning. These threats need a penetration tester to manually probe the environment, interpret responses and tailor their attacks – resulting in the identification of threats that would have otherwise been missed.

Unfortunately, many penetration tests marketed and sold to businesses are nothing more than a vulnerability scan – leaving organisations potentially exposed to threats that were never identified. This also blurs the lines between the two value propositions and ultimately results in an attractive price point for the organisation, as less effort is required. But at what cost?

So what is the million-dollar question?

Although there is an obvious benefit in identifying and mitigating threats on a regular basis, the million-dollar question is: why? Why does the threat exist?

More often than not, you may find that the root cause of the threat can be attributed to one of the following:

  • Patch management – Are patches and security updates applied regularly, consistently and completely?
  • Secure development/coding – Are the developers and/or technical staff equipped with the knowledge of how to avoid introducing potential risks?
  • Multi-factor authentication – Are you still over-trusting passwords? Is MFA embedded?
  • Default configurations – Are default usernames, passwords and ports removed or changed to avoid unnecessary risk exposure?
  • User awareness and training – Are staff regularly trained and made aware of risks, threats and attack vectors, as well as how to avoid falling victim to them?

Nathan Desfontaines, MD at CyberSec Consultants, says: “The benefit of a penetration test for a company is not purely in remediating threats and vulnerabilities, but also in identifying the root cause. The existence of a risk should indirectly inform the relevant policy, process or procedure, as that is either inadequate, not being adhered to, or not documented at all. Either way, there is a control that is not operating effectively.”

Even with the best compensating controls, such as state-of-the-art security technology, cutting-edge tools and monitoring through security information and event management (SIEM) tools, coupled with security operations centres (SOCs), a root cause analysis should always be considered to determine why a threat (risk) existed at all.

With this in mind, penetration testing can also be used to test an organisation's security policy, its adherence to compliance requirements, its employees' security awareness, and the organisation's ability to identify and respond to security incidents.

Believe it or not, penetration tests offer more value than purely a compliance check-box or mandatory security requirement.

CyberSec

CyberSec Consultants is a specialist advisory and solutions company made up of cyber security subject matter experts that assists organisations in identifying and minimising their cyber security risk.

  • A Business-enabling, enterprise-wide information security competency based on…
  • Controls that are “baked-into” every service offering, enabling the business to…
  • Reduce organisational exposure to security threats and vulnerabilities and ensure…
  • Compliance with applicable Legal and Regulatory requirements as well as…
  • International best practice security standards, aimed at producing…
  • Effective, independently validated controls delivered through…
  • Fit-for-purpose and cost effective security initiatives, that promote…
  • Business ownership and stakeholder buy-in, creating confidence in…
  • The ability to effectively respond to security incidents, ultimately leading to…
  • Exceptional customer trust, and…
  • Improved overall IT Governance

Web: www.cybersec.co.za
Phone: +27 (0) 10 140 6535
Email: info@cybersec.co.za

CyberSec Consultants – Being Part of The Solution