Last year, my colleague Fabrice wrote about the benefits and challenges of penetration testing to businesses’ security. I decided to revisit the subject and provide more insight as a practicing security engineer.
An opportunity to compile a security checklist
Something I hear a lot when talking shop with colleagues and friends is that the companies they work with aren’t ready to undertake a penetration test (‘pentest’ for short). I find this notion puzzling. Why do they think they’re not ready for a pentest?
“Because you’d get in too easily” is a frequent response. I find this amusing because that is an excellent reason to conduct a security assessment. A pentest is not a validation check that one undertakes when one is sure that the attacker can’t get in; it is an exercise that helps a company identify and prioritize security issues that need to be fixed. It helps defenders understand how an attacker would get in, why it is easy to get in, what impact one can expect from an intrusion, and, hopefully, what countermeasures can be put in place to detect and prevent attacks.
I once had the opportunity to run an internal security assessment for a company that had never had one done before. The first day of the engagement, the client apologized for not having a wired connection ready for us and asked us to make ourselves comfortable while we waited. In the meantime, a guest Wi-Fi connection was available for our use, should we wish to check our mail and prep for the engagement. By the time our contact came back to say the wired connection would soon be ready, we had remote access to several internal systems.
It was easy to gain access to this particular client’s infrastructure; does this invalidate the pentest? Not necessarily. During our assessment, we were able to confirm that an attacker could compromise sensitive business information and cause long-term damage to the client’s systems; it’s one thing to suspect your systems are vulnerable, but to have those suspicions confirmed along with identification of an attack path and a realistic timeframe for an attack is an entirely different kettle of fish. More importantly, our assessment provided a prioritized list of what should be fixed along with suggestions on how to remediate. This ‘security checklist’ is in many ways the best thing a pentest can do for you; it provides you with a starting point for building your defenses so that you can make your security investments count.
A chance to test your defenses before they are tested for you
In addition to providing you with a prioritized list of security issues to fix, pentesting can provide valuable insight into how good your defenses are. Let’s say you’ve invested significant resources into building up your security operations center (SOC). How good are you at detecting intrusion attempts? How long does it take your team to respond? Are you able to determine how many systems were affected by the latest attack? What is the impact of a successful phishing campaign within your organization? These are questions that are practically impossible to answer unless your SOC has had the chance to test its mettle during an attack.
On one occasion, we conducted a two-part security engagement of a client infrastructure: an external pentest followed by an internal assessment. When I came in for the internal part, the client gave me a tour of their security center, which featured several large screens with the latest security alerts. With a grin, he pointed out a series of alerts tagged with a familiar IP address: their systems had correctly detected not only our automated scans but much of our manual probing as well. They’d also had the chance to use our tests to tune their systems so that alerts would flag an attack without uselessly flooding their monitoring tools with redundant information.
The most productive pentests are those that involve communication between the blue team and the red team; by getting your defenders to talk to the attackers, you can see if your defense has any blind spots. It also gives your SOC the chance to test out some of their response processes or tools that they would not have the opportunity to cut their teeth on otherwise.
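The alert tuning mentioned above, turning a flood of identical deny alerts from a scanning host into one summarized alert per source, can be illustrated with a small piece of detection logic. The following is an added example, not code from the original post or from the client's SOC; the firewall log format (an ISO timestamp followed by key=value fields) and the sample lines are constructed, and the thresholds (a 60-second window, five distinct host:port targets) are assumptions to be tuned against real traffic.

```python
"""Scan-alert aggregation over constructed firewall deny logs (added example).

Assumptions: log lines look like 'TS src=... dst=... dport=... action=...';
the window and target threshold are illustrative, not recommended values.
"""
from datetime import datetime, timedelta

# Constructed sample log: one port scan at 09:00, two benign denies from a
# different host, and a second scan at 09:10 (outside the first window).
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.5 dst=10.0.0.7 dport=21 action=deny
2024-05-01T09:00:01 src=203.0.113.5 dst=10.0.0.7 dport=22 action=deny
2024-05-01T09:00:02 src=203.0.113.5 dst=10.0.0.7 dport=23 action=deny
2024-05-01T09:00:02 src=203.0.113.5 dst=10.0.0.7 dport=25 action=deny
2024-05-01T09:00:03 src=203.0.113.5 dst=10.0.0.7 dport=80 action=deny
2024-05-01T09:00:03 src=203.0.113.5 dst=10.0.0.7 dport=110 action=deny
2024-05-01T09:00:04 src=203.0.113.5 dst=10.0.0.7 dport=143 action=deny
2024-05-01T09:00:04 src=203.0.113.5 dst=10.0.0.7 dport=443 action=deny
2024-05-01T09:02:10 src=198.51.100.9 dst=10.0.0.7 dport=445 action=deny
2024-05-01T09:05:30 src=198.51.100.9 dst=10.0.0.7 dport=445 action=deny
2024-05-01T09:10:00 src=203.0.113.5 dst=10.0.0.8 dport=22 action=deny
2024-05-01T09:10:00 src=203.0.113.5 dst=10.0.0.8 dport=80 action=deny
2024-05-01T09:10:01 src=203.0.113.5 dst=10.0.0.8 dport=443 action=deny
2024-05-01T09:10:01 src=203.0.113.5 dst=10.0.0.8 dport=3389 action=deny
2024-05-01T09:10:02 src=203.0.113.5 dst=10.0.0.8 dport=8080 action=deny
2024-05-01T09:10:02 src=203.0.113.5 dst=10.0.0.8 dport=8443 action=deny
"""


def parse_line(line):
    """Parse one 'TS key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def per_event_alerts(events):
    """Untuned rule: every denied connection becomes its own alert.

    This is the behaviour that floods a monitoring console during a scan."""
    return [f"{e['ts'].isoformat()} deny {e['src']} -> {e['dst']}:{e['dport']}"
            for e in events if e["action"] == "deny"]


def aggregate_scan_alerts(events, window=timedelta(seconds=60), min_targets=5):
    """Tuned rule: at most one alert per source per time window.

    An alert is raised the first time a source has been denied to at least
    `min_targets` distinct host:port pairs inside the window, and later events
    in the same window only update that alert's counters instead of adding
    new alerts. A new window (and possibly a new alert) starts once the
    source's first event in the current window is older than `window`."""
    state = {}   # src -> {"start": datetime, "targets": set, "alert": dict|None}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "deny":
            continue
        s = state.get(e["src"])
        if s is None or e["ts"] - s["start"] > window:
            s = state[e["src"]] = {"start": e["ts"], "targets": set(), "alert": None}
        s["targets"].add((e["dst"], e["dport"]))
        if s["alert"] is not None:
            # Already alerted for this window: enrich, do not re-alert.
            s["alert"]["targets"] = len(s["targets"])
            s["alert"]["last_seen"] = e["ts"]
        elif len(s["targets"]) >= min_targets:
            s["alert"] = {"src": e["src"], "first_seen": s["start"],
                          "last_seen": e["ts"], "targets": len(s["targets"])}
            alerts.append(s["alert"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"untuned rule: {len(per_event_alerts(evs))} alerts")
    for a in aggregate_scan_alerts(evs):
        print(f"tuned rule: {a['src']} hit {a['targets']} targets "
              f"between {a['first_seen'].time()} and {a['last_seen'].time()}")
```

On the constructed sample the untuned rule emits sixteen alerts, while the tuned rule emits two (one per scan window) and stays silent on the host that was denied only twice, which is the kind of signal-to-noise improvement a pentest's known-source traffic lets a SOC calibrate before a real intrusion.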
A way of seeing how prepared your staff is for attacks
Pentesting is not only a good training opportunity for your team; it is also a good means to evaluate the readiness of your most important asset against attacks: your employees. By that, I do not mean your SOC team: I mean non-technical staff and technical staff alike, throughout your organization. When we organize simulations of phishing campaigns, we request authorization to send emails to a representative population of our client’s staff, so as to realistically gauge the chances of a successful attack and estimate its impact. If the risk is significant, we’ll recommend security awareness training and then a follow-up simulation. You would not believe how much a mere two hours of security awareness training can benefit your company’s security!
The big picture
Penetration testing is a discipline that businesses often approach with a sense of apprehension, feeling that it is a better investment of time and resources to buy security solutions before mandating a pentest. While it makes a certain amount of sense to be prepared before one is conducted, I would contend that a pentest is a great way to evaluate how your assets, infrastructure, and staff can best benefit from strategic investments in security tools and training.