Poking and prodding your own network defenses helps reveal security gaps, so you can close them — before cyber threat actors discover and exploit them. This is the primary benefit of penetration testing and why it is a key step that a growing number of companies and government organizations now take to mitigate cyber risk.
This cybersecurity process is so important that the U.S. Congress recently introduced H.R.8403 — the Proactive Cyber Initiatives Act of 2022 — to mandate penetration testing for moderate to high-risk government systems, and to require federal agencies to report on proactive cybersecurity methods.
The end-goal of penetration testing (aka, “pen” testing) is to develop a more proactive approach, allowing a “red team” to find gaps before an attacker does. However, there are multiple questions to ask as you approach these engagements.
We’ll examine these important considerations in detail during this two-part blog series.
Some gaps uncovered during penetration tests may be both simple and crucial — such as finding software that has been “end-of-lifed” and is no longer supported by the vendor. Working with our clients, we often discover software that is vulnerable to attacks happening in the wild because it is missing the latest security patch or hotfix.
This type of security oversight is regularly uncovered in a pen test, and it represents a critical finding since it presents hackers with a wider range of potential attack vectors. Think of it like this: Your front door might have a deadbolt, but if that deadbolt is rusty or the faceplate is missing, a thief will have a much easier time getting into your home.
Other findings discovered during a penetration test vary in severity. However, each one potentially gives an attacker all they need — which is a single weakness to exploit.
Does your login page limit the rate of login attempts? If not, hackers can pummel your site as many times as they wish to find the one security gap they need.
Is WebView debugging enabled? If so, this could allow a threat actor to obtain sensitive information or take over an affected user’s settings.
Does logging out of the application invalidate or revoke the session token on the server? If not, a hacker could re-establish the session with a captured token after the authorized user logs off and walks away from the computer.
This is not an exhaustive list; it is only a sample of what penetration testing can uncover in your environment to help you secure your government agency or organization.
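Two of the findings above, missing login rate limiting and sessions that survive logout, come down to server-side state that the application either keeps or does not. The following added example (not code from the original post or from BlackBerry) shows the defensive side of both in one small, self-contained authentication service: a fixed-window limiter on failed logins keyed by client address and username, and a server-side session table from which logout actually removes the token, so a replayed token is rejected. The user records, the limiter thresholds and the injectable clock are constructed for the example.

```python
import hashlib
import secrets
import time

MAX_FAILED_ATTEMPTS = 5   # failed logins tolerated per window (constructed value)
WINDOW_SECONDS = 300      # fixed window for the limiter (constructed value)
SESSION_TTL_SECONDS = 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; parameters kept small for the example.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def _token_key(token: str) -> str:
    # Store only a digest of the bearer token so a leaked session table
    # cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    def __init__(self, users: dict, clock=time.monotonic):
        # users maps username -> plaintext password (constructed sample data);
        # we hash them at startup so nothing plaintext is retained.
        self._clock = clock
        self._users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _hash_password(pw, salt))
        self._attempts = {}   # "ip:user" -> (window_start, failure_count)
        self._sessions = {}   # sha256(token) -> (username, expires_at)

    def _rate_limited(self, key: str) -> bool:
        now = self._clock()
        start, count = self._attempts.get(key, (now, 0))
        if now - start >= WINDOW_SECONDS:   # window expired: start a new one
            start, count = now, 0
        self._attempts[key] = (start, count)
        return count >= MAX_FAILED_ATTEMPTS

    def _record_failure(self, key: str) -> None:
        start, count = self._attempts[key]
        self._attempts[key] = (start, count + 1)

    def login(self, username: str, password: str, client_ip: str):
        """Returns (token, status); token is None unless status == 'ok'."""
        key = f"{client_ip}:{username}"
        if self._rate_limited(key):
            # Refuse even a correct password while the window is exhausted.
            return None, "rate_limited"
        record = self._users.get(username)
        if record is None:
            # Hash anyway so unknown and known users take similar time.
            _hash_password(password, b"\x00" * 16)
            self._record_failure(key)
            return None, "bad_credentials"
        salt, stored = record
        if not secrets.compare_digest(_hash_password(password, salt), stored):
            self._record_failure(key)
            return None, "bad_credentials"
        self._attempts.pop(key, None)   # success clears the failure counter
        token = secrets.token_urlsafe(32)
        self._sessions[_token_key(token)] = (username, self._clock() + SESSION_TTL_SECONDS)
        return token, "ok"

    def validate(self, token: str):
        """Returns the username for a live session, or None."""
        entry = self._sessions.get(_token_key(token))
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            self._sessions.pop(_token_key(token), None)
            return None
        return username

    def logout(self, token: str) -> bool:
        # Revocation happens here, on the server. Merely telling the client
        # to drop its cookie would leave a captured token usable until expiry.
        return self._sessions.pop(_token_key(token), None) is not None


if __name__ == "__main__":
    svc = AuthService({"alice": "correct horse battery staple"})
    token, status = svc.login("alice", "correct horse battery staple", "203.0.113.7")
    print(status, svc.validate(token))
    print("logout:", svc.logout(token), "after logout:", svc.validate(token))
```

Keying the limiter by address and username together lets a pen tester's brute-force run trip the limit quickly without locking a legitimate user out from another address; the session table is the piece a test of "does logout really revoke?" exercises, by replaying the old token after logout and expecting a rejection.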
Proactive penetration testing provides the strongest approach to maintaining a secure environment. While this can start at the software layer — say an AI-driven capability to catch malicious files before they execute — it also should include the right people and processes: who performs the tests, and who is best placed to remediate any gaps they find in the security posture.
Regular testing will allow your organization to stay ahead of threats. It’s almost guaranteed that once you correct the gaps from one cycle of penetration testing, you’ll find other — and often different — vulnerabilities. The more you test, the more opportunity you’ll have to find and fix those gaps that will otherwise haunt you, should an attacker find them before you do.
Many organizations find that penetration testing is a great place to start and, as the tests become an integrated part of their security program, they often advance to breach simulations. While penetration tests find gaps in the “walls” of your environment, breach simulations go deeper to identify paths that a hacker might use once inside your defenses, to ultimately get to corporate or government agency data. After all, threat actors really want the same thing you do: your data.
Failure to properly pen test your environment leaves you more vulnerable than you need to be, and it can also impact your insurability and cyber insurance coverage. BlackBerry research recently discovered that more than one-third of organizations are denied cyber insurance because they lack security controls that insurers require, like endpoint detection and response (EDR). While EDR solutions such as CylanceOPTICS® from BlackBerry can be critical in the event of an attack, and endpoint protection platform (EPP) products such as CylancePROTECT® can do a great deal to prevent attacks from occurring in the first place, they are not substitutes for a rigorous pen testing program.
Because of mounting ransomware coverage losses, cyber insurance companies are taking a more stringent look at payouts, and adding exclusions to their policies. Some of these exclusions are based on who the threat actor is, and on the actions a company has taken to prepare itself to defend, identify, and contain cyberattacks. Penetration testing, breach simulation, “purple team” testing, tabletop exercises, and periodic assessments of a company’s security program, represent a few of the ways that companies can ensure they get the highest insurance payout if they are attacked, and at the same time, minimize their chances of being attacked successfully in the first place.
Organizations face many challenges that sometimes make penetration testing difficult to execute. Here are six common ones:
In summary, penetration testing greatly improves your security posture by revealing security gaps you can close — before attackers find and exploit them. It is one of the best ways to mitigate the risk of a successful cyberattack against your organization.
In Part 2 of our series, we’ll look at how to approach your red team efforts. This includes looking at what you should test, and how you should test, including understanding the differences between automated pen-testing and human-driven tests.
Richard Harsell is Senior Services Account Manager, Federal, at BlackBerry.