The importance of penetration testing (pen testing) has noticeably increased in recent years, for a number of reasons.
As the general public grows more educated about the risks associated with the hosting of their personal information, public outcry and media scrutiny can severely tarnish a brand in quick fashion. Recently there have been large fines, such as the $34 million fine levied on Yahoo in 2018 concerning their data breach four years earlier.[1] A growing number of security laws, frameworks and compliance regimes have been adopted across various industries and jurisdictions that either mandate or recommend pen testing as an inherent part of a company’s cybersecurity plan. With the General Data Protection Regulation (GDPR) now in force in Europe, the practice of covering up or delaying the disclosure of a data breach is ending across the world. Similarly, the practice of ignoring regular, high-quality pen testing is ending as well.
It is important to note what a pen test is and is not. A pen test is not a vulnerability assessment. It cannot be implemented in automated fashion by an appliance or pre-configured scripts. Its purpose is not to present a list of discovered exploits. The purpose of a pen test is to obtain the services of a highly knowledgeable and experienced IT professional who assumes the role of an attacker. That attacker is assigned not only the task of discovering vulnerabilities, but also of using them to access your sensitive data. A pen test is not just about looking for holes in your network perimeter; it utilizes a broad assortment of attack techniques, including social engineering measures and all available tools in the hacker tool belt. A pen test is not just about exposing exploits, it is about evaluating risks to your business.
Why conduct a pen test?
There are many reasons to conduct a pen test. If you deal with cardholder data, then you are required to implement both internal and external pen testing by the Payment Card Industry Data Security Standard (PCI DSS). If you are a financial institution operating in the state of New York, you are required to do so by the State Department of Financial Services Cybersecurity Regulations. While HIPAA does not formally require pen testing, it does call out external and/or internal penetration testing as the recommended method of meeting many of the technical evaluation requirements for medical organizations. Pen testing is also an effective way to assure compliance with SOX regulations. If your business is in any way tied to the personal data of anyone residing within the European Union, you are required to test the effectiveness of your security controls on a regular basis.
Required pen testing is a growing trend in the digital world today. Ensuring that your company meets required compliance is critical. According to Verizon’s 2017 Payment Security Report (PSR), 100% of breached PCI certified companies failed their PCI compliance audit.[2] This is why pen testing is more than ensuring that an auditor can mark the appropriate checkbox. The IT professional who conducts a pen test is a prognosticator, someone who can show you how an attacker would approach your network and compromise your data. In a recent survey of professional hackers involved in pen testing, 88 percent of ethical professional hackers cited the ability to infiltrate an organization and exfiltrate targeted data within 12 hours, while 69 percent reported never being detected by the security teams assigned the task of stopping them.[3] A pen test isn’t about the theoretical, it is about reality.
Pen testing is about more than checking a box. It is about ensuring that the data of your customers and employees, as well as the integrity of your organization, remain secure. It is an investment with significant potential payoffs as well. Astoundingly, 50 percent of all small businesses will experience some sort of cyberattack, and 60 percent of SMBs that experience one go out of business within six months of the attack.[4] In addition, fines involving data breaches are going up worldwide. The $700,000 fine that Hilton was ordered to pay last year would cost $420,000,000 under GDPR.[5]
Pen Tests are qualitative operations
Face it, your company is far more worried about veteran hackers or state-sponsored attackers than part-time novices. Today’s hacker is not someone living in their mom’s basement wearing a hoodie. They are highly organized criminal organizations that operate on a global scale. Oftentimes, these same organizations are behind the attacks we regularly read about in the news every day.[6] These organizations hire the best of the best, recruited from some of the finest schools in the world. In order to combat the efforts of these elite criminals, you need to acquire the services of an elite security professional. Because hackers often work as a team in order to maximize their combined skill sets, a pen test conducted by a dedicated team is of more value.
The old adage, to catch a thief you must think like a thief, is applicable to pen testing. While pen testing requires an in-depth understanding of technology and cybersecurity, it also demands resourcefulness and problem solving. A pen test is not necessarily about implementing technology; it is about creatively circumventing security controls. Hackers today utilize a wide assortment of tricks and tools to infiltrate networks. A pen test today must include a wide variety of software, hardware and social media attack avenues. It is important that a pen test not be littered with false positives that dilute the reliability of the results and waste the time and effort of remediation.
An effective Pen Test is an end-to-end process
The process of conducting a pen test doesn’t begin the day of the actual test. It starts with a preliminary meeting in order to define a clear and comprehensive scope of what the pen test will include, making sure that the expectations are clearly defined for all parties. It is imperative that the team conducting the pen test understand your business and network environment. The scope must include all of your high-value data assets. The post-test process includes the presentation of a complete summary of the discovered vulnerabilities, as well as the remediation required to secure those attack avenues. The final report entails a risk analysis that should not be a list of generic, “catch-all” remediation phrases but should include customized solutions to address your particular threats. It is also essential that the final report not only be technically oriented, but be formatted to explain the revealed risks in a manner that business leaders can understand, so they can make clear decisions regarding the pen test results.
Must-have capabilities of best in class pen test providers
Data breaches are conducted by formidable adversaries at the top of their game. This means that you need a best-of-breed pen test provider that can emulate their malicious efforts. Some of the competencies a pen test provider should have include the following.
- Project Management Discipline – a pen test should be treated as a project to ensure that all expectations and conditions are met. This requires the services of a project manager who is experienced with all facets of the project from start to finish. The project manager should have a dedicated team of disciplined professionals to carry out the tasks at hand.
- Industry Standard Methodology – A proprietary pen test methodology is of little value to those who must provide their pen tests for an audit review. A pen testing firm should disclose and utilize industry-standard methodologies to ensure that the test results are repeatable and understood by all parties.
- Continued Communication – A pen test is not implemented by a lone wolf. Communications between the project team, your stakeholders and your sponsors need to be defined, established and occur regularly in order to relay status updates.
- Risk Analysis – The required expertise of a pen test team goes beyond the actual testing process. The contracted firm must have the capabilities to fully analyze the findings and prioritize the risks so that you can focus your efforts on addressing your greatest potential threats.
- Remediation Verification – An elite pen test provider should have the capabilities to assist your organization post-assessment. They should have the ability not only to build remediation plans and implement fixes, but also to validate those efforts to ensure that the corrective actions achieved the intended results.
Ensure you have practiced your duty of care when it comes to your security safeguards. Pen testing helps evaluate your vulnerabilities and areas to refine, maximizing the use of your budget and securing your data and networks.
What separates HALOCK from the rest of the pack is our commitment to quality
At HALOCK, we know that there are many choices when it comes to selecting a pen test provider. We choose to separate ourselves from the rest of the pack by delivering complete professionalism from the definition of the scope to the post remediation process. We are not in the business of delivering a “check the box” security test. We are in the business of designing a customized pen test in order to establish a risk management framework appropriate for your business.
We are about the pursuit of quality throughout all phases of every project. Our reputation centers on the members of our elite team of pen testers.
- All of our pen testers reside in the U.S. and are the best in their field.
- We require all of them to maintain the appropriate certifications related to their testing specialty.
- All of them are seasoned and highly experienced, having performed pen tests for companies of all sizes and industries.
- Our pen testers not only utilize the latest technology and methodologies, but also incorporate insight and creativity in order to recreate the realistic and determined efforts of a competent attacker in a controlled, safe environment.
Having the best pen testers in the business means little, however, if we cannot convey their findings to our customers in a fully comprehensive, yet easily understood manner that educates as well as informs. Our inherent duty to quality is manifested in our deliverables, which we hold as another example of our distinction within the industry, because the documentation we provide carries our name and reputation. The quality of our deliverables translates into the following commitments:
- Ensuring that we deliver meaningful, accurate results void of false positives, which is made possible by validating each finding, pursuing all exploits and confirming what is indeed a risk, and what can safely be ignored.
- Our deliverables include reports, findings, next steps and, most importantly, meaningful remediation proposals that extend far beyond bullet points.
- We don’t just suggest what to remediate, but how, making sure that our customers understand not just the required processes, but also the full picture of how to attain the obligatory level of security and retain it long term.
- Our deliverables, guidance and instruction are designed to not only satisfy an auditor, but also protect the data and integrity of your company long term.
Reliability is everything in the security industry, which is why our clients continue to utilize our professional services year after year. We regularly receive feedback indicating that our test services were far more thorough than those of a previous provider. That is because we never make assumptions about your business, and we never want you to have to make assumptions about our results. Our reliability is supported by our quality assurance practices, our review and oversight, and our utilization of teams rather than individuals. It is these practices and principles that we believe separate us from the pack.