Cyber threats continually evolve, and hackers often find new vulnerabilities before corporate IT teams do. Unfortunately, this leaves the door open for malicious actors to steal sensitive information or demand a ransom payment to unlock essential systems.
Additionally, the frequency of these attacks and the time and money lost to them show no signs of slowing down. Ransomware attacks, for one, grew by 41% between 2021 and 2022, according to the 2022 IBM Cost of a Data Breach Report. Meanwhile, the second most common cause of cyberattacks, lost or compromised credentials, continues to be the toughest to spot and contain: it takes, on average, 243 days to spot these breaches and 84 more days to contain them.
Penetration testing, or pen testing, helps companies identify the security gaps that could lead to a breach before hackers can take advantage of them. By simulating different cyber-attacks, pen testers find ways to gain and maintain access to a system by skirting its defenses, providing the crucial information companies need to close potentially dangerous loopholes.
However, sprawling IT systems make wide-ranging pen testing costly, leaving IT leaders wondering how they can get the most protection from their security budget. Here are five steps companies can take to find and address critical vulnerabilities in their IT infrastructure without breaking the bank.
1. Identify Data, Systems, and Processes
Before making any moves, organizations must first determine what is most critical to protect. That step is often overlooked, or it relies solely on what is already known. A good discovery process should surface both known and newly discovered locations and uses of critical data, systems, and processes. Some examples of questions to ask are:
- What kind of data is each system handling? Does it have access to sensitive data?
- How critical is each system to maintaining business continuity?
- What type of interfaces do they have?
- Are they accessible by external parties, internal team members, or both?
Once these are identified, security teams can group the data, systems, and processes so that the threats and vulnerabilities affecting each area can be understood together.
2. Start with a risk assessment
Rather than tasking pen tests to look for vulnerabilities across the entire system, companies can save time and resources by first doing a risk assessment on the groups identified above. A system-wide risk assessment helps companies identify critical and high-value areas that may need more attention, such as vital applications, business processes, and high-value data.
Risk assessments should include both external and internal threats. For instance, understanding where internal team members have access to sensitive data can help focus testing on social engineering attacks, the most common type of cyberattack that IT professionals see, according to ISACA's State of Cybersecurity 2022 report.
Another common example is an incomplete off-boarding process that may leave dormant accounts active and open to exploitation. External exposure can include open-source intelligence (OSINT), the data about an organization that sits on the open (and dark) web and is accessible to nearly everyone.
Based on these considerations, IT teams can set the scope and objectives for their test and avoid wasting time and resources on security work that won't significantly impact the business. Of course, the more critical the system and the more sensitive the data, the more valuable intensive testing will be. It is important to note that conducting a thorough risk assessment is a complex undertaking, requiring a broad knowledge of continually evolving threat vectors, system vulnerabilities, and risk management techniques. Many organizations require additional professional resources to complete a risk assessment properly and thoroughly.
3. Conduct targeted testing on a regular schedule
From attacking firewalls to infiltrating Active Directory, organizations should regularly conduct several types of pen tests, at least once a year, depending on the security needs of each system. In addition, pen testing of critical and sensitive systems should occur more frequently so that it replicates the most recent cyber-attacks.
The three categories of pen tests organizations should consider are:
- White box: These are generally the most cost-effective pen tests, as organizations provide all necessary information to testers. White box pen tests make locating vulnerabilities easier, saving an organization time and money.
- Black box: These tests are similar to real-world attacks, as testers must start from scratch. Pen testers receive no information about the organization's systems, which means they must spend more time trying to find a way to breach the defenses. While they are more costly, black box tests provide more accurate results.
- Gray box: Testers receive minimal information about the organization's systems, simulating the damage an authenticated internal user could cause. Mimicking an insider attack offers teams valuable security insights more cost-effectively than a black box test, which makes this a popular choice for organizations looking to get more for their money.
In most instances, organizations will start with a network layer penetration test that assesses the security of basic assets and systems. That includes devices, operating systems, and other low-level systems. But pen testing the application layer tends to be more critical and complex. For example, application layer pen testing requires organizations to look at the types of services they receive from vendors, whether credentials are required to reach them, and more.
Organizations should also find ways to test their vulnerability to advanced persistent threats (APTs) designed to evade detection for months. Understanding how these threats operate can help teams implement more sophisticated defenses.
4. Remediate issues
Companies should work with security experts to address vulnerabilities as quickly as possible and establish a process for escalating high-risk findings to make every minute count. IT leaders should also consider the overall results of pen tests in light of the risk assessment conducted earlier. Recall that the goal of the exercise is to reduce the risk to a level commensurate with the asset's value or criticality.
5. Feedback and Training
In addition to the direct risk-reduction benefits of penetration testing, pen test results and reports are a valuable snapshot of the effectiveness of current development capabilities and vulnerability management practices. When long-standing vulnerabilities are found, or when related vulnerabilities are found inconsistently across devices, this points to sporadic and ad hoc processes that may need to be improved. If similar or related vulnerabilities are found across applications, this may point to an opportunity for enhanced training on secure software development. And 85% of IT security professionals agree that pen testing provides them with valuable insights to improve developer and security team training, per research from Cobalt.
Get advice from the experts
While companies can conduct pen testing using internal resources, partnering with external experts can ensure objectivity. Working with someone with little to no knowledge of the systems in question is true to life and promises to deliver more accurate results. In addition, a third party can uncover vulnerabilities internal developers and security professionals have missed.
For more information about how VikingCloud can help protect your systems with professional pen testing, contact us.
References:
- Cost: IBM, Cost of a Data Breach Report 2022, https://www.ibm.com/resources/cost-data-breach-report-2022/
- Risk Assessment: ISACA, State of Cybersecurity 2022, https://www.isaca.org/-/media/files/isacadp/project/isaca/resources/white-papers/state-of-cybersecurity-2022_whpsc22_res_eng_0322.pdf
- Insights: Cobalt, ROI of Modern Pentest Report 2021, https://demo.cobalt.io/hubfs/Cobalt%20ROI%20of%20Modern%20Pentest%20Report%202021.pdf