Why setting and forgetting penetration testing doesn’t cut it
Penetration testing is the cybersecurity world's equivalent of dental check-ups: If not conducted regularly, weaknesses aren't found and bad things can happen. And like dentist visits, pen testing succeeds in preventing problems only when proper maintenance occurs year-round with actions taken to fix any issues a check-up finds.
To expertly manage this ongoing responsibility and ensure pen tests are conducted with fresh eyes, many organizations partner with external cybersecurity professionals.
When defining a pen test scope of work with an external partner, disengaged internal experts may continually define scope with the same range of IP addresses, types of applications, and testing depth, regardless of constantly changing circumstances. This set it and forget it approach can dramatically undermine both the pen tests' effectiveness and the company's return on security investment, while increasing the chance that an organization is not testing its environment in accordance with appropriate risk or evolving legal, regulatory, and industry frameworks.
As the client, you need to define what assets need to be tested, how often to do so, and what type of testing needs to be performed. Bear in mind that the primary goal of pen testing is not simply to identify vulnerabilities but to provide assurance in the effectiveness of your vulnerability management processes, so that you can use the findings of a pen test report to improve those processes. Here, we explain how to take and retain control of pen testing scope to make the most of your third-party partnerships.
1. Classify your data, define your risk tiers, and perform corresponding assessments.
Organizations must inventory and classify their data according to type, sensitivity, and value to understand what matters, what's at risk, and how to implement controls to mitigate that risk. To create an efficient pen testing approach, a company should perform a business-wide audit to identify critical and high-value areas.
Organizational assets should be assigned to tiers that reflect both their business value and their exposure to vulnerabilities, such as high, medium, and low, or gold, silver, and bronze. Once you've classified your data, you need to determine which type of testing is required at each tier.
By creating a security approach that evaluates risk based on asset or asset value, and focusing the testing on those areas, organizations can reduce the cost of pen testing while increasing its effectiveness. Dividing assets into components and establishing a regular testing cadence also aligns with the concept of Zero Trust Security, an increasingly popular approach that assumes that any application, device or asset must be continuously verified.
Here's an example of how to define applications:
- High: Any application that transmits, stores or processes cardholder data in scope for PCI DSS; is a security control for the protection or flow of cardholder data; or could impact the business by X value.
- Medium: All applications that could impact the business by X value.
- Low: Any application that could experience changes without adversely impacting the business.
And here's another:
- Gold: Any change or application development that requires immediate pen testing.
- Silver: An asset or development that does not require immediate testing. Instead, a test must be conducted after every X number of changes or after X time period, whichever comes first, as defined by internal risk analyses.
- Bronze: A low-risk asset that undergoes testing at defined time intervals based on internal risk analyses. As long as these time-based tests are conducted, an unlimited number of changes may be implemented between tests without flagging additional requirements.
2. Stay informed on relevant legal and industry frameworks.
Security and compliance frameworks define and group requirements and controls. Here are four of the most common frameworks that you should evaluate. (We'll go into greater detail on PCI DSS below, and the other frameworks will be discussed in further detail in future blog posts.)
PCI DSS
The PCI Data Security Standard (DSS) is a model framework for compliance as well as the regulatory standard for the credit card industry. Designed by the PCI Security Standards Council to help businesses develop a robust payment card data security process, it codifies practices for prevention, detection, and response to security incidents.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework
NIST, a unit of the U.S. Commerce Department, offers a modern framework that is free, with growing acceptance internationally. Designed to provide a flexible and risk-based approach that can be used across many cybersecurity risk management processes, the NIST Cybersecurity Framework is intended to help organizations of any size.
ISO 27000 Series
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish the ISO 27000 Series framework, which recommends best practices on information security management, risks, and controls. Companies are expected to incorporate continuous feedback and improvement activities to address evolving threat landscapes and security incidents.
3. Use a smart classification and risk approach to stay on top of evolving framework compliance.
The PCI DSS version 4.0, released this spring, requires organizations to undertake greater scope definition and asset classification. If you've already classified your assets and perform regular risk assessments, becoming compliant with PCI DSS version 4.0 will be far easier.
Here's how the steps above apply to this new framework:
The above version changes are an example of precisely why it's important to know your environment and define what you want tested and when.
Conclusion
As bad actors and threats continue to proliferate and grow ever more creative, organizations must increase their efforts to mount effective responses as well as achieve industry and regulatory compliance. Third-party consultants provide the objectivity, expertise, and workforce necessary to conduct wide-ranging penetration tests that uncover serious security gaps. Still, internal security professionals must take an active role in their company's pen test strategy and third-party partnerships to ensure success.
If your organization uses a third-party tester and doesn't understand its information environment and how assets are classified and organized, it's time to get up to speed. By carefully defining testing requirements, you can ensure that your strategy adapts as conditions and requirements change. You can also eliminate superfluous testing, allowing more resources to flow to your most critical assets and better protecting your company without blowing your budget.
Like going for a dental check-up, taking the time to define your security environment and prioritize pen testing based on asset classification and risk can seem like a chore. Neither task can be outsourced, and neither is a one-time commitment. But your future self will be glad you did both regularly.
Find out more about how VikingCloud's Penetration Testing solutions can benefit your organization here https://www.vikingcloud.com/security-testing/penetration-testing.