With countless organizations falling victim to cyber breaches, it seems that security groups are often unprepared to defend against attacks. Being prepared means understanding which types of attacks to expect and being able to detect and withstand an attack.
Many organizations have implemented cyber controls, but they lack evidence their controls work. Implementing controls does assure that network or security operations can detect malicious attempts as they are launched, but controls cannot effectively block the attempts. Penetration testing, or pen testing, is effective for detecting cyberattacks, stopping malicious activities and initiating response activities as soon as possible.
Pen Testing is Offensive
Pen testers mimic cyber attackers in a controlled manner, using commonly available tools to gain information about networks, systems and applications. The tools provide a launching pad to circumvent controls or exploit vulnerabilities. The objective of pen testing—whether technical or social engineering—is to demonstrate that systems can be compromised and sensitive, confidential resources are at risk. While it provides information on the effectiveness of cyber defenses, pen testing is offensive.
Pen testing should be part of every cyber defense program because it demonstrates that system defenses can be defeated. It shows what effort is required to complete an attack, the attacker’s level of sophistication, the complexity of methods needed and the time required. Pen testing helps enterprises understand if security or network operations personnel are able to detect attacks and the level of noise required before an attack is evident.�
These tests provide teachable moments when reviewing the techniques used in a simulated attack. System administrators who believe their protection mechanisms cannot be breached are often surprised when the mechanics of an attack are laid out to show how intruders moved from system to system, exploiting permissions on each hop, until they essentially owned the network.
Snapshots of Defenses
Pen testing, however, does not address the full range of activities required for an effective cyber defense. It provides useful, but limited, insights and should be considered within the context of a holistic approach to cyber defense. Like any testing, pen tests are snapshots of defenses that are limited by the tester’s capability, tools, methods and time. An ineffective attack method today may be more effective on another system or at another time. Effective defenses today may be ineffective tomorrow because of administrative errors or other factors.
Unlike attackers, pen testers work within the confines of an agreed-to scope, client budget, laws and ethics. Persistent, advanced attacks by nation-states, organized criminal bands and hacktivists don’t have those limitations. Effective cybersecurity programs must be able to identify the environment being protected, protect assets, detect anomalies and threatening events, respond to incidents as soon as possible, and finally recover.
Essential to Cyber Security
Pen testing—while still an essential part of an effective cybersecurity program— identifies the environment from a technical perspective only within the scope of the examination. It tests the ability to protect a system but does not determine security failure root causes. Operations and system administrators may learn from the tests to determine what should have been detected, but this is not often part of the scope.�
It also does not help cyber incident response or recovery. Attackers have the time and opportunity to plan and launch multi-element attacks. They only have to find one method that works. Cyber defenders must be prepared for all attacks, all the time, and have 100 percent effective detection and deterrence mechanisms.
The NIST Cybersecurity Framework, however, does offer a holistic protection program that includes identification, protection, detection, response and recovery. As part of creating a cyber program, CISOs need to ensure those who build, deploy and manage technical infrastructure have the knowledge and tools to be part of this holistic, effective defense solution.
If there are sufficient resources, pen testers can be part of the security staff providing ongoing assurance of technical controls. Where resources are more limited, pen testing can still be part of an ongoing cyber-assurance program. All organizations should recognize that while pen testing has value, they must embrace the more holistic model of defense. This provides the stable, attack-resistant infrastructures the digital age demands.
(About the author: Ron Hale is chief knowledge officer at the ISACA. This post originally appeared on his ISACA blog, which can be viewed here).