Why Penetration Testing Is the First Step to Better Prepare for Hacks
Originally published by A-LIGN.
Written by Joseph Cortese, Technical Knowledge Leader and Research and Development Director, A-LIGN.
The threat landscape is in a constant state of evolution. What may have been a best practice a year ago to help protect your organization against cyber threats may quickly become outdated, no longer providing enough protection on its own.
Consider the types of threats that have impacted organizations of all sizes and across industries, including cybersecurity companies themselves. Okta, a SaaS-based identity and access management provider, suffered a breach through a third party that was compromised via stolen credentials, and Shutterfly experienced a ransomware attack. And everyone remembers Colonial Pipeline's ransomware incident, which began with a compromised VPN password.
But it doesn't stop there. Organizations need to take proactive steps to prepare for any threat that could raise their risk, including cyberwarfare. To create and maintain a strong cybersecurity posture, organizations should use a range of assessments to test the strength of their security efforts. One of the most effective approaches is to start with a penetration test (pen test).
What Is Pen Testing?
A pen test is a simulated cyber attack that attempts to penetrate an organization's network and systems. Sometimes referred to as "ethical hacking," a penetration test takes a preventative approach to cybersecurity, evaluating an organization's infrastructure with the same tools and tactics threat actors use. This goal-based exercise targets vulnerabilities in the organization's technology and systems to determine whether a threat actor could exploit them to gain access, and how far that access could be extended.
Penetration tests should include six unique components that explore every part of an organization’s technologies and network. These include:
- NETWORK LAYER TESTING
- WEB APPLICATION TESTING
- API TESTING
- MOBILE APPLICATION TESTING
- WIRELESS NETWORK TESTING
- EMAIL PHISHING, PHONE VISHING, & FACILITY PENETRATION TESTING
Whether you want to assess your organization's susceptibility to advanced entry tactics or simply wish to evaluate employee security awareness, we can build a customized assessment to meet your intent or business requirements.
Though a pen test is extremely effective in helping organizations enhance their cybersecurity efforts, it’s important to note that it is not a one-and-done test. Most organizations conduct pen tests annually or after a big event, like switching from an on-prem to cloud architecture, development changes or feature enhancements that may introduce new functionality, or after hearing about a noteworthy cyberattack.
Relying solely on annual pen tests, however, is bad practice. Since threats emerge and evolve every day, eternal vigilance is needed to ensure organizations don’t lull themselves into a false sense of security. Fortunately, there are options available to fill in the gaps that exist between tests.
Pen Tests + Vulnerability Scans
To keep their security posture current between tests, organizations should supplement their pen tests with at least a quarterly vulnerability scan.
What is a Vulnerability Scan?
A vulnerability scan, also referred to as a vulnerability assessment, checks an organization's network and systems for known vulnerabilities by comparing what it discovers (software, versions, configurations, open services) against a database of vulnerability information. Vulnerability scans can be automated to run quarterly, monthly, or even weekly, and can be narrowly targeted at specific hosts or classes of known vulnerabilities. This enables organizations to identify and remediate known issues in a timely manner.
But it's important to note that vulnerability scans only detect vulnerabilities already catalogued in their database: they cannot detect a zero-day, a flaw in custom code the database knows nothing about, or a chain of individually low-severity findings that a human tester would combine into a compromise. Pairing a vulnerability scan with a pen test is therefore beneficial: the scan provides frequent, broad coverage of known issues, and the pen test provides the depth and creativity the scan lacks.
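To make concrete what "checking against a database of known vulnerabilities" means, and why such a scan is silent about anything outside that database, here is an added example written for this page (it is not A-LIGN's tooling or a real scanner). It matches a constructed software inventory against a constructed set of vulnerable version ranges; the vulnerability identifiers, product names, hosts and version ranges are all invented for illustration and do not correspond to real advisories.

```python
"""Core matching logic of a vulnerability scanner, reduced to its essentials.

Added example for illustration only. The vulnerability "database" and the host
inventory below are constructed; the identifiers are not real CVEs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically.

    Comparing version strings lexically is a classic scanner bug:
    '2.4.9' > '2.4.49' as text, but 2.4.9 < 2.4.49 as versions.
    Non-numeric suffixes such as '49-ubuntu' are reduced to their leading digits,
    and trailing zeros are dropped so '2.4.0' and '2.4' compare equal.
    """
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str          # constructed identifier, not a real CVE
    product: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix published
    severity: str

    def affects(self, version: str) -> bool:
        """True if `version` falls in [introduced, fixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        if self.fixed is not None and v >= parse_version(self.fixed):
            return False
        return True


# Constructed "known vulnerability" feed, standing in for the database a real
# scanner downloads. A scanner knows only what is in here.
VULN_DB: List[VulnRecord] = [
    VulnRecord("EXAMPLE-2021-0001", "httpd", "2.4.0", "2.4.50", "high"),
    VulnRecord("EXAMPLE-2022-0002", "openssl", "3.0.0", "3.0.7", "critical"),
    VulnRecord("EXAMPLE-2022-0003", "legacyftp", "1.0.0", None, "medium"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    vuln_id: str
    severity: str


def scan(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Match (host, product, version) triples against VULN_DB."""
    findings: List[Finding] = []
    for host, product, version in inventory:
        for rec in VULN_DB:
            if rec.product == product and rec.affects(version):
                findings.append(Finding(host, product, version, rec.vuln_id, rec.severity))
    return findings


def uncovered_components(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Products the database has no entry for at all.

    These are the scanner's blind spot: it will never report anything about them,
    vulnerable or not. This list is a good starting scope for a pen test.
    """
    known = {rec.product for rec in VULN_DB}
    return sorted({product for _, product, _ in inventory if product not in known})


# Constructed inventory, as an authenticated scan of three hosts might report it.
INVENTORY: List[Tuple[str, str, str]] = [
    ("web01", "httpd", "2.4.49"),     # inside the affected range -> finding
    ("web01", "openssl", "3.0.7"),    # exactly the fixed version -> no finding
    ("ftp01", "legacyftp", "1.2.3"),  # affected, no fix exists -> finding
    ("app01", "customapp", "0.9.1"),  # unknown to the database -> silence
]

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.host:6} {f.product}-{f.version}: {f.vuln_id} ({f.severity})")
    print("not covered by the database:", uncovered_components(INVENTORY))
```

The two things worth taking from this are the numeric version comparison (a scanner that compares strings will both miss and invent findings) and `uncovered_components`: the custom application on `app01` produces no finding regardless of how exposed it actually is, which is exactly the gap the page argues a pen test must fill.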
Determine Your Best Practice
There is no one-size-fits-all approach to cybersecurity, but there are steps every organization should take to ensure they are effectively testing their security posture on a regular basis.
Leveraging pen tests is just one part of the equation. Additional steps include:
- Developing and implementing a framework. Do your research into existing frameworks, and adopt an accepted one, such as the NIST Cybersecurity Framework, to establish cybersecurity controls that reduce your risk.
- Leaning into a zero trust architecture. Know who has access to your most sensitive resources, limit that access to only the people who need it, and verify each request rather than trusting a user or device because of where it sits on the network.
- Exploring additional cybersecurity assessments. Leveraging other assessments, like a Ransomware Preparedness Assessment, can provide even greater insight into your organization’s level of preparedness for a cyberattack.
- Staying educated on the evolving threat landscape. This means knowing what threat actors will try to use to infiltrate your organization, from phishing to ransomware. (To better understand and recognize various cyber threats, download The Ultimate Cybersecurity Guide.)
It’s Not If, But When
Every organization across every industry is at risk for a cybersecurity incident. Staying ahead of threat actors requires organizations to adopt a tactical approach to cybersecurity. This means knowing the infrastructure, the devices connected to the network, how they communicate, the characteristics of the organization’s data, and who has access to the data.
About the Author
Joseph Cortese is the Technical Knowledge Leader and Research and Development Director at A-LIGN. He is an accomplished cybersecurity leader with a unique and extensive background in DevOps, cybersecurity, research & development, incident response, and zero-day exploration. Joe has over 16 years of specialized cyber experience in the defense, healthcare, and retail industries. Joe is a Certified Ethical Hacker of mobile, embedded, wireless and web-enabled devices and is a lead member of a Strategic Innovation Group focused on reverse engineering efforts that resulted in long-term funded government contracts. He has created marketable capabilities using Raspberry Pi & Arduino embedded boards, authored white papers, and offered training for clients and colleagues.