Penetration testing is not without risks. This article explains some of the concerns organizations should consider.
Where do I start with security testing?
This knowledge center article is designed to help people get started in assessing their organization's security posture.
Here at Secure Ideas, organizations are often coming to us as they realize that their security needs improvement. They are looking to have someone help them ensure that they are doing the right things and protected against typical attacks.
There are quite a few different reasons for this request from clients, many of them overlapping. Maybe it's due to a recent ransomware attack or a breach at one of their partners. We often have people come to us because of the attacks they experience or hear about, have them questioning if they are doing the right things. Another significant reason companies will start to have their security validated is the changing legal and compliance requirements. More organizations are requiring their vendors and partners to improve their security or prove their controls.
So, where do you begin if you are looking to get a security assessment or audit performed? And how do you decide without getting overwhelmed by the choices? Well, that is easy! You are already in the right spot for the answer to the question.
The first step is to understand what you need. We get asked all the time for a penetration test or a security audit. But when we start digging into the audit's goal, we find that this may not be what is needed. This confusion is especially common for organizations that are just beginning to evaluate their cybersecurity needs and controls. Let's look at each of the security assessment types and why they may or may not be what you need.
The most common assessment we get asked for is a penetration test. (This is probably due to this being one of our primary services). While we have a number of articles discussing every aspect of pentesting, we'll use the definition from the National Institute of Standards and Technology (NIST):
"Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies."
While penetration testing is an excellent service (we may be biased), it is not the best first step. The concept of finding out what an attacker would see or be able to do against your organization is helpful as you improve. But if this is the beginning of your security journey, the test will simply point out what you already know. And it isn't as comprehensive as some of the other options you have.
Penetration tests work best when you have a security program, even if it isn't where you want it to be. The results of the test should be able to be handled and implemented. Of course, you should also go with a penetration test if you are required to have one, as it is often a mandatory part of compliance programs.
The second most common request is for a security audit. Audits help improve an organization's overall security posture, but they are often confused for other assessments or tests. So what is an audit? ISACA defines it as:
"Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met."
Most of the time, security audits are part of a wider audit such as a SOC 2 Type 2 or a PCI-focused audit. These are specific assessments required as part of various compliance programs. They are only needed if your organization is working toward the particular compliance requirement or is under certain contractual constraints. The problem is that many people will misuse the word audit when they mean assess or test.
A security assessment, or security architecture review, is commonly meant when people ask for a security audit. Instead of the formal inspection, they need to have someone work with them to assess the security controls, policies, and procedures and recommend the areas to improve. We often recommend security assessments more than penetration tests since the results for security assessments tend to be more comprehensive.
Security assessments are cooperative projects where our consultants will interview your staff, review configurations and documentation, and then outline the weak areas and where the organization is doing the right things. We base this assessment on quite a few different baselines and standards and our experiences as IT professionals and security consultants.
NIST defines a vulnerability assessment as:
"Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation."
This means a process of testing our systems for known issues and vulnerabilities. Organizations should use vulnerability assessments to keep an eye on their current security posture and determine where flaws exist. There are different goals of a VA program.
One, your organization should be running assessments against both the external-facing systems and the internal network. By testing both, you get a more comprehensive view of where problems can crop up.
Two, if your organization is developing applications or products, then making vulnerability assessments part of your development lifecycle or your CI program is essential. We cover the reasons why you need vulnerability assessments in a different article.
The final type of security assessment we will examine is a gap analysis. Gap analyses are focused projects based on an industry standard. They are often the first step to provide next steps guidance.
The main concept of a gap analysis is to run through a series of questions to determine if your organization meets the requirements or has implemented the controls related to an industry baseline. For example, CIS has long provided a list of the 20 controls. During a gap analysis, Secure Ideas would interview your staff. These conversations would determine how and what you are doing for each of these items.
So what is the right path for you? Based on the above, we find that most organizations will follow one of the four tracks.
Gap Analysis -> Vulnerability Assessment -> Penetration Test
First, if you are just starting, we recommend doing a gap analysis initially and then starting your vulnerability assessment program. After you have implemented the fixes from those first two steps, a penetration test would be the next step.
Security Assessment -> Penetration Test
If your organization already has a security program, the path we recommend is a security assessment followed by penetration testing. You begin by doing the cooperative project to assess all of your controls. Then afterward, you can schedule the attacker's view by having our consultants perform a penetration test. This test could be of your entire organization or specific pieces such as your primary applications.
Penetration Test or Security Audit
The last two options are similar and performed for the same reasons. If you have a requirement that calls explicitly for a penetration test or security audit, that is the path you need to take. This may be due to a client's contract or a need to meet a particular compliance requirement.
We look forward to helping you, no matter which of these paths you take. If you still aren't sure, feel free to reach out and discuss it with one of our security consultants.