Besides the fact that there is no other way to really test your network, The PCI Security Standards Council finally released version 3. 2 and it now states, “To ensure resilience, service providers are now required to perform penetration testing on segmentation controls at least every six months," according to a new sub-requirement 18.104.22.168. The PCI SSC also added a testing procedure 11.3.4 to ensure that penetration testing is performed by a qualified internal or external third party.
So the once a year PEN test is gone and rightly so, some PEN testers like ShoreBreak Security offer continuous PEN testing. Shore Break CEO Mark Wolfgang says "PEN testing once a year is like mowing your lawn once a year, it does not keep up with reality."
[ ALSO ON CSO: How to be or find a skilled pen tester ]
Wolfgang says he developed their continuous penetration testing service Lifeguard to provide his customers with a continuous risk snapshot, rather than a once-a-year view of risk.
I asked him his definition of a Pen test to which he answered……..A penetration test is a security test where a specific threat actors and threat actions are emulated to determine the risk to specific assets, and the resultant impact to the organization.
We like to rephrase VERIS’, “who did what to what (or whom) with what result?”, to who could do what to what (or whom) with what result?.
A good penetration test emulates a variety of threat actors and threat actions, targeting specific assets, and answers questions like:
- How secure is my network/application/data from…
- my partners that have internal network connectivity?
- my remote employees?
- my employees?
- my system and network administrators?
- physical intruders?
- my users or customers?
Risk can be evaluated at multiple layers, but here are the most common layers we evaluate.
- Risk to assets – what is the risk posed to my assets?
- Risk to data – what is the risk posed to my data?
- Risk to organization or business – what is the risk posed to my business or organization?
A good penetration test team will seek to understand the organization or business drivers so they can properly determine and convey business risk.
The result of a penetration test is an enlightenment of sorts. The client will know the risk posed to their assets, data, and business at the time of testing.
They will know how their networks, computers, and applications withstand and detect real-world attacks. It does not necessarily feel good for those on the receiving end, but it shines a necessary light on organizational weaknesses and results in improved security.
Let’s use the PCI DSS model to explain a few important things about pen testing. Even if you are not required to be PCI DSS compliant; it’s a great data security standard to base your pen testing on as long as you are not in the US DoD or other environment that has mandated other specific frameworks for your organization.
PCI DSS is a well-documented data security standard to help secure the retail credit card environment, the losses from credit card theft and breaches have been huge. Just think about the Target, Home Depot, Neiman Marcus data breaches to begin to see the scope of losses. PCI DSS understands the importance of a pen test and therefore mandates it.
You might say if it’s a good standard then why all the losses? First No Compliance framework will prevent all breaches, it’s the foundation for security, it won’t replace dynamic, intelligent and proactive security. Second according to the Verizon PCI DSS report in 2015, 80 percent of companies required to be PCI DSS compliant fail their interim assessment. Verizon further states: Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.
PCI DSS is well documented and could apply to a non card holder environment, just replace card holder environment with your company’s most confidential data. If your company is required to be FISMA, or HIPAA compliant you use that framework, but to do some short and sweet risk analysis you could start with PCI DSS as an initial assessment. A PCI DSS rule for all to live by is:
Three simple rules about confidential data:
- If you don’t need it, don’t store it.
- If you really need it, protect it when stored.
- If you do store it, securely delete it when you’re done with it.
The following are the basics of PCI DSS and good data security framework.
Penetration Test vs a Vulnerability Scan
There is a huge difference in running a vulnerability scanner and actually having the hacking skills to pen test and break applications and networks, all without disrupting the business or its operations.
We see too many clients that either don’t pen test due to cost or they think internal or external scanning alone is the same. As mentioned above pen testing requires lots of skill and experience and each network and application is different. Let’s now look more closely at a pen test. Pen testing is organization and system specific. Ask yourself what is my company trying to protect? How is it all connected? How could a potential cyber-criminal get to our data? A good pen tester can answer these questions better than anyone else in the world. Some areas a pen tester looks at are:
- web application penetration testing
- network penetration testing
- application penetration testing
- hardware penetration testing
- modem “war dial” penetration testing
- social engineering
- physical penetration testing
What are the core competencies of a professional pen tester?
My colleague and CEO of Shore Break security states it like this:
Expertise in at least one operating system
A pen tester must be knowledgeable in as many operating systems as possible, but must be an expert in at least one. What good would it be for the tester to compromise a Solaris server and not know what to do with it? Or if he doesn’t understand where the passwords are located, how services are managed, where the log files are, etc. Expertise in one operating system will provide a solid foundation for others.
A competent penetration tester is the master of at least one operating system but can find his way around all of them.
Expertise in networking and protocols
It seems obvious that a pen tester must be experts in networking and protocols, as those are the mediums on which he conducts his attacks.
A competent penetration tester should know the service that operates on pretty much any port, on every protocol. They should be intimately familiar with all layers of the stack. They should be equally comfortable analyzing layer 2 and layer 7 traffic, and everything in between.
They should have a solid understanding of Intrusion Detection/Prevention Systems, routing, and firewalls.
A competent penetration tester is an expert in networking and protocols.
Expertise in information security
Operating systems and networking are the foundational elements for information security. Without this solid foundation, a penetration tester could not be competent.
A pen tester must be an expert in Information Security. Not from an attacker’s perspective, but from a defender’s perspective. After all, how could a pen tester make a recommendation if he can’t relate to the defender’s job? From specific technologies to best practices, a proficient pen tester must be a master of his field.
Expertise in information security testing tools
Perhaps the easiest skill to develop these days is competency in penetration testing tools. Long ago, before exploit frameworks and GUI tools for everything, one had to know how to find reliable, trustworthy exploit code. Then read it, compile it, test it, and run it from the command line.
Compromising vulnerable systems is easy – it’s what comes after that’s the hard part.
Compromising systems without wreaking havoc on the target systems/network requires the foundational knowledge and specific tool expertise.
They will know the effectiveness of their policies, procedures, and training.
They will know how their security staff respond to real-world attacks.
They will know the impact of any particular vulnerability, and will know the path forward to greater security.
So whether you fall under PCI DSS, HIPAA, FISMA, or NIST Audit frameworks, If you have valuable data on site or in the cloud, in one or multiple locations, are a billion dollar a year business or an SMB, you need a pen test. It’s the one test that will tell you more than any other activity or test you could ever do on your own. It’s also the one test that will verify all security and audit functions that relate to unauthorized access via internal or external networks and systems.
After all you are hiring the best ethical hacker available, he or she will likely get in, but the good news is that they won’t actually steal your data. In fact they will give you the plan to prevent the most likely intrusions into your organization and that should help you sleep better at night, especially if you are the CIO or security manager.
This article is published as part of the IDG Contributor Network. Want to Join?