The Transportation Security Administration (TSA) found itself the subject of unwanted headlines in June 2015 when it failed to detect 95% of the fake bombs and other weapons undercover agents brought through airport security checkpoints. The resulting public outcry drove the TSA to improve screener training and to institute new procedures to correct its security lapses.
Such security testing, of course, isn’t limited to the physical world. Penetration tests (or pen tests) have long been used by organizations seeking to identify and patch vulnerabilities in their networks and IT systems. As the volume, diversity and sophistication of cyberattacks have escalated – and as the sensitivity and value of digital assets have grown – pen testing has become even more important.
Pen tests can vary considerably in their type, complexity, cost and objectives. External tests aim to probe the ability of domain name servers, email servers, firewalls and other systems to repel outsider incursions. Internal tests attempt to mimic attacks inside the firewall by privileged users who may use their access rights to steal information or sabotage systems. Social engineering tests try to trick employees into opening attachments or clicking on URLs that can expose their organization’s systems to malware incursions.
Your CSO’s security team can, and should, routinely run tests against your own infrastructure, but occasionally hiring outside experts to mount the cyberassaults can prove especially valuable. You can give third-party testers lots of information about the systems they’ll be attacking or only give them the mandate to compromise your cyber protections and identify high-value digital targets in any way they can. Such “blind” tests can be made “double blind,” where only a few of your own company’s employees are told of the pending pen tests.
This type of “white hat” or “ethical hacking” can serve purposes beyond exposing potential security weaknesses. For example, pen tests that circumvent existing security controls can help drive home to C-suite and boardroom executives the importance of funding security upgrades. They can also give extra incentive to improve – “Thank goodness this was only a test!” – to security pros who fail to execute their jobs properly, or to employees whose careless actions open a door for attackers.
One additional area that can benefit greatly from pen testing is incident response. Pen tests that breach perimeter or internal controls can trigger your incident response team to spring into action (whether or not the team knows the breach is a test).
As detailed in a recent AT&T report, incident response is a multifaceted, cross-organizational undertaking that requires rapid and well-coordinated actions. Companies routinely run tabletop exercises in conference rooms to train and test their incident response teams. Responding to an actual breach caused by a pen test incursion can add real-world urgency to the incident response process.
If there’s a shortcoming of pen tests, it’s that they provide only a point-in-time snapshot of your organization’s vulnerabilities to specific types of attacks. As we all know, IT systems and networks constantly evolve, as do the tools and techniques of hackers and cybercriminals. That’s why pen testing needs to be a recurring part of your cybersecurity strategy. Done right, and done regularly, pen tests can help you shore up your defenses before the real attackers arrive.
Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.