When an organization first realizes they might be at risk of a cyberattack, some hire a pen tester to probe internal IT’s boundaries. If the pen tester does compromise the system, it’s used as visible proof for executives to allot budget for expensive technology solutions.
But what if pen tests don’t necessarily prove the need for a new technology implementation? What if they simply prove a system can be compromised? If everything is hackable, when and how should businesses use pen tests to determine gaps?
Ninja stars and ballistic missiles
Penetration testers are the marine corps of the cyber world. They’re highly trained and deadly with a keyboard. At the same time, the crisis they create only focuses on one facet of a business’s tech stack, often breaching software without any human interaction. Cyber criminals lack the ethics, directives, and focus of a pen tester. Threat actor groups almost always bypass the grunt work of forcibly compromising software and instead trick the information they need out of the target’s employees through social engineering.
Pen tests can be wasted if the boundaries they test aren’t critical to business function. If the technology breach wouldn’t stop the business in its tracks, a pen tester’s success only proves his or her competence. It’s important to scope the pen test so the ninja-star focus highlights an essential gap that a criminal missile would otherwise blow out of the water. So how should an organization scope a pen test?
Indicate multiple security gaps
Instead of asking the pen tester to find a breach, ask for specifics. Can the pen tester compromise the hospital personnel sign-in and extract confidential patient information? Can the pen tester halt supply chain communication by encrypting a manufacturer’s information database? Several focused pen tests seeking multiple points of entry can be more effective than one expensive expert randomly targeting a business’s entire network boundary.
At Ascent, our pen testers consult directly with customers. When one of them breaches a company’s system, here’s why we do not suggest an expensive technology implementation as the only solution: even though the pen tester discovered a vulnerability, how probable the corresponding business threat actually is matters just as much. Pen testers are paid for a full-frontal attack, but not every attacker will invest the resources that breach would require. Pen testers do validate your SOC or security system, but they’re only one strand in a complex web of security factors.
Pen test controls
If you’ve considered scope, social engineering, and whether the threat is probable, and your organization does decide to invest in a technology implementation, pen tests can be an essential way to test the control’s efficacy, proving to IT and your board that you made the appropriate changes to resolve the vulnerability.
Security intel meets business decisions
Intelligence is essential to business decisions, not just to the military. Solve for a holistic solution by improving your alert triage process and creating a consistent threat hunting program with reporting that shapes and maximizes investments. Whether a business runs an in-house SOC or outsources to a managed security services partner, the resulting data can blind decision-makers instead of informing them. Just like a positive pen test, it can make it seem as though your IT team doesn’t have enough keyboards to fight all the fires.
Don’t get caught in alert fatigue without asking wider questions. Bring on experts who understand your industry, the cyber landscape, and multiple security test vectors. Leverage our security assessments to understand your risk level, or reach out to MITRE@meetascent.com to learn how we channel threat data for concrete business results.