Penetration testing is a critical step in any IT project. But as I have watched countless enterprises pursue penetration testing as they've rolled out new apps, servers, cloud-based tools and network components, it's become clear that companies often have misplaced assumptions about what penetration testing should be and what it's meant to do.
Often an implementation will be moving along. Project managers will be coordinating with vendors and internal IT. And as things speed along toward launch, someone will move down the spreadsheet and see that penetration testing deliverable, waiting there for somebody to handle it.
When penetration testing is treated like an obligatory part of a launch – just another box on the spreadsheet to check – the question of why a company is doing the test in the first place gets forgotten.
And it's unfortunate, because doing a penetration test without really understanding what you're supposed to get out of it sets companies and IT pros down a fruitless, not to mention insecure, path.
So, what is the purpose of penetration testing?
A penetration test is meant to provide visibility and context into what cybersecurity risks are out there, and to give businesses and project stakeholders the opportunity to decide which ones are important to anticipate, focus on, patch and fix.
If businesses understand this, then IT stops looking like the department of no. It's not about shutting down projects – it's about furnishing an enterprise with actionable information so they can make the right decisions.
Let's explore where both businesses and IT pros can go wrong when they're strategizing and deploying a penetration test. We can then see, at every step of the process, how both businesses and IT pros can penetration test in a way that's meaningful, actionable and fulfills its promise of assuring the implementation of a secure solution.
Penetration Testing Isn't Just Finding Every Vulnerability
Operating under the paradigm I discussed above, business leaders have a picture in their minds about how a penetration test will happen. They imagine that a penetration tester will run their tools and come up with a list of vulnerabilities, and then IT will go down the list and patch each of those vulnerabilities – and this will result in a perfectly secure network.
But perfect security like this doesn't exist. I've worked with countless businesses, and I've never known a single one to successfully reach this Utopian state, with every imaginable vulnerability plugged.
That's because penetration testing is about finding known vulnerabilities and then providing context that helps business leaders decide what needs to be remediated and what can be accepted.
Skilled penetration testers don't just leave a stack of vulnerabilities on the desk of a project leader without context – rather, they present findings in a way that allows the project leader to understand the vulnerabilities and make business decisions about them. That's because …
Penetration Testing Is a Risk Mitigation Technique
There's a reality in cybersecurity that's sometimes hard to translate into business speak: not every threat that exists needs to be protected against. There needs to be a capable, motivated actor to turn a vulnerability into a cyberattack (and I'll be exploring this in detail in my forthcoming book, Cyber Risk Management).
An executive might scoff at this – after all, they want the best security – and the best security should mean being able to block every threat out there.
But if you think of it in terms of your own personal safety, it's easier to conceptualize. In a given day, there are millions of very rare, very dangerous things that could happen. You could, for instance, walk by a building leaking some sort of poisonous gas. But given the extreme rarity of such an event, it would be a wasted investment to buy a gas mask, and somewhat silly to walk around wearing it. A potted plant could fall off a windowsill and land on your head, but this doesn't justify wearing a hardhat at all times.
A lot of the vulnerabilities in cyberspace – especially the ones that make headlines – are like those threats in the physical world that exist but that you probably won't ever encounter.
Zero-day exploits executed by nation-state actors do happen, but the chances that they're going to be aimed at a micro-SMB (small or mid-sized business) are low, given the effort, cost and perseverance required for hackers to make such an attack happen. So, a micro-SMB without a good reason (and there are some) to expect to be targeted by a nation-state actor would probably not want to spend a huge amount of resources prepping for one and would be better served focusing on more pressing threats.
This is a big reason why just listing vulnerabilities isn't the right approach. Instead, penetration testing should be performed in conjunction with red teaming, which analyzes security risks with the threat actor's perspective in mind.
Red Teaming Gives Vital Context to a Penetration Test
Knowing who is targeting an enterprise for a hack, and understanding the motivations and resources of that individual or group, is key to understanding what sort of hacks a business should expect, plan for and defend against.
That's why red teaming – in which a cybersecurity pro plays the role of different types of threat actors intending to break into a network – is so central to increasing the effectiveness of a penetration test.
If a cybersecurity pro knows, for instance, that the most likely and realistic threat to the SMB comes from disgruntled employees, they'll put themselves into that mindset – snagging laptops off desks in the office to see what they can find and so on.
Instead of generating a giant list of vulnerabilities, they create a smaller, pointed list that the people targeting the enterprise are likely to try to exploit.
In fact, the more realistic vulnerabilities that appear on such a penetration test may never show up at all if an IT security team isn't poking and prodding at the network with a hacker-like level of cunning and curiosity.
Red teaming helps add critical context to a penetration test. And context is what businesses need to understand what steps to take. For a red team, the goal is to get their hands on the information they want however they can. Penetration testing has a narrowly defined scope; for red teaming, the scope is defined only by what information the red teamer needs – they set the goal posts.
Remembering Third-Party Relationships Is Also Critical
Just as red teaming bolsters the value of a penetration test by finding those holes in the system that won't appear on a straightforward, by-the-books assessment of infrastructure, so does vetting the vendors you're working with to make sure they have their cybersecurity ducks in a row.
While you probably won't be able to kick the tires on a company's infrastructure too much, you can ask questions to ensure they're taking the industry-standard precautions.
For business leaders, since certifications carry such weight in validating the skills of an IT professional, determining that a partner has CompTIA-certified IT staff working on and securing their infrastructure can act as shorthand to mean they're doing it right.
It's also critical to check in on things like the overall robustness of the company's approach to data privacy, the PCI-DSS compliance of their payment ecosystem and the implementation of a structured information security management system.
Communication Is the Better Part of Penetration Testing
When IT pros think about penetration testing, they may think about the port scanners and other tools of the trade. Those things are all, of course, important. But knowing how to use these tools and interpret their feedback is only part of the responsibility.
Terms like port scanning, SQL injection and the like are well-established parts of the cybersecurity vocabulary. But for a CEO, chief financial officer (CFO) or marketing executive, such terms don't convey a whole lot.
To really do penetration testing right, a cybersecurity pro has to take that threat actor–based understanding of vulnerabilities and the likelihood they'll be exploited and communicate it to management in a way that makes sense to them.
Understanding the level of technical knowledge of your audience and knowing how to report the results of a penetration test to that audience are built into the exam objectives of CompTIA PenTest+. Taking the necessary steps to secure an app and being able to clearly explain why a vulnerability is dangerous and how it is best approached is just as important as being able to recognize it.
Penetration Testing Should Set Up Departments to Own Vulnerabilities
A final, critical difference between how penetration testing often goes and how it should go is that, contrary to what businesses often believe, the results of a penetration test aren't just IT's to manage.
Take for example a situation in which a marketing department has, during the course of a campaign, made publicly available a spreadsheet featuring key information about executives' personal hobbies. Such information could be found by a hacker and used to target a spear phishing email.
A high-quality IT pro would discover this in the course of a penetration test. But IT probably doesn't manage the website, nor does it control how marketing is using data. The vulnerability is something marketing has to be made aware of so they can take the necessary steps to secure things.
Just as communication skills are critical on the part of the IT pro, receptiveness is critical on the part of the business. That means having a point-person in each department who can take action to fix the vulnerabilities IT points out.
IT Pros and Businesses: Shifting Away from Checkbox Thinking
The strategy above paints a very different picture of penetration testing than the one that's often deployed. And it's one that successful businesses – and quality IT pros – will continue to adopt as cybersecurity continues to be the top priority for any business.
For cybersecurity professionals, it means harvesting information on real potential threats, not just far-out possibilities, and communicating what those threats mean in a way companies can understand.
For companies, it means setting up each department to act based on a penetration tester's findings.
This synergy between IT and the rest of the company is critical in keeping apps, networks and everything else cybersecure – at the build-out stage and beyond.