Penetration testing is a critical step in any IT project. But as I have watched countless enterprises pursue penetration testing as they've rolled out new apps, servers, cloud-based tools, and network components, it's become clear that companies often have misplaced assumptions about what penetration testing should be and what it's meant to do.
Often, an implementation is moving along. Project managers coordinate with vendors and internal IT. As things speed along toward launch, someone moves down the spreadsheet and sees that penetration testing deliverable, waiting for somebody to handle it.
When penetration testing is treated like an obligatory part of a launch—just another box on the spreadsheet to check—the question of why an organization is doing the test in the first place is forgotten.
It's unfortunate because conducting a penetration test without really understanding what you're supposed to get out of it sets companies and IT pros on a fruitless, not to mention insecure, path.
What is the purpose of penetration testing?
A penetration test is meant to provide visibility and context into the cybersecurity risks out there, giving businesses and project stakeholders the opportunity to decide which ones to anticipate, focus on, patch, and fix.
If businesses understand this, IT will stop looking like the department of no. It's not about shutting down projects—it's about furnishing an enterprise with actionable information so it can make the right decisions.
Let's explore where both businesses and IT pros can go wrong when strategizing and deploying a penetration test. We can then see, at every step of the process, how both businesses and IT pros can conduct penetration tests in a meaningful, actionable way that assures the implementation of a secure solution.
Penetration testing isn't just finding every vulnerability
Operating under the paradigm I discussed above, business leaders believe they understand how a penetration test will happen. They imagine that a penetration tester will run their tools and develop a list of vulnerabilities. Then, IT will go down the list and patch each of those vulnerabilities—resulting in a perfectly secure network.
But perfect security like this doesn't exist. I've worked with countless businesses, and I've never known one to successfully reach this utopian state with every imaginable vulnerability plugged.
That's because penetration testing is about finding known vulnerabilities and providing context that helps business leaders decide what needs to be remediated and what can be accepted.
Skilled penetration testers don't just leave a stack of vulnerabilities on the desk of a project leader without context. Instead, they present findings in a way that allows project leaders to understand the vulnerabilities and make business decisions about them. That's because …
Penetration testing is a risk mitigation technique
There's a reality in cybersecurity that's sometimes hard to translate into business speak: not every threat needs to be protected against. A capable, motivated actor is needed to turn a vulnerability into a cyberattack (and I'll explore this in detail in my forthcoming book, Cyber Risk Management).
An executive might scoff at this—after all, they want the best security, and the best security should mean being able to block every threat.
But it's easier to conceptualize if you think of it in terms of your safety. In a given day, there are millions of very rare, hazardous things that could happen. You could, for instance, walk by a building leaking some poisonous gas. But given the extreme rarity of such an event, it would be a wasted investment to buy a gas mask and somewhat silly to wear it. A potted plant could fall off a windowsill and land on your head, but this doesn't justify wearing a hard hat at all times.
Many of the vulnerabilities in cyberspace—especially those that make headlines—are like those rare hazards in the physical world that you probably won't ever encounter.
Zero-day exploits executed by nation-state actors do happen. Still, the chances that they will be aimed at a micro-SMB (small or mid-sized business) are low, given the effort, cost, and perseverance required for hackers to make such an attack happen. So, a micro-SMB without a good reason (and there are some) to expect to be targeted by a nation-state actor would probably not want to spend a huge amount of resources preparing for one and would be better served focusing on more pressing threats.
This is a big reason why just listing vulnerabilities isn't the right approach. Instead, penetration testing should be performed in conjunction with red teaming, which analyzes security risks with the threat actor's perspective in mind.
Red teaming gives vital context to a penetration test
Knowing who is targeting an enterprise for a hack and understanding the motivations and resources of that individual or group is key to understanding what sort of hacks a business should expect, plan for, and defend against.
That's why red teaming—in which a cybersecurity pro plays the role of different types of threat actors intending to break into a network—is so central to increasing the effectiveness of a penetration test.
Suppose a cybersecurity pro knows, for instance, that the most likely and realistic threat to the SMB comes from disgruntled employees. In that case, they'll put themselves into that mindset—snagging laptops off desks in the office to see what they can find and so on.
Instead of generating a giant list of vulnerabilities, they create a smaller, pointed list that the people targeting the enterprise will likely try to exploit.
In fact, the most realistic vulnerabilities may not even show up in such a penetration test unless an IT security team is poking and prodding at the network with a hacker-like level of cunning and curiosity.
Red teaming helps add critical context to a penetration test. And context is what businesses need to understand what steps to take. For a red team, the goal is to get their hands on the information they want however they can. Penetration testing has a narrowly defined scope; for red teaming, the scope is defined only by what information the red teamer needs—they set the goal posts.
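The prioritization argued for above, as an added illustration that is not from the article: findings are ranked against the threat actors a red team considers realistic for this organization instead of being handed over as a flat list. The actor profiles and findings are constructed sample data, and the scoring model (business impact times the likelihood of the likeliest actor actually capable of exploiting the finding) is an assumption of this example, not a CompTIA or industry formula.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatActor:
    name: str
    capability: int    # 1 (opportunistic) .. 5 (zero-days, nation-state tooling)
    likelihood: float  # chance this actor targets the organization, 0..1

@dataclass(frozen=True)
class Finding:
    title: str
    impact: int               # business impact if exploited, 1..5
    required_capability: int  # minimum actor capability needed to exploit it

def score_finding(finding, actors):
    """Risk = impact x likelihood of the likeliest actor capable of exploiting it."""
    capable = [a for a in actors if a.capability >= finding.required_capability]
    if not capable:
        return 0.0, None  # no realistic actor can use this finding
    worst = max(capable, key=lambda a: a.likelihood)
    return finding.impact * worst.likelihood, worst.name

def prioritize(findings, actors, accept_below=1.0):
    """Split findings into (remediate, accept); remediate is sorted high-risk first."""
    remediate, accept = [], []
    for f in findings:
        risk, actor = score_finding(f, actors)
        entry = (f.title, round(risk, 2), actor)
        (remediate if risk >= accept_below else accept).append(entry)
    remediate.sort(key=lambda e: e[1], reverse=True)
    return remediate, accept

# Constructed micro-SMB profile: insiders and commodity crews are realistic; a
# nation-state actor is not, so its likelihood is 0.0 (the article's argument).
MICRO_SMB_ACTORS = [
    ThreatActor("disgruntled employee", capability=2, likelihood=0.6),
    ThreatActor("commodity ransomware crew", capability=3, likelihood=0.4),
    ThreatActor("nation-state", capability=5, likelihood=0.0),
]
# Constructed sample findings, as a tester might record them.
SAMPLE_FINDINGS = [
    Finding("Unlocked laptops with cached credentials", impact=4, required_capability=1),
    Finding("Outdated VPN appliance firmware", impact=5, required_capability=3),
    Finding("Theoretical zero-day in hardened hypervisor", impact=5, required_capability=5),
    Finding("Verbose server banner", impact=1, required_capability=1),
]

if __name__ == "__main__":
    todo, accepted = prioritize(SAMPLE_FINDINGS, MICRO_SMB_ACTORS)
    print("remediate:", todo, "\naccept:", accepted)
```

Changing the actor profile (for example, giving the nation-state entry a non-zero likelihood for a defense contractor) moves the hypervisor finding from the accept list to the remediate list, which is exactly the context the article says a flat vulnerability list cannot carry.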
Remembering third-party relationships is also critical
Just as red teaming bolsters the value of a penetration test by finding those holes in the system that won't appear on a straightforward, by-the-books assessment of infrastructure, so does assessing the vendors you're working with to make sure they have their cybersecurity ducks in a row.
While you probably won't be able to kick the tires on a company's infrastructure too much, you can ask questions to ensure they're taking industry-standard precautions.
For business leaders, since certifications carry such weight in validating the skills of IT professionals, confirming that a partner has CompTIA-certified IT staff working on and securing its infrastructure can serve as shorthand that they're doing it right.
It's also critical to check in on things like the overall robustness of the company's approach to data privacy, the PCI-DSS compliance of their payment ecosystem, and the implementation of a structured information security management system.
Communication is the better part of penetration testing
When IT pros think about penetration testing, they may think about port scanners and other tools of the trade. Those things are all, of course, important. But knowing how to use these tools and interpret their feedback is only part of the responsibility.
Terms like port scanning, SQL injection, and the like are well-established parts of the cybersecurity vocabulary. But such terms don't convey much for a CEO, chief financial officer (CFO), or marketing executive.
To do penetration testing right, a cybersecurity pro has to take that threat actor–based understanding of vulnerabilities and the likelihood they'll be exploited and communicate it to management in a way that makes sense to them.
Understanding the level of technical knowledge of your audience and knowing how to report the results of a penetration test to an audience are built into the exam objectives of CompTIA PenTest+. Taking the necessary steps to secure an app and being able to clearly explain why a vulnerability is dangerous and how it is best approached is just as important as being able to recognize it.
Penetration testing should set up departments to own vulnerabilities
A final, critical difference between how penetration testing often goes and how it should go is that, contrary to what businesses often believe, the results of a penetration test aren't just IT's to manage.
Take, for example, a situation in which a marketing department has, during a campaign, publicly made available a spreadsheet featuring key information about executives' personal hobbies. A hacker could find such information and use it to craft a targeted spear-phishing email.
A high-quality IT pro would discover this during a penetration test. But IT probably doesn't manage the website or control how marketing uses data. Marketing has to be made aware of the vulnerability so it can take the necessary steps to secure things.
Just as communication skills are critical for the IT pro, receptiveness is critical for the business. That means having a point person in each department who can take action to fix the vulnerabilities IT points out.
IT pros and businesses: Shifting away from checkbox thinking
The strategy above paints a very different picture of penetration testing than the one often deployed. It's one that successful businesses—and quality IT pros—will continue to adopt as cybersecurity continues to be the top priority for any business.
For cybersecurity professionals, it means harvesting information on real potential threats, not just far-out possibilities, and communicating what those threats mean in a way companies can understand.
For organizations, it means setting up each department to act based on a penetration tester's findings.
This synergy between IT and the rest of the company is critical in keeping apps, networks, and everything else cybersecure—at the build-out stage and beyond.