Penetration Testing Has Come Of Age – How to Take Your Security Program to the Next Level

Today it's hard to find an organization that operates without penetration tests. Thanks to heightened awareness on the part of the management and compliance standards such as PCI DSS, penetration tests are on every CISO's to-do list.

Multiple varieties of penetration tests have emerged, including Black Box, White Box and even Grey Box, covering different aspects of IT setup: External Network, Internal Network, Wireless Network, Web Application, etc. Many organizations have a detailed plan to perform a combination of these tests every year.

I think this is the right time to pause and ask a few questions:

  1. What value are you deriving from the annual penetration tests?
  2. Could you put some of that budget to a different and better use (Compliance permitting)?

Penetration tests attempt to answer the question, "Can my controls be breached?" A report with no high- or medium-risk findings offers reassurance that everything is under control and that security controls are operating as intended - at least according to popular opinion.

But the question, "Can my controls be breached" makes several inherent assumptions - and not all have merit. They are:

  1. My controls are not already breached at the time of testing.
  2. Breaches happen only because some control is either missing or misconfigured, and a penetration test would find that out.
  3. Penetration testing comprehensively tests all possible routes into the network.

Mandiant assesses hundreds of organizations around the world every month, and we find 95% of them "breached" with clear evidence of advanced attackers controlling their internal systems. We frequently find that the breach happened in spite of traditional controls operating effectively. So it's not that the IPS was down or that a firewall was misconfigured and that's how the attacker got in. The attackers employed advanced means to bypass these controls and got in without being noticed.

This shouldn't come as a surprise to anyone. If I were to use an analogy, getting breached is like falling ill. Everyone gets sick from time to time, and by the same token, every organization can become a victim of an attack and get breached.

So if this were your health, a prudent question would not be, "Can I fall sick right now?" The answer to that question may depend on a multitude of factors that could be evaluated to determine your current susceptibility to illness. We know that despite your diet, exercise, sleep patterns, etc., at some point or the other, you will fall sick. The prudent question to ask is, "Am I already sick but unaware of it?" And that's the real question we seek to answer when we go for our annual health checks.

By the same token, if you are really concerned about the health of your network, the most important question to ask is, "Am I unaware of an existing breach?" You should ask this question at least once a year and have experts assess your network for signs of a breach - just as you have them assess your network for signs of controls weakness.

Mandiant's Security Consulting Services offer such a service called a Compromise Assessment. Mandiant's Compromise Assessment is a unique service that allows you to evaluate your networks for the presence of advanced attacker activity.

Compromise Assessments have helped organizations identify and address issues that, in some cases had existed undetected for years and enabled the ongoing theft of valuable intellectual property. You can read more about the service here and contact us if you are interested. , In addition, you should consider augmenting penetration tests with Compromise Assessments to ensure that you are not focused on protecting your network perimeter while attackers are embedded in the internal network. Another scenario where a Compromise Assessment would be prudent is when you are taking over as the CISO of a new organization. In such a situation, a Compromise Assessment would help you ensure that you are inheriting a clean, healthy network.