Penetration testing: a how-to guide for enterprises
A new approach to traditional challenges
Penetration testing is the cornerstone of any cyber security strategy, yet enterprises often don’t get an optimal outcome from their pen test engagements. In this blog I’ll be looking at the three main reasons behind this, and also suggesting an alternative way of working that could vastly improve security outcomes whilst also increasing business value.
Understanding complex enterprise challenges
The first issue is the technical complexity of the infrastructure underpinning enterprise operations. Enterprise IT infrastructure is all too often a sprawling and chaotic mix, thanks to a history of legacy equipment, acquisitions, fast growth and now not only hybrid environments but also multi cloud workloads. This makes it difficult for a pen test provider to understand the big-picture of your technical landscape, which hinders the planning and execution of a test for customers, often leading to isolated testing. For example, the deep technical complexity can prevent proper planning and clarity, meaning the pen tester’s focus is dictated by budget, not by security objective. This is often also because the business looks at each project as an isolated security risk, or are not even thinking about that at all, and so it becomes just part of a project checklist.
Next is the issue of finding a reputable and reliable penetration testing provider that an enterprise can trust. Crucially, the provider should focus on delivering an innovative service that adds value compared to a standard test. But with so many security providers in the marketplace, and pen tests starting to become commoditised, what should you really look for in a provider?
Lastly, there is the challenge of the provider understanding the strategic aims behind your penetration test or how the product/infrastructure works under the hood. Without this understanding, the test will be poorly aligned to your corporate goals and is unlikely to result in sound business value. Is a penetration test really what you’re looking for, or do you actually want to test your security in other ways? For example, an enterprise may be looking for an attack simulation to test the security investments they have made, but the pen tester is focused on identifying the path of least resistance to gaining access to sensitive data, a common test can purely highlight vulnerabilities that can be identified with a quick review of patch levels , config review and a good asset inventory.
We can sum up the three main challenges as follows:
Solutions to improve your testing outcomes
Having the technical infrastructure fully understood should be a prime consideration when procuring your penetration test. Your vendor should show an understanding that enterprise and SME tests are fundamentally different. For example, enterprise engagements typically include more hybrid and legacy infrastructure which demand a highly segmented scope, compared to the traditional SME ethos of ‘test everything’.
It should also appreciate enterprise-centric problems such as shadow IT, where temporary and development environments are left unused, unnoticed and unsecured. As revealed in the Bulletproof 2021 Cyber Security Industry Report, 85% of honeypot brute-force attacks used just 3 default credentials. This shows that common default credentials are a successful attack vector for hackers, which greatly heightens the risks of shadow IT.
Selecting a partner with a stand-out reputation will reap far more benefits that choosing one based on market share alone, where even larger organisations might find themselves as ‘just another customer’. Certification with penetration testing security standards is a useful yardstick, but their ubiquity has also levelled the playing field. So in addition to certifications, we recommend enterprises seek vendors who demonstrate insight and knowledge of the intricacies of the subject. Look for providers who release regular industry research reports and whose testers have multiple CVEs to their name, as these are excellent indicators of expertise and passion.
Blogs too can be a good gauge of the prevailing attitudes within an organisation. A penetration test provider that blogs about interesting and novel projects is likely to be a more innovative and credible organisation than one whose blogs are generic or sales focussed. Lastly, look for a partner who has broad experience in other areas, such as SIEM, as this will give a wide-angle understanding of enterprise problems and niche skills through team collaboration and customer insights.
Good penetration testing outcomes stem from working closely with a partner that grasps yours organisation’s strategic security goals in addition to understanding your technical implementation. It is vital that you find a pen test partner who takes the time to ask questions about the aims and objectives driving the test, rather than one who simply pushes you to sign a contract.
Equally, you must be prepared to answer the questions honestly. This consultative approach can uncover the real drivers behind the test, and you might find that what your organisation really needs is an adversary simulation (red teaming), or to test security readiness (incident response test). Not being a cookie-cutter customer is the only way to get real value from a penetration testing project.
So now we can sum up the 3 answers to the challenges. You should find a pen test partner who:
- Shows an understanding of enterprise IT challenges
- Demonstrates expertise, insight and passion
- Asks questions about the strategic aims underpinning the test
A new way to approach pen tests
Traditional pen test schemes can struggle to integrate smoothly with modern IT methodologies, such as agile software development and devops practices. This creates inefficiencies in testing and security oversights, lowering a pen test’s value and often giving a false sense of security. To avoid security risks and prevent data breaches, enterprises need to change the way their penetration testing projects are procured and run in the modern age of computing.
Enterprises should take a holistic approach to security and run penetration tests as part of an overarching strategy. This means penetration tests should be objective-based and procured as part of a wider on-going security project. In the example of an agile software development lifecycle (SDLC), testing key sections of the application as they change rather than always trying to cover the whole application will make the test more robust and focused. If done well it can reveal if security flaws are a result of a particular developer’s bad habits or from a poor coding culture. Addressing these issues directly will drastically increase the security of the application as pen testing becomes part of the SDLC. The best approach is to make sure pen testing services is part of the early stages of development, saving time and money remediating further down the line, reducing developers getting blocked and frustrated by security. Key to this success is forming a close relationship with a trusted penetration testing provider, rather than splitting tests across multiple providers on an ‘as and when’ basis or to the cheapest quote for that particular test.
Building penetration testing into a unified security solution
No security service exists in isolation and there are synergistic services that can accompany penetration testing to have a transformational effect on enterprise security. Linking penetration test results to an asset management system transforms pen test results into threat intelligence, giving enterprises extra security insight and making remediation quicker and more effective. Penetration test results should be considered part of an organisation’s whole threat profile, with results analysed in the same place as analyst events, VA scan results and compliance tracking. This ‘single pane of glass’ approach gives an aerial view of an organisation’s security posture, making it easier and more cost-effective to prioritise and combat security threats.
Summary: a smarter way to manage your security scanning strategy
Even when the primary business driver for booking a test is a box-tick from a compliance or supply chain requirement, it’s vital for an organisation’s security teams that a good testing outcome is still achieved. As a result, enterprises frequently select a big-name vendor in the hope of securing a high-quality test, but what results instead is a cookie-cutter service that fails to truly meet business objectives. Preferably, enterprises should seek reputable suppliers who can show both technical and strategic understanding, as well as demonstrate an innovative approach. This will greatly improve the value penetration testing gives, and increase your organisation’s security in real terms.
Get maximum value from your pen test
Get a value-driven penetration test from Bulletproof. Prevent data breaches, meet compliance requirements and inspire confidence in your customers.
Learn moreRelated resources
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.