How often should you conduct penetration testing?

Summary: In a rapidly shifting attack landscape against the backdrop of a hackers' black market worth billions, if you wait to pentest -- you lose.

Still, unless required by law, too many companies and organizations only do a penetration test when they have to.

Often, it's because they need to comply with regulations or they've been told they need to prove they're secure, in which case it's a checklist security audit by the numbers.

Most unfortunately, too many only do a penetration test after they've been scorched: when hackers have successfully gotten in, executed a payload, and made off with valuable IP, records, and customer PII, costing the company more than it probably knows or can calculate.

They're picking up the pieces, fending off a PR nightmare as well as a roasting by shareholders, and trying to figure out what happened.

Former Black Hat General Manager Trey Ford tells us, "Regulations like PCI require a minimum of once a year, or after any major change – this would apply to infrastructure or code."

"I think the first part of this discussion falls to ‘what exactly is a penetration test’?" Ford elaborated, "Depending on who you talk to, this may include web application security testing, network scanning and exploitation, social engineering and phishing, wireless testing and more."

Problem: Attacks evolve faster than requirements

Just over five years ago, penetration testing -- "pentesting" -- was the subject of articles in IT security journalism posed as a debate whether or not a pentest was even worth doing. A lot has changed in a short amount of time.

Pentesting has mutated rapidly to match a cyber black market packed with highly skilled criminals, government resources, and attack agility that can far outpace even the most moneyed, sophisticated enterprise defenses.

Modern penetration testing is more than a scan, and definitely more than a tick-the-boxes compliance requirement.

While some of it is automated, pentesting like you mean it demands hiring a team of the best attackers your money and research can get, and asking them to not just attack, but also to exploit your defenses. Mr. Ford explained, "Organizations seek to understand a malicious view of their organization, their business processes, and the data they have custodianship of, what key systems and infrastructure, may be most exposed to attack, or damaging to their interests."

Pentesting is today's growth sector, easily seen in security company Rapid7's rapid expansion. Regarded as a fierce leader in security analytics software and services, Rapid7 has a sprawling pentesting suite that includes the famous Metasploit ("The attacker's playbook") and its huge, active 200,000+ member community.

Rapid7 just saw its 21st quarter of record-breaking revenue; the company has 13 offices around the globe and boasts that "27 percent of Fortune 1000 companies now use Rapid7’s products to assess network vulnerabilities and mitigate information security risks."

Its clients span global sectors including banking and healthcare, and include Diebold, Deutsche Telekom, Panasonic, Rodale, Revlon, Trader Joe's, Virgin Atlantic, and many others.

Metasploit's engineer and Technical Framework Lead Tod Beardsley sees an average of 1.2 exploits added per day to Metasploit's attacker playground.

Beardsley told ZDNet, "Everyone benefits from regular pentesting. Some organizations have to. Everyone else merely should."

He added wryly, "When shouldn't a company pentest?"

Problem: A "one size fits all" pentest strategy

Beardsley explained that the question of "how often" is complicated by the fact that some businesses need pentesters more than others. He said, "Some industries – for example the financial sector – are more regulated than others, and have to meet pentesting requirements."

However, I would say that any organization that handles data that they care to keep confidential has some level of basic responsibility to ensure their network configuration and defenses are adequate at that mission.

In addition, if a company doesn't want to be an unwitting host for malware distribution, it would behoove that company to make sure that it's not susceptible to external control of their data and bandwidth resources.

There's a joke being passed around some of the darker security communities in the ramping-up to this week's biggest American security and hacking conferences, Black Hat USA and DEFCON. It goes like this:

According to Rapid7's research, spear phishing is a factor in over 9 out of 10 targeted and state-sponsored attacks.

It's not just management's load to carry; Rapid7 told ZDNet that security is now a matter of individual employee education and duty. "Similarly, the IT organization of a company has some responsibility to its employees' Internet safety and security; many, many people use company resources for normal, personal use, and if the employees are falling victim to phishing schemes, they're going to represent risk."

"There are a thousand touch points between the "outside" network and the "internal" network," explained Mr. Beardsley. "As modern work life moves more and more into the home office (which is really just a laptop on a kitchen table, from which I'm writing these responses), there are risks to an organization that they may never even consider, much less control."

He elaborated,

Take home routers, for example. There has been a wave of news about vulnerabilities and even straight backdoors into these ubiquitous devices, which not only bring the Internet into our homes, but keep employees tethered to their work.

If a home router used by the company's CFO gets popped by an adversary, it's not difficult to imagine that adversary using this control to completely subvert the CFO's home systems.

Many VPNs don't do a whole lot of good against a compromised endpoint, after all -- they're designed to secure traffic as it traverses a network.

The first thing a company should do, he told ZDNet, is "lock down its DNS service, and companies should demand routine and regular testing of their DNS change procedures."

"If you control a company's DNS, you control virtually all of their e-mail, and that's where the routine, day-to-day secrets live."
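One way to put Beardsley's "lock down DNS and test the change procedure" advice into practice is a routine check that diffs the zone's live records against the change-controlled baseline and flags anything that would redirect mail or delegation. This is an added example, not code from the article or from Rapid7; the domain, record values and dig-style snapshot are constructed for illustration.

```python
# Added example: DNS change-control check. Diffs a current snapshot of public
# records against an approved baseline and flags unexpected NS/MX changes, the
# records that hand an attacker the zone or its e-mail. All values are constructed.
from collections import defaultdict

# Approved baseline: what change control says the zone should contain.
BASELINE = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("mail.example.com.", "A"): {"192.0.2.25"},
    ("example.com.", "TXT"): {'"v=spf1 mx -all"'},
}

# Constructed snapshot in dig-style presentation format (name ttl class type rdata).
SNAPSHOT = """\
example.com.        3600 IN NS  ns1.example-dns.net.
example.com.        3600 IN NS  ns2.example-dns.net.
example.com.         300 IN MX  10 mail.example.com.
example.com.         300 IN MX  5 relay.unapproved.test.
mail.example.com.    300 IN A   192.0.2.25
example.com.         300 IN TXT "v=spf1 mx -all"
"""

HIGH_RISK = {"NS", "MX"}  # unexpected change here means mail or zone takeover

def parse_snapshot(text):
    """Parse dig-style lines into {(owner, type): set(rdata)}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip blank or garbled lines rather than trusting them
        owner, _ttl, _cls, rtype, rdata = parts
        records[(owner, rtype)].add(rdata.strip())
    return dict(records)

def diff_against_baseline(baseline, current):
    """Return a list of (severity, owner, type, change, rdata) findings."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        owner, rtype = key
        severity = "HIGH" if rtype in HIGH_RISK else "MEDIUM"
        for rdata in sorted(current.get(key, set()) - baseline.get(key, set())):
            findings.append((severity, owner, rtype, "added", rdata))
        for rdata in sorted(baseline.get(key, set()) - current.get(key, set())):
            findings.append((severity, owner, rtype, "missing", rdata))
    return findings

if __name__ == "__main__":
    for f in diff_against_baseline(BASELINE, parse_snapshot(SNAPSHOT)):
        print("%-6s %-20s %-4s %-8s %s" % f)
```

Run it from cron or a CI job against the output of `dig +noall +answer` for each record type, and treat any HIGH finding as a change-control incident unless it matches an approved ticket.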

After that, Beardsley continued, basic "perimeter" pentesting is in order. "Identifying the assets a company has that are Internet facing (web, e-mail, VPN, file sharing, etc), and rigorously and routinely testing them for breachability is important, since the most obvious attacks are going to occur there."

Divulging a critical piece of today's most effective attack strategies, Rapid7's Metasploit Lead told us, "Internal penetration testing is getting even more important, given the pervasiveness of smart phones and other devices in the workplace that the employer doesn't control."

"These devices are effectively dual-homed, spending a lot of time out on their ISP's network, and a lot of time on the company's internal networks" he said, "making for attractive targets for intruders."

That's where you need to worry about your employees' Android devices carrying malware into your office network, and why everyone in your office needs to know how exploitable those little keychain flash drives really are -- before they plug in.

You might think that Rapid7's Beardsley wants organizations pentesting as often as a chiropractor wants return visits (as in, for the money, not your health), yet it's hard to dismiss not just his position of expertise, but the attack landscape logic revealed in his reasoning.

"Most organizations take their guidance from the regulations that they're subject to, for example in the financial or retail sectors." Referencing a sobering truth, he tells us "This often translates to a once-a-year commitment."

Beardsley cautions, "If an attacker succeeds at uncovering a novel ingress technique that the pentester didn't consider, the good guys lose."

Anyone keeping up with today's headlines can see that once a year isn't gonna cut it.

However, he said, "companies with more sophisticated security programs have rolling penetration testing, with several different kinds of engagements throughout the year. This lets them focus on different problem areas and reach solutions much faster than an annual regulatory requirement would find."

Beardsley explained that it's difficult to categorize how important particular pentest strategies are, and that's why -- yes -- your organization should pentest more often than required (or even desired). You need to go beyond the requirements for your defense.

It's clear that there is no one-size-fits-all answer to the question of how often you should pentest.

And if anyone offers you a simple answer or a Band-Aid prescription without doing a real needs and risk assessment that includes soft targets specific to your organization as well as up-to-the-minute threat trends...

Wish 'em luck, because they're gonna need it.

Talkback

5 comments
  • How often should you conduct penetration testing?

    As often as she will let you!
    The Central Scrutinizer
    • where's my donut?

      c'mon, Joe, I been waitin since '79!
      pgit
  • Code/data separation

    Can we go back to basics and separate executable code from data? If data, be it a graphic, text document, spreadsheet or whatever, was purely data, and resided in data-space, would that protect the computers from email, browser, or download malware? Embedded code, such as Java, could be prohibited from accessing anything beyond temporary storage and display. That still doesn't protect against back-door exploits, but again, modifying or saving anything except data (not system data though, i.e. config files) except from a system console, could. If remote service is required, someone on-site should need to verify those sort of changes.
    ShaneK
    • The problem is that there is no difference between code and data

      Is HTML code or data?

      To the web archive it is just data. To the browser it contains code to be interpreted. Sometimes it is code to be interpreted by the server (such as PHP), other times it is just static data.

      The rest is up to the capability of the operating system as to how well it can compartmentalize each service/application.
      jessepollard
  • A man at Silicon Graphics

    wrote a program called SATAN, which attacks computer systems with the latest techniques. It was misunderstood, but it would have been very useful. Companies could attack their own systems with the latest hacking tools. If they got in, there is a problem. Point and click, simple to run. This is the only way to be SURE you have security. Everything else makes you a "Target".
    Tony Burzio