How often should you conduct penetration testing?

In a rapidly shifting attack landscape against the backdrop of a hackers' black market worth billions, if you wait to pentest -- you lose.
Written by Violet Blue, Contributor
Too many only do a pentest after they've been scorched.


Still, unless required by law, too many companies and organizations only do a penetration test when they have to.

Often, it's because they need to comply with regulations or they've been told they need to prove they're secure, in which case it's a checklist security audit by the numbers.

Most unfortunately, too many only do a penetration test after they've been scorched: when hackers have successfully gotten in, executed a payload, made off with valuable IP, records, and customer PII, and cost the company more than it probably knows or can calculate.


They're picking up the pieces, fending off a PR nightmare as well as a roasting by shareholders, and trying to figure out what happened.

Former Black Hat General Manager Trey Ford tells us, "Regulations like PCI require a minimum of once a year, or after any major change – this would apply to infrastructure or code."

"I think the first part of this discussion falls to ‘what exactly is a penetration test’?" Ford elaborated, "Depending on who you talk to, this may include web application security testing, network scanning and exploitation, social engineering and phishing, wireless testing and more."

Problem: Attacks evolve faster than requirements

Just over five years ago, penetration testing -- "pentesting" -- was the subject of articles in IT security journalism posed as a debate whether or not a pentest was even worth doing. A lot has changed in a short amount of time.

Pentesting has mutated rapidly to match a cyber black market packed with highly skilled criminals, government resources, and attack agility that can far outpace even the most moneyed, sophisticated enterprise defenses.

Modern penetration testing is more than a scan, and definitely more than a tick-the-boxes compliance requirement.

While some of it is automated, pentesting like you mean it demands hiring a team of the best attackers your money and research can get, and asking them not just to attack but also to exploit your defenses. Mr. Ford explained, "Organizations seek to understand a malicious view of their organization, their business processes, and the data they have custodianship of, what key systems and infrastructure may be most exposed to attack, or damaging to their interests."

Pentesting is today's growth sector, easily seen in security company Rapid7's rapid expansion. Regarded as a fierce leader in security analytics software and services, Rapid7 has a sprawling pentesting suite that includes the famous Metasploit ("The attacker's playbook") and its huge, active 200,000+ member community.

Rapid7 just saw its 21st quarter of record-breaking revenue; the company has 13 offices around the globe and boasts that "27 percent of Fortune 1000 companies now use Rapid7’s products to assess network vulnerabilities and mitigate information security risks."

Its clients span global sectors including banking and healthcare, and include Diebold, Deutsche Telekom, Panasonic, Rodale, Revlon, Trader Joe's, Virgin Atlantic, and many others.

Metasploit's engineer and Technical Framework Lead Tod Beardsley sees an average of 1.2 exploits added per day to Metasploit's attacker playground.

Beardsley told ZDNet, "Everyone benefits from regular pentesting. Some organizations have to. Everyone else merely should."

He added wryly, "When shouldn't a company pentest?"

Problem: A "one size fits all" pentest strategy

Beardsley explained that the question of "how often" is complicated by the fact that some businesses need pentesters more than others. He said, "Some industries – for example the financial sector – are more regulated than others, and have to meet pentesting requirements."

However, I would say that any organization that handles data that they care to keep confidential has some level of basic responsibility to ensure their network configuration and defenses are adequate at that mission.

In addition, if a company doesn't want to be an unwitting host for malware distribution, it would behoove that company to make sure that it's not susceptible to external control of their data and bandwidth resources.

There's a joke being passed around some of the darker security communities in the ramping-up to this week's biggest American security and hacking conferences, Black Hat USA and DEFCON. It goes like this:

According to Rapid7's research, spear phishing is a factor in over 9 out of 10 both targeted and state-sponsored attacks.

It's not just management's load to carry; Rapid7 told ZDNet that security is now a matter of individual employee education and duty. "Similarly, the IT organization of a company has some responsibility to its employees' Internet safety and security; many, many people use company resources for normal, personal use, and if the employees are falling victim to phishing schemes, they're going to represent risk."

"There are a thousand touch points between the "outside" network and the "internal" network," explained Mr. Beardsley. "As modern work life moves more and more into the home office (which is really just a laptop on a kitchen table, from which I'm writing these responses), there are risks to an organization that they may never even consider, much less control."

He elaborated,

Take home routers, for example. There has been a wave of news about vulnerabilities and even straight backdoors into these ubiquitous devices, which not only bring the Internet into our homes, but keep employees tethered to their work.

If a home router used by the company's CFO gets popped by an adversary, it's not difficult to imagine that adversary using this control to completely subvert the CFO's home systems.

Many VPNs don't do a whole lot of good against a compromised endpoint, after all -- they're designed to secure traffic as it traverses a network.

The first thing a company should do, he told ZDNet, is "lock down its DNS service, and companies should demand routine and regular testing of their DNS change procedures."

"If you control a company's DNS, you control virtually all of their e-mail, and that's where the routine, day-to-day secrets live."
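One way to put Beardsley's "routine and regular testing of DNS change procedures" into practice is a baseline check that flags drift in the records an attacker would alter to take over a company's mail. This is an added example, not code from the article or from Rapid7; the zone, nameservers and record values below are constructed, and in real use the `observed` dictionary would be filled from a resolver after every DNS change and on a schedule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsBaseline:
    """Approved records for one zone, maintained through the DNS change process."""
    ns: frozenset   # authoritative nameserver hostnames
    mx: frozenset   # mail exchanger hostnames (priority not compared here)
    spf: str        # the single expected SPF TXT record

def check_dns_drift(baseline: DnsBaseline, observed: dict) -> list:
    """Compare resolver output ({'NS'|'MX'|'TXT': [str]}) with the baseline.
    Returns (severity, message) pairs; an empty list means no drift."""
    findings = []
    ns_obs = frozenset(observed.get("NS", []))
    for host in ns_obs - baseline.ns:
        findings.append(("HIGH", f"unexpected NS {host}: zone may be delegated elsewhere"))
    for host in baseline.ns - ns_obs:
        findings.append(("MEDIUM", f"expected NS {host} is missing"))
    mx_obs = frozenset(observed.get("MX", []))
    for host in mx_obs - baseline.mx:
        findings.append(("HIGH", f"unexpected MX {host}: inbound mail could be rerouted"))
    for host in baseline.mx - mx_obs:
        findings.append(("MEDIUM", f"expected MX {host} is missing"))
    # SPF: exactly one record, and it must match the approved policy verbatim.
    spf = [t for t in observed.get("TXT", []) if t.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(("HIGH", f"expected exactly one SPF record, found {len(spf)}"))
    elif spf[0] != baseline.spf:
        findings.append(("HIGH", f"SPF record changed to: {spf[0]}"))
    return findings

# Constructed sample data for a hypothetical zone; in use, fill these from a resolver.
BASELINE = DnsBaseline(
    ns=frozenset({"ns1.example.net.", "ns2.example.net."}),
    mx=frozenset({"mail.example.com."}),
    spf="v=spf1 mx -all",
)
CLEAN = {"NS": ["ns1.example.net.", "ns2.example.net."],
         "MX": ["mail.example.com."],
         "TXT": ["v=spf1 mx -all"]}
# The same zone after an unapproved change: a second MX and a widened SPF.
DRIFTED = {"NS": ["ns1.example.net.", "ns2.example.net."],
           "MX": ["mail.example.com.", "unknown-relay.example."],
           "TXT": ["v=spf1 mx include:unknown-relay.example -all"]}

if __name__ == "__main__":
    for severity, message in check_dns_drift(BASELINE, DRIFTED):
        print(severity, message)
```

Wire the same comparison into the change ticket workflow so a DNS edit is not closed until the check comes back clean.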

After that, Beardsley continued, basic "perimeter" pentesting is in order. "Identifying the assets a company has that are Internet facing (web, e-mail, VPN, file sharing, etc), and rigorously and routinely testing them for breachability is important, since the most obvious attacks are going to occur there."


Divulging a critical piece of today's most effective attack strategies, Rapid7's Metasploit Lead told us, "Internal penetration testing is getting even more important, given the pervasiveness of smart phones and other devices in the workplace that the employer doesn't control."

"These devices are effectively dual-homed, spending a lot of time out on their ISP's network, and a lot of time on the company's internal networks," he said, "making for attractive targets for intruders."

That's where you need to worry about your employee's Android device carrying malware into your office network, and why everyone in your office needs to know about how exploitable those little keychain flash drives really are -- before they plug in.

You might think that Rapid7's Beardsley wants organizations pentesting as often as a chiropractor wants return visits (as in, for the money, not your health), yet it's hard to dismiss not just his position of expertise, but the attack landscape logic revealed in his reasoning.

"Most organizations take their guidance from the regulations that they're subject to, for example in the financial or retail sectors." Referencing a sobering truth, he tells us "This often translates to a once-a-year commitment."

Beardsley cautions, "If an attacker succeeds at uncovering a novel ingress technique that the pentester didn't consider, the good guys lose."

Anyone keeping up with today's headlines can see that once a year isn't gonna cut it.

However, he said, "companies with more sophisticated security programs have rolling penetration testing, with several different kinds of engagements throughout the year. This lets them focus on different problem areas and reach solutions much faster than an annual regulatory requirement would find."

Beardsley explained that it's difficult to categorize how important particular pentest strategies are, and that's why -- yes -- your organization should pentest more often than required (or even desired). You need to go beyond the requirements for your defense.

It's clear that there is no one-size-fits-all answer to the question of how often you should pentest.

And if anyone offers you a simple answer or a Band-Aid prescription without doing a real needs and risk assessment that includes soft targets specific to your organization as well as up-to-the-minute threat trends...

Wish 'em luck, because they're gonna need it.
