Sharpen penetration tests to foil cybercrime

Penetration testing is a key tool against attack, but standards are vital in keeping it effective, says Alan Calder

Penetration testing can point up flaws that cybercriminals exploit. But effective tests must go beyond short-term analysis and remediation, says Alan Calder.

The UK National Security Strategy identifies cyberattack as a Tier 1 threat — the highest level of risk, alongside international terrorism, international military crises and major accidents or natural hazards. But I think cyberattacks stand alone.

After all, international terrorists have an identifiable cyber capability, and any military crisis is likely to carry a significant element of cyberthreat. Since the information we need to respond to almost any major national incident, such as a flu pandemic, is stored electronically, the risk of cyberattack permeates that entire Tier 1 list.

Penetration testing is an important weapon in the fight against cyberattack — by examining and testing the technical security measures an organisation has in place to protect its networks and applications.

Information security priorities

Any company that takes information security seriously also needs to be taking penetration testing seriously. I might add that any company that does not take information security seriously shouldn't be surprised when it is attacked by cybercriminals.

Cybercriminals target IP addresses, website applications, firewalls, network devices, hardware and software. All internet-facing networks and resources are subject to automated, malicious probing and, when a vulnerability is detected, the exploitation of that vulnerability is also usually automatic. No organisation is immune.

A security breach of this nature, and the theft of data — personal or commercially confidential — or other business interruption, exposes an organisation to commercial and compliance penalties that can be significant.

Effective penetration testing involves the simulation of a malicious IT attack, using a carefully planned combination of methods and tools to mimic the range of possible attacks. Instead of completing the attack, penetration testers will document the vulnerability and recommend steps to reduce the risk. The consequent findings form the basis of a remediation programme.

Penalties for security breaches

In a world where attacks on networks and applications are growing in number at an exponential rate, effective pen testing is the only way of establishing true security. Quite rightly, the penalties incurred by organisations failing to defend against such attacks are becoming ever steeper.

As more organisations recognise the importance of compliance with the international information security standard ISO/IEC 27001, more of them are also recognising the need for pen testing to be part of their current — or indeed new — security plan, as well as of longer-term security maintenance.

ISO27001 requires an organisation to develop an information security management system, or ISMS, that takes into account "business and legal or regulatory requirements and contractual security obligations". Pen testing can — and should — be a part of that ISMS.

Compliance requirements also increasingly recognise that penetration testing should form part of ongoing security activity in all organisations. UK Department for Work and Pensions (DWP) contracts, for instance, look for suppliers to achieve ISO27001 certification, as well as to carry out an initial penetration test, and then to maintain an acceptable level of technical information security.

Long-term security testing

The goal, therefore, is for penetration testing to go beyond mere short-term analysis and remediation. Organisations must establish a long-term, comprehensive security testing programme, ensuring their information assets continue to be protected from today's evolving information security threats.

Penetration testing can take numerous forms, including:

  • External testing, to assess the effectiveness of internet-facing security controls.
  • Internal testing, to assess the effectiveness of system-level security controls, including assessing compliance with ISO27001 technical security requirements.
  • Website security testing, to assess the vulnerability of websites — in areas including e-commerce — to attacks and disruption.
  • Annual scanning, for a regular review of the strength of an organisation's IT technical security controls in the light of the latest threats and vulnerabilities. This is a vital process given how rapidly these factors change and develop.

Third-party testers

Given the sensitivities involved in penetration testing, you must exercise caution when selecting your third-party provider. Only use trained, certified and experienced security testers who have been screened through extensive background checks and regular ongoing internal checks. These processes ensure all testing is carried out by ethical and client-focused experts.

First, pen testers need to establish a basic understanding of the organisation's current security standards, as well as the overall business and security objectives. The testing itself should therefore be customised according to individual companies' needs. Ultimately, the goal is to produce results on which a business can build and move forward.

The security testing service should be delivered in line with the best-practice Open Source Security Testing Methodology Manual (OSSTMM) for performing security tests and producing security metrics.

The OSSTMM has been developed and published by the Institute for Security and Open Methodologies (Isecom). Its objective is to achieve accurate reports and metrics by ensuring security testing is carried out through a structured, effective and technically appropriate process.

Cybercriminals are constantly seeking new vulnerabilities. We need to constantly seek new answers. Penetration testing is one of the key weapons in our armoury.

Alan Calder is chief executive of security and compliance organisation IT Governance.
