6 Reasons Businesses and Governments Fail to Run Penetration Testing
Poking and prodding your own network defenses helps reveal security gaps, so you can close them — before cyber threat actors discover and exploit them. This is the primary benefit of penetration testing and why it is a key step that a growing number of companies and government organizations now take to mitigate cyber risk.
This cybersecurity process is so important that the U.S. Congress recently introduced H.R.8403 — the Proactive Cyber Initiatives Act of 2022 — to mandate penetration testing for moderate to high-risk government systems, and to require federal agencies to report on proactive cybersecurity methods.
The end goal of penetration testing (also called "pen" testing) is a more proactive security posture: a "red team" finds the gaps before an attacker does. Before you approach these engagements, though, there are several questions to ask:
- Is an automated test sufficient?
- Should the test extend to mobile and cloud?
- What are the benefits of running a full-blown attacker simulation?
We’ll examine these important considerations in detail during this two-part blog series.
What Kinds of Security Gaps Does Penetration Testing Uncover?
Some gaps uncovered during penetration tests may be both simple and crucial — such as finding software that has been “end-of-lifed” and is no longer supported by the vendor. Working with our clients, we often discover software that is vulnerable to attacks happening in the wild because it is missing the latest security patch or hotfix.
This type of security oversight is regularly uncovered in a pen test, and it represents a critical finding since it presents hackers with a wider range of potential attack vectors. Think of it like this: Your front door might have a deadbolt, but if that deadbolt is rusty or the faceplate is missing, a thief will have a much easier time getting into your home.
Other findings discovered during a penetration test vary in severity. However, each one potentially gives an attacker all they need — which is a single weakness to exploit.
- Does your login page limit the rate of login attempts? If not, attackers can hammer it as many times as they wish until they find the one weakness they need.
- Is WebView debugging enabled? If so, a threat actor could obtain sensitive information or take over an affected user's settings.
- Does logging out of the application invalidate (revoke) the session token on the server? If not, an attacker who holds the token could re-establish the session after the authorized user has logged off and walked away from the computer.
This is not an exhaustive list, but it gives a sense of what penetration testing can uncover in your environment and how it helps you secure your government agency or organization.
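The first and third checks above (login rate limiting, and whether logout actually revokes the session) are easy to reason about when you see the server-side logic side by side with the weak behaviour. The following is an added illustration written for this post, not BlackBerry code or the code of any real framework; the user record, IP address and the `revoke_on_logout` switch are constructed for the demo.

```python
"""Server-side model of two checks a web-app pen test commonly exercises:
1. rate limiting of failed logins per (client, account)
2. logout that actually revokes the session token on the server.
Constructed demo; not tied to any real web framework."""
import hashlib
import secrets
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter: at most `max_attempts` failed logins per
    (client_ip, username) within any `window_seconds` period."""

    def __init__(self, max_attempts=5, window_seconds=300.0):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # (ip, user) -> timestamps

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, client_ip, username, now):
        key = (client_ip, username)
        self._prune(key, now)
        return len(self._failures[key]) < self.max_attempts

    def record_failure(self, client_ip, username, now):
        self._failures[(client_ip, username)].append(now)


class SessionStore:
    """Server-side session table. Only a SHA-256 digest of each token is
    stored, so a leaked table does not hand out usable tokens."""

    def __init__(self, revoke_on_logout=True):
        self.revoke_on_logout = revoke_on_logout
        self._sessions = {}  # token digest -> username

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = username
        return token

    def resolve(self, token):
        return self._sessions.get(self._digest(token))

    def logout(self, token):
        # Weak variant (revoke_on_logout=False): only the browser forgets the
        # cookie; the server-side record survives, so a previously captured
        # token still resolves to the user after "logout".
        if self.revoke_on_logout:
            self._sessions.pop(self._digest(token), None)


CREDENTIALS = {"alice": "correct horse battery staple"}  # constructed demo user


def login(limiter, sessions, client_ip, username, password, now):
    """Return (status, token). The limiter is consulted before the password is
    checked, so a locked-out client learns nothing about credential validity."""
    if not limiter.allow(client_ip, username, now):
        return "rate_limited", None
    if secrets.compare_digest(CREDENTIALS.get(username, ""), password):
        return "ok", sessions.create(username)
    limiter.record_failure(client_ip, username, now)
    return "denied", None


def demo_rate_limit():
    """Five bad passwords in a row, then one more after the window expires."""
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60)
    sessions = SessionStore()
    results = []
    for i in range(5):
        status, _ = login(limiter, sessions, "203.0.113.7", "alice", "wrong", now=float(i))
        results.append(status)
    status, _ = login(limiter, sessions, "203.0.113.7", "alice", "wrong", now=120.0)
    results.append(status)
    return results


def demo_logout(revoke):
    """Who does the token still resolve to after logout? None if revoked."""
    sessions = SessionStore(revoke_on_logout=revoke)
    token = sessions.create("alice")
    sessions.logout(token)
    return sessions.resolve(token)


if __name__ == "__main__":
    print(demo_rate_limit())
    print("revoking logout  ->", demo_logout(True))
    print("cookie-only logout ->", demo_logout(False))
```

The two behaviours a tester would look for map directly onto `demo_rate_limit()` (after three failures the fourth and fifth attempts are refused without the password even being checked, and the client is admitted again only once the window has passed) and `demo_logout()` (with revocation the old token resolves to nobody; without it the token keeps working). In a real deployment the limiter's state would live in a shared store rather than process memory, and the window and attempt count would be tuned per application.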
How Penetration Testing Reduces Cyber Risk
Proactive penetration testing provides the strongest approach to maintaining a secure environment. It can start at the software layer (say, an AI-driven capability that catches malicious files before they execute), but it should also include the right people and processes: who runs the tests, and who is best placed to remediate the gaps they find in the security posture.
Regular testing will allow your organization to stay ahead of threats. It’s almost guaranteed that once you correct the gaps from one cycle of penetration testing, you’ll find other — and often different — vulnerabilities. The more you test, the more opportunity you’ll have to find and fix those gaps that will otherwise haunt you, should an attacker find them before you do.
Many organizations find that penetration testing is a great place to start and, as the tests become an integrated part of their security program, they often advance to breach simulations. While penetration tests find gaps in the “walls” of your environment, breach simulations go deeper to identify paths that a hacker might use once inside your defenses, to ultimately get to corporate or government agency data. After all, threat actors really want the same thing you do: your data.
Failure to properly pen test your environment leaves you more vulnerable than you need to be, and it can also impact your insurability and cyber insurance coverage. BlackBerry research recently discovered that more than one-third of organizations are denied cyber insurance because they lack security controls that insurers require, like endpoint detection and response (EDR). While EDR solutions such as CylanceOPTICS® from BlackBerry can be critical in the event of an attack, and endpoint protection platform (EPP) products such as CylancePROTECT® can do a great deal to prevent attacks from occurring in the first place, they are not substitutes for a rigorous pen testing program.
Because of mounting ransomware coverage losses, cyber insurance companies are taking a more stringent look at payouts, and adding exclusions to their policies. Some of these exclusions are based on who the threat actor is, and on the actions a company has taken to prepare itself to defend, identify, and contain cyberattacks. Penetration testing, breach simulation, “purple team” testing, tabletop exercises, and periodic assessments of a company’s security program, represent a few of the ways that companies can ensure they get the highest insurance payout if they are attacked, and at the same time, minimize their chances of being attacked successfully in the first place.
Six Reasons Organizations Fail to Run Penetration Testing
Organizations face many challenges that sometimes make penetration testing difficult to execute. Here are six common ones:
- Lack of resources — This is a phenomenon that affects all facets of IT and cybersecurity. In-house staff has a lot on its plate and may not have the bandwidth, or breadth of experience necessary, to execute pen tests. Leveraging strong industry partners is key to overcoming this challenge.
- Can’t define the scope — As noted previously, there are many variations on penetration testing, and it’s important to have an overall strategy and tactical plan for how to test and assess practices, so that the task does not become overwhelming. “Eating the elephant one bite at a time” may be slow, but it is a time-tested strategy for achieving success.
- Fear of slowing down software development cycles — We often find issues with the versions of code that are used in applications, or how an application treats a “closed” session. Testing as you build, at appropriate development points, can greatly reduce the gaps that might be placed, unknowingly, into your environment. As they say, “An ounce of prevention is worth a pound of cure,” and a similar approach can be applied here.
- Concern it’s a waste of time — With so many threat actors and vulnerabilities it sometimes feels like we can’t keep up or change things. Threat actors will always target data, in order to exploit an organization’s intellectual property or other valuable digital assets. Proactively closing as many gaps as possible reduces the risk of a successful attack. Leveraging a trusted partner that “lives and breathes” threats and the prevention of threats can greatly ease the load on an organization’s resources, and help you benefit from the most up-to-date threat intelligence and defensive techniques.
- Overconfidence — “We’re in the cloud, so we’re safe.” Hmm, you might want to think this through. Cloud providers and solutions are just as susceptible to breaches as on-prem environments. A cloud provider will do their best, and may have greater resources at their disposal than you do, but YOU are ultimately responsible for the security of your data. That’s why you keep backups or replicate your data. And that is also why, depending on your cloud provider and contract, you should still conduct your own penetration testing.
- Regulation confusion — “There are so many regulations!” They certainly are numerous. From White House memoranda to CISA policies, to NIST, to state and local requirements, there is no shortage of regulations to observe — including requirements to conduct penetration tests, and guidelines for how those tests are to be conducted. An organization needs to interpret those policies and guidelines and integrate them into its security program. Industry partners should be able to help you understand and apply the requirements and best practices that govern penetration testing.
In summary, penetration testing greatly improves your security posture by revealing security gaps you can close — before attackers find and exploit them. It is one of the best ways to mitigate the risk of a successful cyberattack against your organization.
In Part 2 of our series, we’ll look at how to approach your red team efforts. This includes looking at what you should test, and how you should test, including understanding the differences between automated pen-testing and human-driven tests.