How Penetration Testing Improves Security – Part 2
If you could stop cyber threat actors before they exploit security vulnerabilities in your environment, would you? Of course. However, you must learn where the gaps are before you can close them.
In Part 1 of this series, we looked at the value of penetration testing, the types of things it often uncovers, and obstacles governments and companies face when deciding how to approach pen testing.
Now, in Part 2, we’ll examine best practices for effective testing, look at automated vs. human-driven tests, and discuss penetration testing services.
5 Best Practices for Penetration Testing
How do you optimize penetration testing capabilities? Here are five things I recommend:
1. Have a plan. It is crucial to define the scope, goals, and limitations (the rules of engagement) of your penetration testing before anyone touches a system. Do not try to “boil the ocean” in a single pen test. Your plan should also set the frequency of testing: it is good practice to test systems at least once per year, and again whenever significant technology is introduced or updated. Your environment will change over time, so periodic checks help ensure those changes don’t open another “hole in the wall.”
2. Test all parts of your environment. There are many “flavors” of penetration tests, ranging from internal and external network tests to web application, mobile app, gateway, and firewall assessments. Cover them all over time, prioritizing each by how tightly it is integrated with your infrastructure and by the potential impact to the business if it were compromised.
3. Maximize penetration testing results. After the test, ensure you understand the findings, and take the appropriate action to remediate whatever you discover. All too often, the report is treated as another document that sits on a shelf, providing no value to the organization.
In fact, I was on a call recently where we discussed not only the current findings, but also looked back to previous findings. These previous findings were not addressed so, guess what? The same gaps were found in the new tests!
On the flip side, ensure your team is praised when minimal or no gaps are found. In cybersecurity, we often focus only on the “bad.” I met with a customer a short while ago and they were surprised to learn that a test we did for them revealed no gaps. They were pleasantly surprised, especially since their management was on the call, as well. Remember, a pen test is not a failure if it doesn’t find issues, provided the scope was realistic and the testers were skilled. It means the organization’s team is doing a fantastic job keeping up with good security practices, and they should be recognized for that.
4. Bring in professional pen testers from the outside. Hire skilled testers from a reputable firm, and rotate between different penetration testing companies every so often. Government agencies often rely on system integrators, or a cloud provider, to “manage” the agency’s environment. These companies, however good they may be, have a vested interest in making themselves look good. Hiring a different company to “peek under the covers” brings a fresh perspective and an independent check that you are truly protected. When it comes to the security of your systems and data, an independent tester is a tried-and-true method.
5. Couple penetration tests with other, more exhaustive, cybersecurity services. A penetration test will find the holes in your security perimeter, but other efforts, such as breach simulation or purple team testing, go deeper and wider: they find not only the holes but also the pathways an attacker would follow from those holes to an organization’s valuable information. This typically includes data that is financial, relates to personnel, is proprietary, or is classified.
Consider compromise assessments, which can rapidly determine whether an organization is currently compromised or uncover signs of past compromise or security incidents. This helps organizations identify environmental risks, current or previous security incidents, and potential threat actor activity. It is a system-by-system analysis that combs through the environment and X-rays each host for evidence of compromise.
One other undertaking is worth considering: a dark web search service. This can include point-in-time deep-dive hunting and analysis into historical and current intelligence found on the deep and dark web, and/or continuously monitoring platforms for real-time posts to the dark web.
Penetration Testing for Government Agencies
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) continuously adds entries to its Known Exploited Vulnerabilities (KEV) catalog, a list of CVEs with evidence of active exploitation, to assist both private and public sector organizations with their cybersecurity efforts and programs. Federal civilian agencies are directed (under Binding Operational Directive 22-01) to remediate each KEV entry by the due date CISA assigns. The list is a fantastic resource, but defending against the threats it tracks remains the responsibility of each individual agency. Many are hampered by limited resources and a widening cyber-skills gap, leaving critical public-sector data and assets vulnerable to attack.
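The KEV catalog is only useful once it is matched against what you actually run. The following is an added example (not code from the original post or from BlackBerry) showing how a team might triage its own asset inventory against a KEV-style catalog: parse the catalog, match entries to inventory by vendor and product name, and rank the exposures by whether the CISA due date has passed and whether the entry is flagged for ransomware use. The catalog excerpt and the inventory are constructed sample data with placeholder CVE IDs; the field names follow the schema of the public KEV JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), which the code does not fetch.

```python
"""Triage a software inventory against a CISA KEV-style catalog.

Added example, not from the original post. SAMPLE_KEV_JSON and
SAMPLE_INVENTORY are constructed data; the CVE IDs are placeholders.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the KEV feed (same field names as the
# real feed; content is placeholder data for this example only).
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV excerpt for example use",
  "catalogVersion": "example",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "Gateway Appliance", "vulnerabilityName": "Placeholder entry 1",
     "dateAdded": "2024-01-10", "shortDescription": "Constructed placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "Gateway Appliance", "vulnerabilityName": "Placeholder entry 2",
     "dateAdded": "2025-06-09", "shortDescription": "Constructed placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-06-30", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
     "product": "NAS Firmware", "vulnerabilityName": "Placeholder entry 3",
     "dateAdded": "2024-02-23", "shortDescription": "Constructed placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}
"""

# Constructed asset inventory: what the organization believes it runs.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "ExampleVendor", "product": "Gateway Appliance"},
    {"host": "web-01", "vendor": "ExampleVendor", "product": "Web Server"},
    {"host": "file-02", "vendor": "OtherVendor", "product": "NAS Firmware"},
]


@dataclass(frozen=True)
class Exposure:
    host: str
    cve_id: str
    due_date: date
    overdue: bool          # CISA due date already passed as of the triage date
    ransomware_use: bool   # entry flagged "Known" for ransomware campaign use


def load_kev(text: str) -> list:
    """Parse KEV-shaped JSON and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _norm(name: str) -> str:
    # Case- and whitespace-insensitive comparison of vendor/product names.
    return " ".join(name.lower().split())


def match_inventory(kev_entries: list, inventory: list, today: date) -> list:
    """Return exposures, most urgent first: overdue, then ransomware-linked,
    then earliest due date. Matching is by vendor and product name only; the
    KEV feed carries no version data, so a match is a triage signal that the
    host needs patch verification or testing, not a confirmed vulnerability."""
    exposures = []
    for asset in inventory:
        for entry in kev_entries:
            if (_norm(entry["vendorProject"]) == _norm(asset["vendor"])
                    and _norm(entry["product"]) == _norm(asset["product"])):
                due = date.fromisoformat(entry["dueDate"])
                exposures.append(Exposure(
                    host=asset["host"],
                    cve_id=entry["cveID"],
                    due_date=due,
                    overdue=due < today,
                    ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known",
                ))
    return sorted(exposures, key=lambda e: (not e.overdue, not e.ransomware_use, e.due_date))


def run_example(today_iso: str = "2024-12-01") -> list:
    """Triage the constructed inventory against the constructed catalog."""
    return match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY,
                           date.fromisoformat(today_iso))


if __name__ == "__main__":
    for e in run_example():
        flag = "OVERDUE" if e.overdue else "due " + e.due_date.isoformat()
        print(f"{e.host:10} {e.cve_id}  {flag}{'  ransomware' if e.ransomware_use else ''}")
```

Hosts that match an overdue entry are natural candidates for the next pen test's scope: the test confirms whether the patch or mitigation actually landed, which a name match alone cannot.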
Why Choose BlackBerry?
BlackBerry has spent decades protecting many of the most critical systems, networks, and applications in the world — including those belonging to numerous governments across the globe. The BlackBerry penetration testing team can do everything from regulatory penetration testing to custom-tailored adversary simulation. BlackBerry® Security Services are scalable, working with organizations ranging in size from 50 to more than 400,000 endpoints. These services can follow automated or manual approaches, depending on the needs of the client organization, focusing on identifying true risks.
Having worked with government clients at the highest levels, BlackBerry experts understand additional needs based on regulations or tight deadlines. The BlackBerry Security Services team will dedicate both an engagement manager and a technical lead to each project, building-in multiple levels of oversight and providing multiple escalation paths so clients get clarification at every level of the organization.
This dedication earned BlackBerry first place in the 2021 SOC X World Championship, an annual competition at which 50 global SOC (security operations center) and incident response (IR) teams compete to pit their capabilities against real attacks. The BlackBerry team also won first and third place in the 2021 OpenSOC Network Defense Range (NDR) at DEF CON 29.
When employing BlackBerry Security Services, networks are assessed across the full spectrum of cybersecurity challenges to identify vulnerabilities introduced by missing patches, misconfigurations, remote access weaknesses, and other problems. Clients receive a detailed list of recommendations, each with a risk ranking. Most recommendations are product-agnostic and vendor-independent, designed to fix the identified problems as efficiently as possible. BlackBerry experts can then assist with implementing the changes, to build a strong and effective security posture with prevention-first methodologies.
As a trusted partner to organizations and agencies around the world, BlackBerry offers a portfolio of products and services designed to offer our customers peace-of-mind as we prevent cyber events, report on detections and intrusions, and respond to inevitable breaches in your environment.
I hope this blog series helps you understand how to approach penetration testing. I’ve seen firsthand that the benefits of a regular pen testing program can make a significant difference.