When your pen test really isn’t a pen test

Sponsored By: Optiv

By Cheryl McGrath
Vice President and Country General Manager – Canada
Optiv Security

Sometimes words are used in such a broad context that they lose their original meaning. For example, “luxury” used to mean “Really expensive and nice.” But today you can buy “luxury” brands in clothing, cars and everything else for just a few dollars more than non-luxury brands. And to get those price points down, luxury brands often cut corners that make the quality of their products no better (or maybe even worse) than the non-luxury brands. “Luxury” is no longer about, well, luxury. It’s about the perception of luxury.

A word in cybersecurity has suffered the same fate … well, actually, it’s two words: penetration test (or for those of us in the business, “pen test”). The original point of pen tests, as the name would imply, is to have friendly (also called white hat )hackers attempt to penetrate your cyber defenses so you can understand where your vulnerabilities lie and take corrective action. Today, however, pen tests are often used (or misused) in a variety of ways. Sometimes they are used only to test network defenses, even though application vulnerabilities are a major source of risk and breaches. Other times, they are limited in their attack vectors, and will omit basic approaches like social engineering, which is a grave oversight, considering that phishing attacks remain the most common root cause of data compromise, according to Optiv’s 2018 Cyber Threat Intelligence Estimate. In the worst examples of pen test misuse, they can be rigged to validate the effectiveness of specific security programs.

While most pen test services on the market today look similar at face value, the methodologies and execution vary widely. This is made more complex when you overlay the wide variety of frameworks, standards, controls, and threat models that may have conflicting objectives as well. For example, the Payment Card Industry Data Security Standard (PCI DSS) includes guidelines on conducting pen tests, but those guidelines tend to be open to interpretation and they are limited in scope. Pen tests should be used to understand security vulnerabilities across the enterprise, not just to comply with PCI DSS.

Skills shortage causes shortcuts

There is a well-publicized skills shortage in the cybersecurity industry. Because of this, many services firms rely on a “vulnerability scan and validate” methodology, in which network and application vulnerability scanners are used to identify exploitable entry points. Consultants then run canned exploit scripts against the vulnerabilities identified in the scan, and if the scripts work, they declare victory and move on. If the scripts don’t work, they assume a false positive from the scanner.

Unfortunately, this approach does not take into account a variety of factors, such as the version of the software being attacked, so a hacker with an exploit tuned to the software version may be successful where the pen testers were not. Suddenly that false positive is actually a hidden vulnerability.

Even in cases where vulnerabilities are verified by the pen testers, they often lack the skills necessary to understand the severity of the vulnerability and will communicate a falsely elevated system-outage risk associated with extending the test to the post-exploitation phase. This typically causes the client to wrap up the test, rather than risk a system outage due to the pen tester’s exploitation activities. As a result, the client effectively receives glorified scanner results as the deliverable from the pen test, with no understanding of post-exploit vulnerabilities, which are critical in this day and age where the typical hacker strategy is to gain entry into a network, and then move laterally and vertically through networks in search of their target data.

Prodigious skills can lead to trouble

Ironically, highly skilled pen testers can also pose issues for clients, because they want to prove their expertise by showing they can hack into any system, at any time. They often have the minds of talented artists – and like talented artists, their work is not easily repeated. The fact that they could hack into a system does not mean that real-world adversaries would be able to do the same.

This caliber of pen tester often focuses on obscure attacks that will penetrate systems, at the expense of focusing on the identification of simpler issues, such as whether or not the manufacturer’s default credentials are in effect (if they are, gaining access to systems becomes trivial for hackers). The pen tester’s focus on artistic brilliance, in this case, winds up preventing the client from understanding their real-world risks and vulnerabilities.

Pen tests that work

When engaging an organization to perform pen tests, it is important to keep the focus on real-world scenarios. This means understanding your business and your risk profile, so you can identify those systems and network segments that hackers are most likely to attack. Some key considerations for a good pen test include the following:

  1. Understand the Methodology. Having a firm methodology in place can protect against both over-skilled and under-skilled pen testers. If they follow a valid methodology, then the results will be consistent and meaningful, regardless of skill level.
  2. Understand your Risk Profile. If you understand your business, and where your most valuable assets, also called your companies crown jewel data , are located, then it is possible to “put yourself in the shoes of your enemy” and understand how you are most likely to be attacked.
  3. Understand Your Enemy. Today’s cyber criminals are adept at moving laterally and vertically across networks in search of their pot of gold: your data. Most pen testers stop at initial system compromise or administrator access and do not explore post-exploitation vulnerabilities, which is what leads to data breaches. Closing the initial point of entry does not mitigate the risk of post-exploitation activities; therefore, pen tests should include a thorough evaluation of post-exploitation vulnerabilities.
  4. Understand Your Environment. Virtually all enterprise computing environments are in a state of constant change, with new updates, applications and systems coming online every day. Because of this, pen test results have a limited shelf life, since innumerable new vulnerabilities will undoubtedly be introduced by this constant state of change. This means pen tests cannot be a “one and done” exercise. Rather, they should be a continuous, so security pros can understand and mitigate new vulnerabilities as they arise.

Paying for the perception of luxury is a harmless indulgence. Paying for the perception of a pen test, however, can put your company in the headlines—and not in the way you want. Following these four sensible steps will help to ensure that your pen test really is a pen test.


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Sponsored By: Optiv