May 10, 2020
To Test or Not to Test—That is the Question

Advanced testing services (ATS) can mean a lot of things to a lot of people, but essentially, ATS helps companies identify sophisticated, advanced threats against their environments so they can see vulnerabilities before a compromising cyber event can occur. ATS often involves penetration testing, which is essentially testing that simulates—in a very real way—the effect that a cyberthreat can have on a company’s environment.

Application testing is also an important part of advanced testing services. According to a recent Gartner report, mobile apps are projected to have the most impact on business success.[1] Not only are companies relying on traditional applications to drive digital transformation, but they are also introducing newer multi-experience platforms such as immersive devices, augmented reality and wearables to grow business.[1] All of these new technologies create attack points where bad actors can potentially break in, steal data and wreak havoc on reputations and brands.

Key drivers—diligence and compliance

There are many reasons why you may be considering advanced testing for your organization. Two drivers that rise to the top are due diligence and compliance. As a conscientious CISO, CIO or security professional, you would do anything to keep your company from ending up on the front page of the Wall Street Journal due to a cyberattack. Since attacks and breaches have evolved over the years, becoming more sophisticated and impactful, it’s more important than ever to look proactively at your areas of vulnerability that, if breached, could negatively influence the company’s viability and sustainability. Today’s news is filled with plenty of stories about cities, governments, municipalities and large organizations that have been compromised. ATS exercises are valuable ways to find advanced threats before bad actors have a chance to attack.

The second driver for advanced testing is compliance. Today, there are many different compliance mandates, including Payment Card Industry (PCI) compliance, the General Data Protection Regulation (GDPR) for businesses operating in the EU, the financial industry’s GLBA, and HIPAA in healthcare. All of these compliance and regulatory requirements demand some form of penetration testing.

In general, compliance requires a full-company effort, from management down. Not only do leaders need to decide on, support and enforce regulations, but they also need to understand the cybersecurity risks, remain involved in security decisions and designate adequate budget to acquire the tools and talent needed to safeguard the enterprise.

Penetration testing can be a helpful way to adhere to the regulations within your industry and ensure that your company is compliant. Testing can be conducted by your internal teams to assess how resilient your systems and people are in the face of an attack. You can also outsource penetration testing to third-party professional hackers who will invade your company systems like actual bad actors. Results from these tests can generate the hard data needed to prove to management that intrusions are possible and additional spending is necessary in order to prevent them.

Key components of penetration testing

There are generally three parts to penetration testing: external, social engineering and internal.

First, you want to conduct an external penetration test. This involves looking at what an attacker might see and experience simply from viewing your company on the internet. You, as an organization, have certain systems that are publicly exposed through the internet, and a malicious adversary can easily attack those systems in an effort to steal data or get deeper inside your organization.

Next is social engineering: evaluating the security awareness of your employees as it pertains to phishing attacks. Additionally, you will want to look at the controls you have in place that could minimize risk or disrupt any possible phishing activities.

Finally, it is important to conduct internal penetration testing. This is where you go inside your own environment, or hire professional consultants to do so, and emulate potentially risky scenarios: determine what a disgruntled employee might do if challenged, or test what would happen if one of your employees accidentally clicked on a virus-infected email.

Once a malicious adversary has successfully exploited a vulnerability, you can assume they aren’t going to stop at one employee’s computer. Lateral movement is the process an attacker will take to move to different systems in your environment. By pivoting to other systems and servers, the attacker will work to escalate their privileges and gain a stronger foothold in the environment.

Penetration testers typically try to gain access to the highest-level privilege in a domain or Windows environment. Why? This is exactly what a real-life hacker would do. Once they obtain domain administrator rights, they have the ability to go wherever they want within the environment. Bad actors won’t stop there. Since their goal is to monetize the data they mine, they will continue to dig deep into your ERP systems, financial accounts and/or HR records. Savvy penetration testers will strive to achieve similar access. Once a foothold is established, they will move in and control entire bank accounts, which also contain private employee and client information.

Ransomware, deepfake and AI—why they matter

Ransomware is one area where penetration testing is only partially effective. A ransomware attack can put entire companies out of business; even large enterprises with hundreds of employees have gone under as a result of a ransomware attack.

Penetration testing can evaluate some of the risks associated with ransomware, but it won’t address them all. A penetration test identifies your vulnerability exposure and security awareness; however, it won’t evaluate the programmatic side of things: backups, disaster recovery and segmentation are all major variables to weigh against your ransomware risk.

When it comes to ransomware, cities, municipalities, schools and government agencies are particularly vulnerable because, penetration testing or not, ransomware is not 100% preventable. However, with best practices, best-in-class tools and proper employee education, experienced penetration testers can minimize risk and reduce the impact of ransomware.

Another emerging cyber fear is deepfake ransomware. This kind of attack simulates a person’s voice, image and likeness, and can be used against political targets and public personalities for extortion. Politically motivated attacks have increased in sophistication over the years, and are used to influence political variables and target government subsidiaries. It’s important to remember: if you’re working with a high-value target, you are a high-value target, because bad actors will attack you to get to the ultimate prize.

AI technology is also a deepfake cyber game changer. Today, malicious actors can digitize, adapt, modify, edit or change anything you say or do. In a recent attack, cyber criminals used the combination of AI and voice technology to impersonate a UK business owner. This attack resulted in the fraudulent transfer of more than $200,000.[2]

Four best practice recommendations for optimal outcomes

The ability to detect threats in advance is absolutely essential in today’s volatile cybersecurity environment. These tips will help you determine what advanced testing is right for your organization.

  1. Understand your business drivers

Before you embark on any type of advanced testing, it’s important to understand the business drivers that extend beyond cybersecurity. Ask questions such as:

  • What is our business strategy?
  • How can I protect the corporate brand?
  • What regulations do we need to align to in order to maintain compliance?

Once you have a big-picture view, you will want to map toward your drivers. Determine what projects and initiatives you need to meet your strategy. Identify why it’s important to take certain actions that support protecting your brand. Often, within an organization, if you are doing a good job with cybersecurity, company stakeholders are not aware there is a need to ramp up efforts. Executives think, “If we’re not having a security incident, why is it costing so much?” If you can recognize this mindset, you can work to change it by developing more of a business value model that aligns to your company’s desired outcomes.

  2. Define your scope

It’s important to understand the full scope of what you need to achieve. For instance, if you belong to a global organization, you can conduct a global penetration test, but it is more likely you will need regional focus, either because of culture differences, local regulatory requirements, or business unit segregation. All of this factors into determining what type of advanced testing you need. Once you know your scope, you can align to your testing requirements.

  3. Substantiate the skillsets and capabilities of your testing team

When looking to run web application testing, one thing is clear: commercial scanning tools are not capable of identifying critical threats. A human being with significant development experience is an absolute necessity if you want to find the most severe vulnerabilities and exploits.

CBI has been facilitating web application security testing for over a decade. We have a dedicated web application testing team made up of former developers with years of experience, combined with world-class certifications like the OSWE. With the completion of over 800 web application tests for companies both large and small, CBI provides a cost-effective as-a-service model that allows organizations to efficiently assess multiple applications on a more frequent basis.

  4. Test as Needed

To support the “Test as Needed” approach, consider that some organizations may require more frequent testing than others. As an example, a financial organization may need more frequent testing than a small manufacturing company. Various industry drivers dictate how often testing should be conducted, so don’t limit yourself to annual testing if the organization requires more. At a minimum, though, annual testing should be conducted. Most organizations exercise penetration testing at least annually. Why? New attack vectors can be leveraged, tweaked and tuned continually. Annual testing ensures your business drivers and compliance mandates weave into, and align with, your framework.

One of the best ways to protect your company’s viability and stay out of the front-page news is to go beyond conventional exploitation tactics and conduct engagement-specific attack scenarios to evaluate the effectiveness of your security controls in the real world.


References:

  1. https://www.gartner.com/en/newsroom/press-releases/2019-04-04-gartner-says-the-future-of-app-development-is-multiex
  2. https://www.itpro.co.uk/social-engineering/34308/fraudsters-use-ai-voice-manipulation-to-steal-200000
About the Author
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at Converge. Shaun brings over 20 years of experience in the information security field with a core focus on providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.