Advanced testing services (ATS) can mean a lot of things to a lot of people, but essentially, ATS helps companies identify sophisticated, advanced threats against their environments so they can see vulnerabilities before a compromising cyber event can occur. ATS often involves penetration testing, which is essentially testing that simulates—in a very real way—the effect that a cyberthreat can have on a company’s environment.
Application testing is also an important part of advanced testing services. According to a recent Gartner report, mobile apps are projected to have the most impact on business success.1 Not only are companies relying on traditional applications to drive digital transformation, but they are also introducing newer multiexperience platforms such as immersive devices, augmented reality and wearables to grow business.1 All of these new technologies create attack points where bad actors can potentially break in, steal data and wreak havoc on reputations and brands.
Key drivers—diligence and compliance
There are many reasons why you may be considering advanced testing for your organization. Two drivers that rise to the top are due diligence and compliance. As a conscientious CISO, CIO or security professional, you would do anything to keep your company from ending up on the front page of the Wall Street Journal due to a cyberattack. Since attacks and breaches have evolved over the years, becoming more sophisticated and impactful, it’s more important than ever to look proactively at your areas of vulnerability that, if breached, could negatively influence the company’s viability and sustainability. Today’s news is filled with plenty of stories about cities, governments, municipalities and large organizations that have been compromised. ATS exercises are valuable ways to find advanced threats before bad actors have a chance to attack.
The second driver for advanced testing is compliance. Today there are many different compliance mandates, including the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) for business in the EU, the financial industry's Gramm-Leach-Bliley Act (GLBA), and HIPAA in healthcare. Not all of them say "penetration test" in so many words: PCI DSS (Requirement 11) and the FTC Safeguards Rule under GLBA require penetration testing explicitly, while GDPR (Article 32) and the HIPAA Security Rule require regular testing and evaluation of the effectiveness of your security controls, and a penetration test is the usual way to produce that evidence.
In general, compliance requires a full-company effort, from management down. Not only do leaders need to decide on, support and enforce regulations, but they also need to understand the cybersecurity risks, remain involved in security decisions and designate adequate budget to acquire the tools and talent needed to safeguard the enterprise.
Penetration testing can be a helpful way to adhere to the regulations within your industry and to show that your company is compliant. Testing can be conducted by your internal teams to assess how resilient your systems and people are in the face of an attack. You can also outsource penetration testing to third-party professionals who will attack your company's systems the way actual bad actors would. Results from these tests provide the hard data needed to prove to management that intrusions are possible and that additional spending is necessary to prevent them.
Key components of penetration testing
There are generally three parts to penetration testing: external, social engineering and internal.
First, you want to conduct an external penetration test. This involves looking at what an attacker might see and experience simply from viewing your company on the internet. You, as an organization, have certain systems that are publicly exposed through the internet, and a malicious adversary can easily attack those systems in an effort to steal data or get deeper inside your organization.
Next, social engineering evaluates the security awareness of your employees, most commonly through simulated phishing (though it can extend to phone pretexting and physical entry). Additionally, you will want to look at the controls you have in place that could minimize risk or disrupt a phishing campaign, such as email authentication on your domains, attachment and link filtering, and multifactor authentication on the accounts a stolen password would unlock.
Finally, it is important to conduct internal penetration testing. This is where you, or the professional consultants you hire, start from inside your own environment and emulate risky scenarios: what a disgruntled employee with ordinary access could reach, or what would happen if one of your employees opened a malicious attachment or link in an email.
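A concrete instance of the "controls that could disrupt phishing" check from the social-engineering step, as an added example that is not part of the original article: a Python script that rates how much a domain's SPF and DMARC records would stop mail that spoofs the domain. The domain names and TXT records are constructed for illustration (a real check would fetch them from DNS), so it runs offline.

```python
"""Rate how much a domain's SPF and DMARC records would block phishing mail
that spoofs the domain.  Added example, not from the original article; the
records below are constructed and nothing is fetched from DNS."""
import re

# Constructed sample records: what TXT lookups for <domain> and
# _dmarc.<domain> might return.  The domain names are hypothetical.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "none.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Split a DMARC record into its tags ({'p': 'reject', ...}); {} if absent or not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'); None if no SPF or no 'all'."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"   # a bare 'all' means +all


def assess(spf, dmarc):
    """Return (rating, findings) for one domain.

    rating is 'strong', 'moderate' or 'weak'; findings lists the reasons it is not strong."""
    findings = []

    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("no SPF record or no 'all' mechanism: any host may send as this domain")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF '{qualifier}all' authorizes or ignores unknown senders")
    elif qualifier == "~":
        findings.append("SPF '~all' is softfail: receivers rarely reject on it alone")

    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "").lower()
    if not tags:
        findings.append("no DMARC record: spoofed mail is accepted and nobody is reporting it")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail still reaches inboxes")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine sends spoofed mail to spam rather than rejecting it")
    if tags and tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']} applies the policy to only part of the mail")
    if tags and "rua" not in tags:
        findings.append("no rua address: you will not see who is spoofing the domain")

    # DMARC is the deciding control: it is what ties SPF/DKIM results to the visible From header.
    if policy == "reject" and qualifier == "-" and not findings:
        rating = "strong"
    elif policy in ("reject", "quarantine") and qualifier in ("-", "~"):
        rating = "moderate"
    else:
        rating = "weak"
    return rating, findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Convenience wrapper over the constructed record table."""
    entry = records[domain]
    return assess(entry["spf"], entry["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        rating, findings = assess_domain(domain)
        print(f"{domain}: {rating}")
        for finding in findings:
            print(f"  - {finding}")
```

SPF on its own only constrains the envelope sender, so a domain with `-all` but a `p=none` DMARC policy still has its visible From address spoofable; that is why the script lets the DMARC policy decide the rating and treats SPF strictness as a secondary factor.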
Once a malicious adversary has successfully exploited a vulnerability, you can assume they aren’t going to stop at one employee’s computer. Lateral movement is the process an attacker will take to move to different systems in your environment. By pivoting to other systems and servers, the attacker will work to escalate their privileges and gain a stronger foothold in the environment.
Penetration testers typically try to gain the highest level of privilege in a domain or Windows environment, because that is exactly what a real attacker would do. Once they obtain domain administrator rights, they can go wherever they want within the environment. Bad actors won't stop there: since their goal is to monetize the data they mine, they will keep digging into your ERP systems, financial accounts and HR records. Savvy penetration testers strive for the same, demonstrating that from that foothold they could take control of entire bank accounts, along with the private employee and client information held with them, rather than stopping once domain admin is achieved.
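The lateral-movement phase described above is also the one a defender most wants to see in their logs, and a test is more valuable when it reports whether the movement was noticed. As an added example (not part of the original article), the following Python script applies two simple detections to Windows Security logon events (event ID 4624; logon type 3 for network and 10 for RDP): an account fanning out to many distinct hosts in a short window, and remote logons from one workstation straight to another. The events, the `WS-` host-naming convention, the window and the threshold are constructed assumptions; a real deployment would read the events from a SIEM or the event log.

```python
"""Flag lateral-movement patterns in Windows logon events.  Added example,
not from the original article; the events, host-naming convention and
thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log events, reduced to the fields the rules need:
# (timestamp, account, source host, target host, logon type).
# Logon type 3 = network (SMB/WMI/PsExec-style), 10 = RemoteInteractive (RDP),
# 2 = interactive at the console.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "WS-ALICE", "FILESRV01", 3),
    ("2024-03-01T09:05:00", "alice", "WS-ALICE", "FILESRV01", 3),
    ("2024-03-01T13:02:10", "svc_backup", "WS-BOB", "WS-CAROL", 3),
    ("2024-03-01T13:02:41", "svc_backup", "WS-BOB", "WS-DAVE", 3),
    ("2024-03-01T13:03:15", "svc_backup", "WS-BOB", "FILESRV01", 3),
    ("2024-03-01T13:03:50", "svc_backup", "WS-BOB", "SQL01", 3),
    ("2024-03-01T13:05:02", "svc_backup", "WS-BOB", "DC01", 10),
    ("2024-03-01T15:00:00", "bob", "WS-BOB", "WS-BOB", 2),
]

WINDOW = timedelta(minutes=10)   # assumed: how fast a tester or attacker sweeps hosts
FANOUT_THRESHOLD = 4             # assumed: distinct targets per account inside one window
REMOTE_LOGON_TYPES = (3, 10)


def parse(events):
    """Convert timestamps and sort by time so the sliding window below is valid."""
    return sorted(
        ((datetime.fromisoformat(ts), acct, src, dst, lt) for ts, acct, src, dst, lt in events),
        key=lambda e: e[0],
    )


def fanout_alerts(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Accounts that reach >= threshold distinct hosts over the network within one window.

    Returns {account: sorted hosts touched in the first window that trips the rule}."""
    by_account = defaultdict(list)
    for ts, acct, src, dst, lt in parse(events):
        if lt in REMOTE_LOGON_TYPES and src != dst:
            by_account[acct].append((ts, dst))
    alerts = {}
    for acct, logons in by_account.items():
        for i, (start, _) in enumerate(logons):
            targets = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[acct] = sorted(targets)
                break
    return alerts


def is_workstation(host):
    """Assumed naming convention: workstations are named WS-<user>."""
    return host.upper().startswith("WS-")


def peer_logon_alerts(events):
    """Remote logons from one workstation straight to another.

    Ordinary users talk to servers, not to each other's machines, so this is a
    cheap, high-signal indicator of pivoting."""
    return [
        (acct, src, dst)
        for _, acct, src, dst, lt in parse(events)
        if lt in REMOTE_LOGON_TYPES and src != dst and is_workstation(src) and is_workstation(dst)
    ]


if __name__ == "__main__":
    for acct, hosts in fanout_alerts(SAMPLE_EVENTS).items():
        print(f"fan-out: {acct} reached {len(hosts)} hosts within {WINDOW}: {', '.join(hosts)}")
    for acct, src, dst in peer_logon_alerts(SAMPLE_EVENTS):
        print(f"peer logon: {acct} from {src} to {dst}")
```

In the constructed data the service account sweeps two workstations, a file server, a database server and finally RDPs to a domain controller within three minutes, which trips both rules, while the ordinary user who only touches the file server does not. Real tuning is about the thresholds: backup and monitoring accounts legitimately fan out, so they are excluded by allow-list rather than by raising the threshold for everyone.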
Ransomware, deepfake and AI—why they matter
Ransomware is one area where penetration testing is only partially effective. A ransomware attack can put an entire company out of business; even large enterprises with hundreds of employees have gone under as a result of one.
Penetration testing can evaluate some of the risks associated with ransomware, but it won’t address them all. A penetration test identifies your vulnerability exposure and security awareness; however, it won’t evaluate the programmatic side of things: backups, disaster recovery and segmentation are all major variables to weigh against your ransomware risk.
When it comes to ransomware, cities, municipalities, schools and government agencies are particularly exposed, and, penetration testing or not, ransomware is not 100% preventable. What experienced penetration testers find, combined with best practices, best-in-class tools and proper employee education, can still minimize the risk and reduce the impact of an attack.
Another emerging cyber fear is deepfake extortion, sometimes called deepfake ransomware even though no files are encrypted. This kind of attack simulates a person's voice, image and likeness, and can be used against political targets and public personalities for extortion. Politically motivated attacks have grown in sophistication over the years, and are used to influence political outcomes and to target organizations connected to government. It's important to remember: if you're working with a high-value target, you are a high-value target, because bad actors will attack you to get to the ultimate prize.
AI technology is also a game changer for deepfakes. Today, malicious actors can digitize, adapt, modify, edit or change anything you say or do. In one widely reported case, criminals used AI voice-cloning to impersonate a senior executive on a phone call and talked the chief executive of a UK company into wiring funds, resulting in a fraudulent transfer of more than $200,000.2
Four best practice recommendations for optimal outcomes
The ability to detect threats in advance is absolutely essential in today's volatile cybersecurity environment. These tips will help you determine what advanced testing is right for your organization.
Before you embark on any type of advanced testing, it’s important to understand the business drivers that extend beyond cybersecurity. Ask questions such as:
Once you have a big-picture view, map your security program to those drivers. Determine what projects and initiatives you need in order to meet your strategy, and identify why the actions that protect your brand matter. Often, if you are doing a good job with cybersecurity, company stakeholders are not aware there is any need to ramp up efforts. Executives think, "If we're not having a security incident, why is it costing so much?" If you recognize this mindset, you can work to change it by developing a business value model that aligns to your company's desired outcomes.
It’s important to understand the full scope of what you need to achieve. For instance, if you belong to a global organization, you can conduct a global penetration test, but it is more likely you will need regional focus, either because of culture differences, local regulatory requirements, or business unit segregation. All of this factors into determining what type of advanced testing you need. Once you know your scope, you can align to your testing requirements.
Before you engage outside professionals in penetration testing, you will want to ask about the type of approach or methodology they use. You can and should request sample reports, and obtain CVs/bios for the cybersecurity professionals involved in your engagement. Ensure your consultants know how to move laterally, escalate privileges, and find critical, sensitive data such as bank accounts and accounting systems. It’s one thing to obtain high privileges like domain admin rights, but it’s an entirely different thing if the penetration testing team understands your sensitive data/IP and can expose improvement opportunities as it pertains to these critical systems.
You can also seek professionals who hold advanced offensive-security certifications. One of the main ones for application testing is the Offensive Security Web Expert (OSWE). Certified OSWEs know the advanced ins and outs of how web applications are built, where they are vulnerable, and how they can be exploited. For network and Active Directory testing, the Offensive Security Certified Professional (OSCP) is the corresponding credential.
Under the "test as needed" approach, some organizations require more frequent testing than others. A financial organization, for example, may need to test more often than a small manufacturing company. Industry drivers dictate how often testing should be conducted, so don't limit yourself to annual testing if your organization requires more. At a minimum, though, test annually, as most organizations do: new attack vectors are developed, tweaked and tuned continually, and a significant change to your environment (a new internet-facing application, a merger, a cloud migration) is a reason to retest before the next scheduled cycle. Annual testing also ensures your business drivers and compliance mandates stay woven into, and aligned with, your framework.
One of the best ways to protect your company’s viability and stay out of the front-page news is to go beyond conventional exploitation tactics and conduct engagement-specific attack scenarios to evaluate the effectiveness of your security controls in the real world.