Cybersecurity Best Practices Call for Penetration Testing

As attacks become more sophisticated, penetration testing is becoming a must-have security measure

The tactics cybercriminals employ are as clever as they are numerous, and show no signs of slowing down. Unfortunately, an attacker can gain access to your organization's network through something as simple as one employee clicking on something they shouldn't, or one insecure web application. From that foothold the attacker moves on to the actual objective: exfiltrating sensitive data, stealing passwords or intercepting traffic in a man-in-the-middle attack, to name a few.


For example, Emotet is an advanced, modular banking Trojan that primarily downloads other banking Trojans and is among the most costly and destructive malware affecting governments and the private and public sectors. It’s spread through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient (PayPal receipts, shipping notifications and more), according to the U.S. National Cybersecurity and Communications Integration Center.

As with other malware infections, the consequences for the business can include loss of sensitive or proprietary information and disruption of operations, as well as financial losses and damage to the organization's reputation.

For the IT security professionals protecting the corporate network and servers, the enterprise Wi-Fi network, mobile and web applications, and the apps residing on employees' devices, defensive security measures alone are not enough.

Evaluating Pen Testing

When it comes to uncovering vulnerabilities that hackers could exploit in your infrastructure and network architecture, penetration testing has become a cybersecurity best practice. Let’s take a look at the latest pen testing options available, along with some aspects to keep in mind.

For most businesses, the focus is on bringing a product to market and the clock is ticking. Time and resources spent on cybersecurity are also critical and must be factored in and carefully allocated.

First, scope your security projects. Define what is to be tested and the time frame, with start and end dates. Budget as well for the time you will spend evaluating and responding to the reports you receive once the pen test is complete, including the cost of false positives and false negatives. A false positive is a vulnerability the pen test flags that does not actually exist; a false negative is a real vulnerability the report fails to mention. False positives waste triage effort, but false negatives are the more dangerous of the two, because the report leaves you believing the system is clean when it is not.

Automated pen testing tools certainly play an important role in ongoing security practice. Automated scanners match signatures and patterns to quickly identify publicly known vulnerabilities and where they occur. Testing with automated tools is less expensive, and reports are typically generated within a short time frame, depending on the project scope. The patterns are limited, however, to what the tool already knows about. The result is a generic report of unverified findings, often with a high false-positive rate, and it will not assess the impact to your business.

Manual pen testing is typically performed by third-party security consultants. The best manual pen testers are ethical hackers who use the same tools and techniques an attacker would. Consultants are knowledgeable in PHP, Python, Node.js, Ruby and other web languages. They infer potential attacks from clues such as error messages and database query behavior, and identify developer mistakes that stem from a lack of secure coding practice. A consultant may hold a degree or certifications such as CEPT or CISSP, but ultimately the results depend on the experience of the individual tester. Manual reports typically take longer to compile but deliver a lower false-positive rate. Because manual pen testing depends on the skill of one person, it can also be the most time-intensive route.
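To make concrete the kind of secure-coding mistake a manual tester hunts for, here is an added example (it is not code from the article, from SEWORKS or from any pen testing tool). A user lookup built by string concatenation lets a crafted username rewrite the WHERE clause, while the parameterized version treats the same input as a plain literal; a third helper records the database error message a tester would use as a signal that input reached the SQL parser. The in-memory SQLite database, the `users` table and its two rows are constructed for this example.

```python
"""Added example: SQL injection via string concatenation, beside its fix.

The database, table and rows below are constructed for the example; nothing
here is taken from the article or from a real application.
"""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: untrusted input is spliced into the SQL text, so a quote in
    # the value ends the literal and the rest is interpreted as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # FIXED: a parameterized query; the driver binds the value, and it can
    # never become SQL syntax no matter what characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe(conn, payload):
    """Run one payload through both versions, the way a tester compares
    behaviour. Returns (vulnerable_rows, safe_rows, error_message); a
    database error from the vulnerable path is itself a finding, because it
    proves the input reached the SQL parser."""
    error = None
    try:
        vulnerable_rows = find_user_vulnerable(conn, payload)
    except sqlite3.Error as exc:
        vulnerable_rows, error = [], str(exc)
    safe_rows = find_user_safe(conn, payload)
    return vulnerable_rows, safe_rows, error


def run_demo():
    """Exercise a normal value, a tautology payload and a syntax probe."""
    conn = make_db()
    payloads = {
        "normal": "alice",
        "tautology": "x' OR '1'='1",   # turns the WHERE clause into "always true"
        "syntax_probe": "x'",          # unbalanced quote: triggers a parser error
    }
    return {name: probe(conn, payload) for name, payload in payloads.items()}


if __name__ == "__main__":
    for name, (vuln, safe, err) in run_demo().items():
        print(f"{name:13s} vulnerable={vuln} safe={safe} error={err!r}")
```

The tautology payload returns every row from the concatenated query and nothing from the parameterized one; the unbalanced quote produces a parser error only on the vulnerable path. Both differences are exactly what a tester looks for when deciding whether an input reaches the database unescaped.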

Another option now available is penetration testing driven by artificial intelligence. Deep-learning models conduct attacks using the methodology employed by malicious hackers, such as launching multiple attack payloads simultaneously. Each vulnerability discovered feeds into the next attack attempt, so detection capability improves and expands as testing continues. Reports detail the severity of each vulnerability (low, medium, high, critical) and categorize findings according to the Open Web Application Security Project (OWASP) Top 10. Some AI pen testing tools can run an attack pen test within one to two hours per server, with security reports typically available within an hour and false-positive rates that vendors claim are comparable to manual pen testing. Treat such rates as claims to verify: run the tool against a target whose vulnerabilities you already know, and compare what it reports with what is actually there.

A Pen Test is a Must-Have for Assessing Security Risks

A company recently told us that, although they use automated testing tools to conduct their own risk assessments, their compliance requirements with their customers mandate they perform twice yearly penetration testing to ensure their website is secure. But since they perform frequent updates, sometimes monthly or more, they’re evaluating increasing the frequency of their pen testing to make sure they aren’t missing vulnerabilities.

Many of us in cybersecurity have long known that no company today can rely solely on its internal security logs, alerts and other defensive measures. It's time to incorporate penetration testing into your organization's offensive cybersecurity strategy.

Min Pyo Hong


Min Pyo Hong, CEO and founder of SEWORKS, advises corporations, NGOs, and governments on digital and cyber security issues. Min led a team of five-time finalists at the annual DEF CON conference in Las Vegas, and is a PhD candidate at Korea University in SANE-LAB Information Security. A serial entrepreneur, his previous company, SHIFTWORKS, was sold to InfraWare. Min also founded the WOWHACKER Collective, a non-profit security research group in Korea.
