By Brad Atkin, CPA, CISA, CITP – Shareholder, IT Advisory and Security Group

If you’re like any other leadership team, you’ve probably wondered why news of high-profile cyberattacks continues to dominate the headlines, given that cybersecurity is a focus for most organizations today.

Although cybersecurity budgets continue to grow, this commitment by organizations has done little to stem the tide of financially and ideologically motivated attackers. In fact, research conducted by the Ponemon Institute found the average cost of a data breach was $3.92 million. In the United States specifically, the average was far higher at $81.9 million. What is even more alarming is that research shows a clear move away from attacks being aimed solely at the big fish: small and medium-size businesses now account for almost 50% of breaches. If awareness and spending are at an all-time high, why do there continue to be so many breaches?

Insufficient Testing

One reason cyberattacks continue to be successful is the way the security of IT systems is tested. Many organizations rely on automated vulnerability scanning tools to probe their network and find security weaknesses. While such tools are an essential part of an IT security program, they give an incomplete picture of what an attacker could accomplish on a network. To complicate matters further, a scan from such tools is often marketed and sold as a complete penetration test, which is misleading.

The What and Why of Penetration Testing

A true penetration test is a service performed by an information security specialist who is trained to use the tools and mindset of an attacker to give a realistic assessment of your vulnerability to cyberattacks. Instead of relying solely on automated tools, a skilled penetration tester will rely on rigorous manual testing to identify security vulnerabilities and exploit them. This process continues until the predetermined goal, usually the compromise of sensitive systems or data, is accomplished. Testing of this nature will help your organization:

  1. Identify vulnerabilities in the perimeter systems that protect your network
  2. Verify change management processes are keeping pace with security
  3. Check system configuration
  4. Validate the actions of third-party IT managed-service providers

Approaches to Penetration Testing

When you decide to have a penetration test performed, it is essential to consider the “scope” or the actions the penetration tester will be authorized to perform.

The most important scoping decision to make is whether the penetration tester will be required to attack your systems over the Internet or whether they will be allowed inside your facilities to connect directly to your organization’s internal network. The former approach, known as an “external penetration test,” is the cheapest option but often doesn’t leave enough time to perform a thorough test. This kind of testing is performed from the office of the service provider and relies on launching cyberattacks over the Internet. However, just because a single test cannot compromise your network from across the Internet doesn’t mean it will never be possible to do so.

External penetration tests usually focus the most effort on your “network perimeter,” the firewalls and servers that sit between your organization and the Internet. While these devices are designed to be secure, the success of email-based attacks like phishing, coupled with the speed at which new vulnerabilities are being uncovered, means malicious hackers are still finding ways to bypass this perimeter and access your internal network.

This has led to a new approach to cybersecurity called “defense-in-depth,” which emphasizes not just the security of your network perimeter, but also the ability to detect and deter attackers who have already breached it. Internal penetration testing, which allows the tester to visit your office building and plug directly into your network, is the best way to test your ability to practice “defense-in-depth.” The penetration tester can spend less time trying to bypass your firewall and more time exploiting vulnerabilities in your internal network, while testing your ability to detect and respond to their simulated attack.

Choosing a Penetration Test Provider

Ultimately, a combination of both internal and external penetration testing will give you the most thorough assessment of what a malicious hacker could accomplish. Regardless of which kind of testing you choose, always consider the following when choosing a penetration test provider:

Flexibility: A provider should be willing to work with you to create a scope that reflects the risk appetite and security needs of your organization, not push for the fastest or costliest option.

Social Engineering: The people of an organization are an essential part of its security, and a penetration test can exploit their good nature to gain access to sensitive areas or computer systems. Consider adding phone and email-based social engineering to the scope of your test.

Experience: A penetration test is a complex undertaking that should not be performed by those without proper experience and training. Ensure your provider has experience with penetration testing of organizations in your industry.

Tools of the Trade: A penetration tester should rely on more than just automated scanning software. Ask your provider about what kinds of manual testing they can perform and what tools they might use to do so.

With a team of cybersecurity advisors and a scalable CYBERCLAW® solution, Doeren Mayhew can help your organization meet its cybersecurity goals by performing penetration testing and providing actionable recommendations to strengthen its security posture. Contact us to learn more about our CYBERCLAW® offering or request a quote.