Chris Dickens, Senior Solutions Engineer at HackerOne, outlines an effective penetration testing strategy.
Digital transformation has become an essential requirement for any business that wants to remain competitive in an increasingly digital global landscape.
However, it’s not always straightforward. In many cases, digitising key processes can expose businesses to a wide array of new cyber security risks they aren’t used to, potentially leading to damaging breaches, attacks and/or loss of sensitive data if they aren’t careful.
In order to protect against such threats, a well-rounded cyber security strategy needs to be put in place alongside any digital transformation initiative.
However, cyber security isn’t a ‘one and done’ activity; strategies must be continuously evaluated and tested to ensure they remain effective.
Cyber criminals constantly evolve their attacks, so cyber security must also evolve. Whatever works now will likely be outdated in just a few weeks or months.
One of the best ways to stay ahead is through regular penetration testing (pentesting), which can give companies a fast, accurate snapshot of the current state of their cyber defences. This point-in-time activity features ethical hackers putting themselves in the shoes of malicious actors and attempting to breach a system’s security in order to identify vulnerabilities.
Typically, both humans and automated programmes are used to research, probe, and attack a network using various methods and channels known to be used by cybercriminals.
But too many organisations still don’t fully understand how pentesting works, or how they can effectively incorporate it into their wider security strategy.
How has pentesting changed?
The era of secretive, closed-door penetration testing is a thing of the past. In those days, you had to depend on the skills and schedules of (usually) large firms, endure long waits, and accept limited insight into the results and the testers’ actions.
Nowadays, penetration testing has evolved significantly. It often commences within a few days and is typically conducted on a smaller scale more frequently. This transformation is credited to innovative platforms that offer real-time transparency into the testing process and a more inclusive approach when bringing testers on board.
The emphasis is now on results and experience from the ethical hacking community rather than formal education and certification. The creation of new AI-based hacking methods and willingness to test source code has also greatly improved the output.
While this may sound quite daunting for the businesses involved, pentesting is an incredibly effective way to discover major vulnerabilities in their security before those vulnerabilities can be exploited, which is critically important for keeping sensitive data safe.
Arguably, penetration testing’s best advantage, however, is its thorough coverage and documentation. Due to its in-depth and refined testing, in most cases, vulnerabilities are discovered and documented, including details on how the bug can be exploited, its impact on an organisation’s compliance, and advice on how to remediate the issues.
Unlike other offensive security engagements, pentesting also allows organisations to test internal systems alongside unfinished applications – this is especially useful when leading up to a new product announcement or organisation acquisition.
Using pentests to inform both present and future security strategies
As mentioned, pentesting is a great way for businesses to gauge the effectiveness of their existing security defences at that moment in time.
However, too many organisations tend to treat it as though it’s the beginning and the end of the process, which it isn’t.
Pentesting is a tool, not a strategy, and as valuable as they are, pentests are only useful if the results are translated into an effective overall security strategy for the future.
An effective modern pentesting strategy should contain the following elements:
1. Establish key security priorities
First and foremost, businesses must determine what they need to protect. While it’s impossible to protect everything all the time, key assets should be prioritised based on the damage that would result if the asset were compromised.
Typically, highly sensitive information such as proprietary IP, competitive and legal information, and personally identifiable information (PII) will be top of the list.
2. Get security buy-in from all employees
A sustainable security culture requires buy-in at all levels of an organisation, from the executive board to the reception desk.
If every employee takes responsibility for company security, it’s much easier to build a model where risks are shared, and teams across the company can scale securely.
3. Use pentesting as a regular security touchpoint
Regular penetration testing is a great way to promote a more proactive approach to security. All too often, organisations aim to meet only the minimum requirements for compliance – and believe themselves to be secure, which is a highly risky strategy.
By contrast, combining regular pentests with bug bounty programmes provides a continuous feedback loop that allows companies to quickly identify new vulnerabilities and deal with them before they come to the attention of malicious actors.
4. Make robust cyber security a strategic differentiator
A recent study by PwC found that 87% of global CEOs are investing in cyber security as a way of building trust with customers. If the lifeblood of the digital economy is data, its heart is digital trust.
Organisations with a sound security strategy can quickly turn it into a strategic differentiator for their brand, which is invaluable in highly competitive business sectors and industries.
The best cyber security strategies can quickly adapt to change
Modern enterprise security is not easy. As more businesses embrace digital transformation and cloud computing becomes the new normal, reliance on IT is at an all-time high.
Consequently, even a small data breach can potentially have a devastating impact. On top of this, attack surfaces are exponentially larger than they were just a few years ago and continue to grow at an alarming rate.
The best practice approach for security teams is to colour outside of the lines by infusing new and independent thinking. With this in mind, penetration testing offers much more than just a scan and definitely more than a tick-box compliance requirement.
By developing a cyber security programme that employs an agile approach, organisations can prioritise flexibility and make rapid changes when needed.
Engaging ethical hackers enables organisations to deploy an army of specialised experts that will work around the clock to identify vulnerabilities and conduct pentests for both regulatory compliance and customer assessments. In today’s highly competitive and volatile business environment, few organisations can afford to forego such a crucial security advantage.