Why testing is vital to securing modern enterprises [Q&A]
Security testing has gained in visibility in recent years and can undoubtedly help improve the security posture of a business.
But cybercriminals frequently shift tactics and develop new ideas, so testers can’t afford to stand still and must keep up with and anticipate trends.
We spoke to Ed Williams, director of Trustwave SpiderLabs EMEA, which has released an ebook on the importance of security testing, to discuss why businesses need to employ an integrated approach to security management that pays less attention to where data and assets live and more to the best way to protect them.
BN: Is there perhaps still a lack of understanding of the importance of testing in some organizations?
EW: It's definitely got better. I would still like to see organizations, not take it more seriously exactly, but bring it earlier into their rollout, whether it's web applications or new infrastructure or cloud or whatever it might be they're rolling out, to guarantee you get security. The better that journey goes, the cheaper it is in the long run. Having something that's pre-production that we're literally testing two weeks before the release means there's a chance that things will get delayed and that it actually won't go live because you find something serious. This happened to a client just two or three weeks ago; we were literally testing something a day before he was going live. We try and influence these types of things so they don't happen, but inevitably they do because of slippage and milestone creep. My recommendation is to get security testing into the process as early as you can on the journey.
BN: So this needs a shift in development culture?
EW: People have got very good intentions; where we see gaps and errors is when people are making rash decisions, and that's why mistakes happen. The example that I've been using very recently is the massive shift from people working in the office to people working remotely. There's been a huge amount of infrastructure kept the same, so we've seen countless examples of poor configurations, unpatched VPN endpoints, really bad remote access solutions, because people are rushed and the security isn't baked in from the beginning.
They then think, "Oh, this has been up to two months, we should probably get it tested," and it's been a real eye-opener how bad things are. So, getting testing in nice and early is important, and once you get used to scanning, then move on to the next step of pen testing. Once that's done, then go into red teaming and then constantly check; it never stops. You don't come to a point where everybody sits down and says, "we're secure." There are always improvements, whether it's patching, passwords, configurations. This is never ending.
BN: Is it true to say, in terms of the COVID effect, that people have had to do things in a hurry and testing is one of the things that's gone by the board?
EW: I think most organizations do their due diligence as best they can, but when something that was a shock for everybody globally came along, with a pivot of 360 degrees in the space of a week, two weeks, security was just an afterthought. Where we see organizations do really well is when their culture is security focused. You're talking about people who, when they're building processes, have the security switches always on. When selecting products you have to question: is this secure? Does it have whatever it needs to be secure? Am I creating a secure password? A culture that has constant security everywhere, that's where organizations do really well.
BN: As more systems move to the cloud does this vigilance need to extend down the supply chain?
EW: We've seen a big shift to the cloud for very good reasons. But for someone who was an admin in an on-prem environment, the skills are different to those of an admin in the cloud; while they are similar, they're not the same. So there's a slight gap in knowledge. That's closing all the time, to be fair, and we see maturity increasing. But we still also see basic errors, things like Mongo databases with default credentials, S3 buckets with unknown permissions. These are things that we saw three years ago and we are still seeing now. We're also seeing, when organizations are going to hybrid models, that there are gaps, like an RDP that's on the internet that shouldn't be there. Before, they could probably get away with making that type of mistake in an on-prem environment, but things are exacerbated in the cloud, in the compound, because everybody can see it.
When it comes to the supply chain and mergers and acquisitions there's due diligence work to be done as well, so your whole thing is: how far down the supply chain do you go? Do you get people to prove pen testing when supplying products and choosing suppliers? It's very, very difficult for organizations to do, but at the same time they need to ask the right questions.
BN: How important is it to follow through on what testing reveals?
EW: Organizations are complex environments. We might produce a report that will just scratch the surface on one part of that environment and say, "You really need to make sure that X, Y, Z is done across the enterprise," where it isn't that simple. In reality, it's easy for us to say that, and we know that there's context around these things, but somebody having to follow through to make sure that it's done enterprise-wide is hard going.
BN: How can smaller businesses that may not have dedicated teams cope?
EW: I always bang the drum that if you can get three things done -- passwords, patching and policy -- get those things done across the enterprise. You can make it really hard for something bad to happen; you don't have to be perfect, there is no silver bullet, but if you can get those three things right you're on the right path to gaining some sort of maturity, and having issues isn't necessarily a problem.
I've been in this game for 15 years and I don't think I've seen a business that hasn't had any issues. What is key is fixing them and fixing the root cause issue, so if we're seeing a host of missing patches and bad customer credential management we need to ask: why is that happening? How can we stop that from happening in the future? But people are busy; they might fix one issue and just move on with their day and not think about things on a bigger scale, which is where maturity comes into it.
In addition, education and culture are absolutely fundamental, because the weakest part of an organization is the person, but it's also the strongest part. If people on the front line can make really, really smart decisions about not clicking on a link, or not putting a USB drive into the computer, or checking in the first place, it helps keep the organization secure.
You can get the ebook from the Trustwave site.