The advancement of penetration testing throughout the pandemic
COVID-19 threw the spotlight on cybersecurity like never before. The unprecedented global shift to remote working, and the subsequent surge in cyber crime, made a robust cybersecurity posture across every part of the newly extended network a priority for business leaders. Many organizations had to make this transition rapidly, which increased the likelihood of misconfigurations and other errors, while the drastically expanded attack surface presented fresh challenges around remote network connections, VPN connections, phishing, and many other types of network attacks.
Ensuring adequate protection against this wave of new security threats facing every size and shape of business became paramount and challenged CISOs to balance reduced budgets and staff against the requirement for increased technology investment.
Within this, penetration testing has played a vital role in ensuring organizational security throughout the pandemic, providing value not only in testing and measuring security posture, but also in identifying and prioritizing high-risk security vulnerabilities and ensuring compliance. But have CISOs focused sufficient resources on penetration testing, and have such investments delivered the clear vision for overall cybersecurity strategy that penetration testing promises?
Penetration testing, also called pen testing or 'ethical hacking', is the practice of uncovering and exploiting vulnerabilities in a computer system, network or web application in order to determine how secure those assets actually are and to intelligently prioritize risk. Gartner has identified pen testing as a key cybersecurity strategy for 2021. By testing an organization's infrastructure, pen testing provides insight into security weaknesses and into how an attacker could gain access to the organization's different types of data. Additionally, these tests can verify that other mandated security measures are in place and working properly, and provide proof of this adherence to auditors.
In our recent second annual 2021 Penetration Testing Report, which canvassed 300 cybersecurity professionals across the world, we found that the value of pen testing was easily agreed upon: 91 percent of respondents noted that penetration testing is at least somewhat important to their security stance, and 75 percent of respondents test to measure security posture and to support vulnerability management programs. And yet the majority of respondents confirmed that testing takes place only one or two times a year (53 percent confirming only once, annually), suggesting a mismatch between beliefs and day-to-day practice.
Every organization has some type of data that is vulnerable. Given the widely reported and sizeable consequences of cyber attacks, it is worth giving greater consideration to what might be driving this mismatch, or to whether the apparent overconfidence can be justified, since CISOs risk culpability for not acting on identified issues.
While budget cuts under COVID-19 and lack of executive buy-in are accepted as core challenges for CISOs (50 percent of respondents noted an inability to get their organizations to act on findings), skillset gaps and inattention to pen testing findings are perilous in today's security climate. There is, however, a straightforward path to remediation through investment in internal and external talent and/or the right pen testing technologies.
Today the evolution and advancement of the pen testing field has delivered much flexibility in the many ways tests can be conducted -- internal teams, third-party teams, automated pen testing tools, etc. And pen testing can be done to match any scale or budget. For example, pen tests can be strategically scoped to focus on the most critical systems within an organization.
While third-party pen testing teams are recommended for verifying compliance or conducting particularly complex tests, in-house teams deliver consistency in process, ensuring that compliance and security are continuously maintained.
Investment in internal pen testing staff (who can test more frequently) means that security weaknesses can be uncovered faster, which boosts confidence in security stance. In fact, only 31 percent of businesses without an internal team felt confident in their security posture.
As organizations begin to recover post-pandemic, pen testing tools can offer businesses a flexible and viable solution that enhances pen testing processes and provides critical day-to-day support to internal teams.
Interestingly, in our report just one percent of respondents indicated they don't use any type of pen testing tool, which clearly demonstrates how crucial such solutions are to the pen testing process. While CISO preference is split between enterprise and open source tools, all recognize the complexity of the testing process and the need for a full tool stack to cover all needs. An overwhelming majority look for centralization, integration, and automated reporting functionality so that testers have a more streamlined experience, easing prioritization, remediation, and evaluation for compliance.
Today, it is critical that organizations invest in adequate pen testing processes so they can tailor their program to suit their individual needs and available resources. With issues like compliance and remote work high on the agenda for many businesses, pen testing shows every sign of remaining a crucial practice for years to come.
Putting your organization to the test on a regular basis is still the best way to ensure you are continuously reducing your cyber risk exposure, and pen testing can provide both short- and long-term value by identifying priorities for critical remediation and by playing a central guiding role in informing overall cybersecurity strategy.
Brian Wenngatz is General Manager, Cybersecurity, HelpSystems