Is traditional penetration testing effective at identifying risk?
This September the Director General of GCHQ wrote to many business leaders providing them with a top ten list of priorities for achieving and maintaining a strong resilience to cyber attack.
The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.
What is the state is your business in when it comes to cyber security?
Ask yourself the following questions;
- How effective are my perimeter defences?
- How much business impact can an anonymous attacker cause on my network?
- What is state of health of my internal systems and networks?
- What level of security awareness is held my staff?
- How effective are my IT and security team are at identifying and mitigating an attack?
If you are sure you know the answer and you are happy with it then you are doing well.
Many of the security assessments we are asked to undertake, although providing value, miss the point when it comes to identifying key risks. The reason is that an advanced and sophisticated attacker would not play by the rules set out in a typical test engagement. If I wanted to attack your organisation, I would carefully target your people, compromise their browsers, infiltrate their laptops or workstations, and from there begin to slowly gain a foothold and control of your network. In my 10 years working at the cutting edge of penetration testing, we have performed this testing but a handful of times; however the majority of successful extrusion attacks would use this method.
There is a miss-match therefore - the skills exist to measure organisations resilience to this form of attack method, the majority of successful breaches would use this technique, but penetration tests typically do not cater for this form of scenario.
A realistic attack would take the form of a discrete engagement to identify and quantify key areas of critical risk - We like to call it offensive security; the best form of defence is to know what the enemy are capable of. If you want to know the truth then you need to test combining the following elements;
- Physical - how easy would it be for an individual to gain access one of your premises/gain access to the network/steal a laptop, PDA device or similar (and attempt to extract the data) Can a remote access device be planted and will this go unnoticed?
- Technical - can your systems be penetrated? How effective are your perimeter and internal controls?
- Social - can your people be easily compromised, what level of control over your systems, data and networks can be achieved?
So to ask the question again - how well equipped are you for fending off an advanced and persistent cyber attack?