A thorough penetration testing campaign involves social engineering, vulnerability scanning, and the manual hacking of computer systems, networks, and web applications. This overview shows how a professional team uses multiple types of penetration testing to exploit a variety of attack vectors, just as a real hacker would.
Automated vulnerability scanners look for known weaknesses in your systems, such as unpatched software versions, exposed services on open ports, and weak or default configurations. The scan results show risks that may directly affect your organization and point the penetration testers to areas where they can attempt exploitation; a scanner on its own only reports what is already in its signature database.
In a red team engagement, penetration testers take a more adversarial approach as they go after specific targets. This type of advanced, focused test emulates the Tactics, Techniques and Procedures (TTPs) of mature threat actors. The Red Team attempts to remain invisible to the systems' defenders (known as the Blue Team), so the engagement tests detection and response as well as technical controls.
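The following is an added example, not code from the original page or from Pratum, showing the core of what a vulnerability scanner does at the network layer: connect to each port, grab the service banner, fingerprint the product and version, and compare it against a table of known-vulnerable versions. It also shows the scanner's blind spot: a service whose version is not in the table is reported as open but not as vulnerable, even if it is. The `ExampleSSH` and `ExampleHTTP` products, their versions, the banners and the `KNOWN_VULNERABLE` table are all constructed for this illustration and do not correspond to real software or advisories; the example binds throwaway listeners on 127.0.0.1 so it runs offline.

```python
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical product/version table for illustration only.
# A real scanner matches fingerprints against CVE and vendor advisory feeds.
KNOWN_VULNERABLE: Dict[str, List[str]] = {
    "ExampleSSH": ["7.1", "7.2"],
    "ExampleHTTP": ["1.0"],
}


def start_fake_service(banner: bytes) -> Tuple[int, threading.Event]:
    """Bind a listener on 127.0.0.1 on an ephemeral port that sends
    `banner` to every client. Stands in for a real network service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Return the banner a service sends on connect, or None if the
    port is closed or filtered (connection refused / timed out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode(errors="replace").strip()
    except OSError:
        return None


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Fingerprint a 'Product/Version ...' banner into (product, version).
    Banners that do not follow that shape yield None (unfingerprinted)."""
    product, sep, rest = banner.partition("/")
    if not sep or not rest.strip():
        return None
    return product.strip(), rest.split()[0]


def scan(host: str, ports: List[int]) -> List[Dict[str, object]]:
    """Scan each port: open ports become findings, and a finding is
    flagged vulnerable only if its fingerprint is in KNOWN_VULNERABLE."""
    findings: List[Dict[str, object]] = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue  # closed or filtered: nothing for an automated scan to report
        finding: Dict[str, object] = {"port": port, "banner": banner, "vulnerable": False}
        parsed = parse_banner(banner)
        if parsed is not None and parsed[1] in KNOWN_VULNERABLE.get(parsed[0], []):
            finding["vulnerable"] = True
        findings.append(finding)
    return findings


def demo() -> List[Dict[str, object]]:
    """Run the scan against two constructed local services: one with a
    version in the table, one with a newer version the table does not know."""
    port_a, stop_a = start_fake_service(b"ExampleSSH/7.2 constructed-banner\r\n")
    port_b, stop_b = start_fake_service(b"ExampleHTTP/2.0 constructed-banner\r\n")
    try:
        return scan("127.0.0.1", [port_a, port_b])
    finally:
        stop_a.set()
        stop_b.set()


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The second service is reported as an open port with a banner but not as vulnerable, because nothing in the table matches `ExampleHTTP/2.0`. That is exactly the gap a manual penetration test is meant to close: a tester would still probe that service for logic flaws, weak credentials or misconfigurations that no signature describes.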
To learn more about Pratum's penetration testing services, contact us today.
SOC 2® reports are probably coming up in a lot of conversations among your industry peers and key partners. But do you need to get a SOC 2® report? The process represents a significant investment of both money and time (about 18 months to complete a typical SOC 2® Type II reporting process). As you weigh whether the investment is worth it for your business today and in the future, consider these factors. (And if you need a summary of how SOC 2® works, jump to the bottom of this post.)
Companies use the widely accepted SOC 2® framework to confirm that their vendors and partners handle information securely. Rather than simply trusting vendors who declare themselves secure, companies can demand a SOC 2® report as third-party evidence of the vendor’s controls. In a SOC 2® audit, a CPA firm licensed under the American Institute of CPAs (AICPA) examines a company’s controls against the Trust Services Criteria over a specific period of time and issues an opinion on whether those controls are suitably designed and (for Type II) operating effectively. Note that SOC 2® is an attestation report, not a certification: the auditor’s opinion applies to the controls and period examined, and the reader of the report still has to judge whether those controls are adequate for their own use of the vendor.
Companies can seek either SOC 2® Type I or Type II. Type I examines the design of controls at a specific point in time. Type II evaluates the operating effectiveness of those controls over a period of time. While a Type I report can be completed fairly quickly, a Type II audit can take up to 18 months, including the readiness and audit periods. Retaining SOC 2® validation requires repeating the audit on a regular basis (usually annually).
Pratum consultants help numerous companies each year determine whether they would benefit from a SOC 2® report and then prepare for the SOC 2® process if they move forward. To learn more about how Pratum can help simplify the journey for you, contact us today.
Performing regular penetration tests is an easy decision. They represent a key piece of your overall security strategy. But getting the most from your next penetration test can be more challenging as you sort through multiple questions. How do you choose the best penetration test vendor? How do you decide what to test? Why do quotes from different vendors vary so much?
All these key topics came up during Pratum’s latest Cybersecurity in 60 webinar. Pratum Senior Penetration Tester Jason Moulder and Troy University CTO Greg Price shared insights from the perspectives of a tester and a client on how to make the most of a penetration test. Here are the highlights of their conversation. To view the entire webinar, click here.
First, make sure that you’re getting an actual penetration test and not just a vulnerability scan. (This infographic shows all the elements that go into a full penetration test.)
Second, do your homework on the penetration testing company you’re thinking of using. What kind of credentials do the actual testers have? How many years of experience do they have? What are people saying about them online? You should look for a long-term partnership, not just a one-and-done engagement.
It seems like someone calls me every day who is hanging out their shingle as a cybersecurity expert. I’m always dubious of those claims, especially if the organization appears overnight. So the maturity of the organization we’re going to work with is of enormous interest for me.
A penetration test is predicated on a vuln scan. Any penetration testing professional has to know the lay of the landscape, which is where a vuln scan comes into play by knocking on the door, running various scans to see what’s forward facing for the Internet to take a peek at it.
The penetration test provides me greater insight into those vulnerabilities. It shows where gaps are not only from a technical perspective, but from a policy perspective. It provides a practical application of how my team is working, what’s going on with our resources.
Keep in mind that a vuln scan is only programmed to find things that are known. (Click here for a full comparison of penetration tests and vuln scans.)
You can get stealthy with a penetration test or get loud and bang on the doors and hope somebody’s paying attention. If the rules are not laid out clearly, those doing the work can get too noisy and too rough and disrupt the environment, and that can be an absolute disaster.
We’ve used groups in the past that completely ignored the rules of engagement. If they found something, they would take it all the way down. That’s an awful experience for an organization of any size, but especially for us with a global operation and students engaged in various educational opportunities.
That’s also an issue when it comes to automated tests like vuln scans. If the team isn’t coordinating with the client and saying what they’re going to be doing at a certain time, you can mess up all kinds of things such as rewriting databases, deleting things, and creating other unintended types of consequences.
I don’t want a penetration test to turn into a test of my disaster recovery (DR) plan.
We identify components that would seriously affect you and everybody connected to you if they got compromised. I try to work with clients to keep the cost manageable while giving you what you actually need. We’ll guide you on what we see with other clients in the same industry, threat intelligence we’re getting and other things.
As the customer, I should have some idea of where my weaknesses are, what I want to build on, where I want to strengthen the environment. If you’re not focused and looking at what’s vital to your organization, you could waste a lot of money just wandering around the edges and poking at things that are trivial. Also, be sure that you know how cloud and third-party components are managed before starting a penetration test.
So when you walk into a penetration test scoping call, you have to know what’s of great value and what needs to be protected from a corporate strategy perspective, a regulatory need, or a compliance need.
Take a good look at your DR plan. What are you looking at reconstituting if you have an enormous failure of your primary data operations? That’s probably the template for what you want to put in front of someone to do a penetration test against.
If you have some underlying regulation that says you have to do at least two penetration tests a year, then you can’t really bypass that. But on average, if you don’t have anything really pushing you to do this more often, you should do a full penetration test at least once a year on your entire environment: external, internal, wireless.
If you have experienced some massive shift in the infrastructure, introduced some product, exchanged some hardware, or done something else sizable, then it’s time to have someone come in and go after it and make sure it’s living up to expectations from a security perspective.
I don’t tell anybody within my organization. I want it to be a test of our controls and tools, but I also want to see that the team reacts appropriately and that the various mechanisms we have in place for mitigation and triage are also functioning.
I would rather see a team doing what they’re supposed to be doing. If it gets up to the CTO’s level, he can stop it there rather than going into the IR plan. We may purposefully fire off some real heavy stuff to see if we get shut down.
First, make sure you’ve prepared by getting controls in place, mitigating vulnerabilities and patching software before you do a penetration test. Then you can engage a vendor to come in and do an audit or a risk assessment. When you get that report on paper, then the penetration test is there to quantify that.
You don’t want to roll right out of the gate with having just turned on some new things and hired a couple of folks to work security and then bring in a penetration test group to examine what’s going on. That’s not going to be a good engagement for anybody. Use the penetration test as an opportunity for improvement. For me, it’s definitely a verification and validating tool.
We’re not trying to say you’re doing a bad job. We’re showing where you need to invest in training or shore things up. We hope that part of our result is to create a driving factor that shows your boss you need to reinvest into your overall scheme and hone the team’s skills a little more.
I like to use the final report as a team-building exercise. We focus on the end goal of being better after we complete the exercise. If we got a report that proclaimed that we had absolutely nothing going on and everything was perfect, I would be skeptical.
Some of the low-risk or informational findings could be the segue into a bigger finding when you chain that stuff together, and we identify that during the engagement.
That shows the importance of people who have experience and actual experts to conduct these tests. Without that knowledge of the penetration tester to assemble those things, you may think it’s no big deal. But when it’s brought into context by people who have a lot of experience, that’s where the value really comes out in these types of examinations.
I typically look at the penetration testing team’s experience and their approach. We also review whether the tools they use are inhouse or open source or commercial.
Take a hard look at why a lower price is lower. Sometimes we come in a lot lower than competitors because we cut out a bunch of stuff that you said you wanted, but doesn’t make sense for your objective. We want to focus in on your overall objectives and goals and why you need this penetration test to begin with. We don’t have to test everything in the environment. It's not cost-effective.
To talk with Pratum’s team about how you can get the most value from your next penetration test, contact us today.