Are You Properly Using Your Hoodie as a Penetration Tester?
Maybe it’s just me, but using the word “hoodie” in the name of the report conjures an image of college dropouts sitting in their parents' basements eating Ho Hos and drinking copious amounts of Mountain Dew while tapping away at their keyboards and muttering under their breaths. Maybe that was meant as a marketing gimmick, or maybe the professional penetration testers at Rapid7 actually see themselves as movie star pirates in search of digital treasures. My money is on the former rather than the latter.
Regardless of how the world views penetration testing, the reality is that stress testing your defenses is the only real way to determine how well they hold up under pressure. Some tests are more intrusive than others are (internal versus external testing), but in reality, there’s no perfect testing technique or guarantee that a penetration tester will identify and successfully exploit every vulnerability in your technology ecosystem.
While most CISOs have a preference as to the mixture of internal versus external testing they are comfortable with, I’ve often wondered what that percentage is. According to Rapid7, the number of internal engagements rose from 21% in 2016 to 32% in this latest report. To be fair, this might not be an accurate indication of internal versus external assessments, as some companies may augment Rapid7 engagements with employee-led red teams.
So why are internal assessments so important to conduct? Rapid7’s report outlines the answer brilliantly. “Penetration testers successfully gain complete administrative control of the targeted organization’s network 67% of the time when the internal LAN or WLAN is in scope.”
An experienced CISO should immediately grasp the daunting challenge. While not exactly a task for the “easy button,” securing the paths leading in from the outside is far easier than trying to secure the squishy soft inner workings of a corporation.
This is especially important when most companies do not have a clue as to exactly which assets they own. How do you secure what you don’t know you have? It’s important to remember that in this context, an asset is more than physical hardware, data encrypted on file servers, or a popular well-licensed desktop productivity software package. Assets are also browser installations including add-ins, unencrypted USB drives, and leased multi-function printers.
A 2015 paper published by HDI Research Brief called IT Hardware Asset Management noted that, on average, 25% of IT departments kept inventory on a spreadsheet. It’s been three years since that report, but I doubt the numbers have significantly shifted either way. How effective is a spreadsheet in identifying and maintaining the true asset footprint of a company’s inventory? Even more telling is the rhetorical answer to this question – of the 25% represented in this example, how many organizations are actively making security decisions based on the information contained in the spreadsheet?
If not, why do you have the spreadsheet?
The importance of external penetration testing is intuitive. The very name of the test suggests the purpose as an activity designed to identify and possibly exploit vulnerabilities in order to infiltrate the asset’s defenses. Numerous studies have shown that the greatest number of raw attempts to puncture the company’s defenses comes from external sources; however, the greatest security risk posed by organizations comes from insider threat actors.
According to the 2018 Insider Threat Report by Cyber Security Insiders, 53% of surveyed companies reported a confirmed insider attack in the previous 12 months. That’s why internal penetration testing is so important. You can't manage what you can't measure, and how can you fix a vulnerability that you don’t even know you have?
As part of their many duties, CISOs need to develop a holistic vulnerability management program as part of their security program. As the principle of defense-in-depth implies, penetration testing is just one aspect of that program. External testing of the organization’s perimeter defenses should be conducted regularly, as should the internal defenses. This includes testing the ability to gain access from the visitor wireless network, from an exposed network port (with and without credentials), internal and external mobile and web applications, the HR job board, a selected ERP, another major application, and holding (and hopefully hiding) the crown jewels.
For more information on this topic, download and read Rapid7’s report: