Get Your Security Report Card with Penetration Testing
“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”
That remark was from a memo sent to Sony Pictures Entertainment employees, attributed to Kevin Mandia, CEO of security firm Mandiant, which had been helping Sony investigate the November 2014 data breach that leaked high-level company information, emails and even films, leading to threats of violence. Bloomberg reported that monetary losses from the fallout over “The Interview” film controversy alone are estimated near $200 million.
According to former ASIS president Dan O’Hara, this attack should be a wakeup call for the security industry. “This is a call for more due diligence. We need to use all the resources we have access to in order to prevent such an attack.… We have to be better.”
One way to conduct your due diligence in threat detection is to attempt to find such vulnerabilities within your enterprise yourself, namely through penetration testing, O’Hara says.
In a nutshell, penetration testing – whether on the physical side or the logical and cyber side – is the practice of trying to circumvent your own security controls in order to find failings or gauge areas for improvement. On the cyber side, this could mean hiring a certified ethical hacker to probe your network for gaps in perimeter security or potential data leaks; on the physical side, it could mean working with an external or internal “red team” (an independent penetration test team) to attempt to breach the physical perimeter of a business. A physical test might probe for piggybacking by posing as an express courier carrying a large box and seeing whether anyone holds the door open for you. Do all of the card readers on perimeter doors work? Is anything propped open or left unsecured? Once inside, would any employee stop you to check your credentials? Are there confidential files left on desktops or inside unlocked offices after office hours?
“Think of this as a report card for your security program,” says O’Hara. “We all think we have good controls, but you want to make sure that you do. A penetration test is a good indicator of human proficiency in your enterprise.”
According to Frank Pisciotta, president of security consultancy firm Business Protection Specialists, Inc., you should strive to share the results of your penetration tests – both good and bad – with your C-Suite and enterprise employees. “A good test helps to share your success with good ‘pat on the back’-style awareness. A bad test is a good reminder as part of your ongoing education campaign,” he says. After a failed penetration test, security leaders should re-test the system within approximately 30 to 45 days after completing any necessary changes or re-education.
“A penetration test is not an audit,” Pisciotta says. “An audit is broad and more comprehensive, while a penetration test is a specific simulation of an attack that will focus on one or two elements of your security. When choosing what to test, you want to consider the quality and maturity of your program – don’t test something when you already know the answer. If you don’t have a perimeter fence, don’t see if someone can get onto your property. Test the building doors or your personnel’s behavior instead.
“Security programs mature dynamically. The goal of a penetration test is to demonstrate improvement over time,” he adds.
One of Pisciotta’s longtime clients for penetration testing, R. Spencer Lane (who is now Director of Security and Business Continuity for international law firm K&L Gates LLP), says that penetration tests should be “simple, straightforward, and not time-consuming, especially for companies with small security departments and large footprints.” For example, businesses with a centralized corporate security department can add a penetration testing program for all regional locations, and managers would report testing results back to the headquarters on a set frequency.
Lane adds that CSOs can use metrics from penetration tests to compare security awareness and ability at different locations to help spur participation and some healthy competition.
“Penetration testing is not done in isolation,” Lane says. “You have partners in the C-Suite, in IT, in your regional partners and your employees. If you’re concerned about reporting a failed test to leadership, frame it – and think of it – like this: ‘We found a vulnerability, and we’re working on it so we limit our risk from actual intruders.’ You’re finding blemishes in your program before there’s an actual problem, and that’s good for your C-Suite to know.”
“It’s the people in your organization that defend the security program,” says O’Hara. “The top resource for security is employee communication. There are lots of components in your enterprise – HR, facilities management, for example – that might not see security measures the same way as we do. They could be propping doors open for smoke breaks, and you wouldn’t know unless you tested. It’s an employee education issue that you can discover and address.”
When working with consultants or independent red teams, O’Hara recommends putting guidelines in place, and in writing, early: “Your penetration tests, whether physical or logical, should involve nothing illegal, immoral or unethical. Tailgating or using a phony ID is one thing; trespassing is another. Set confidentiality controls, and manage who would be sent the report. Don’t broadcast penetration testing plans to employees, but don’t hide your results.”
This, Lane says, works like a typical emergency weather or fire drill – having an unannounced test gives you a more accurate response, and sharing the results afterward helps employees be better prepared to respond to the next drill or actual incident.