Which Security Testing is Right for Your Enterprise?
Vulnerability scans, penetration tests, red teams – Put your security to the test.
So you’ve invested in your cybersecurity capabilities and upped your game on employee security awareness. But how can you be sure your efforts are working? It’s time to put your security to the test.
Penetration testing and “red teaming” are long-held practices in the cybersecurity space, but even though they were originally designed to test network security and intrusion detection, they can also provide benefits to your enterprise physical security program.
According to Brandon Finney, Manager of Red Team Services Engagements at CrowdStrike, it’s essential to understand the objectives of the testing exercise. Are you looking to find how many known vulnerabilities are unaddressed in your enterprise? Are you trying to determine how susceptible employees are to phishing emails? Are you curious whether the tactics used in a recent data breach against a similar enterprise could work on yours? Knowing the goal of your query will help to drive a successful test, he says.
Vulnerability assessments can encompass a wide range of methods and factors, and it’s easy to lump all the potential factors under the one umbrella. However, depending on the results and insights you’re looking for, it’s essential to understand which methodology is the right fit for your organization.
- Vulnerability Scans: Vulnerability assessments and scans often use automated tools, with limited manual support, to identify weaknesses in an enterprise. Typically, these assessments search for known or common vulnerabilities, such as those that have been used in past breaches or those that are frequent paths of least resistance for attackers to gain entry into the network. This sort of assessment is most useful for small and mid-sized organizations with limited cybersecurity resources and low maturity. It’s a good starting point.
- Penetration Testing: A penetration test uses information from a vulnerability scan to attempt to access or penetrate the enterprise network, like a simulated attack. Some penetration tests are largely automated, but others utilize manual effort and creativity to find routes into the enterprise network and around security. With a penetration test, enterprises and security professionals may or may not know it’s a test, similar to a fire drill. Pen testers can be third-party ethical hackers, or they can be internal security personnel. Organizations with medium maturity would benefit from a penetration test to help uncover gaps in security.
- Red Team Exercises: When utilizing a red team, the enterprise’s employees will not know an exercise is underway. This helps the organization gauge a realistic response to an attempted attack. Often, red team professionals will mimic attackers and try to break into the organization in any way possible, including physical security vulnerabilities (tailgating into a facility to gain entry to a data center, for example, or using vulnerabilities on surveillance cameras to access the network). Mature organizations with specialized cybersecurity skills would benefit from a red teaming exercise, as these can uncover gaps in security outside the network as much as inside it, often through other departments, such as physical security, employee awareness and training, and more.
The physical security aspect is essential at this point, says Ron Schlecht, Founder and Managing Partner at BTB Security, a cybersecurity firm specializing in vulnerability assessments and penetration testing. “We’ve seen several multifaceted breaches now, including ATM cash-out schemes that involve a physical breach and malware.” (Read more about ATM jackpotting in this month’s Security Talk column, page 10.)
“Red teams and penetration testers shouldn’t work in a stovepipe,” says Finney. “They should be working with different departments on recurring, regular testing. The goal is to get the company, as a whole, better. Identify gaps and work with your teammates so they understand which vulnerabilities exist, and what remediation steps could help.”
Vulnerabilities can be problems with people, processes or technology, Schlecht says, and that includes physical and cybersecurity. A pen tester might applaud you for having biometric access controls on your office doors, but if the wall ends at a simple drop ceiling, it’s easy enough for an intruder to climb over the wall, or to drop a device through the ceiling into the office space, bypassing the biometrics entirely.
Another key question: how much should your defenders know? Finney says that the “grey box” approach (in which the target organization has at least some awareness a test is underway) takes less time and is best when addressing limited and specific objectives. A “black box” approach (in which employees have no idea an attack is coming) tests defenders’ ability to detect and respond to an attack, measuring the enterprise’s monitoring and response capabilities. Because the scope of these tests can be so broad, they can take more time and resources.
The black box approach also enables testers to utilize social engineering in their attempted attack. “Any attacker is looking to exploit the path of least resistance to get to their goal,” says Schlecht.
One example, he says, is calling up the CFO’s office and asking the office assistant whether the CFO is traveling or available for a discussion. A friendly assistant might give out more information than needed (where the CFO is traveling to and for how long), which could give the attacker plenty of good detail to mount a better cyberattack. Schlecht says the attacker could then call the company help desk in a panic, introduce himself as the CFO, say he’s out of the country until Thursday and needs immediate access to key documents but is locked out of his computer, and ask for a credential reset. By piecing together the information from the assistant, the attacker could deflect any suspicion from the help desk employee. If a red team discovers this vulnerability, they may recommend adding training and security awareness education for office staff on what constitutes sensitive information.
“The impact we demonstrate is that there are multiple things that can lead to security breakdowns,” says Schlecht. “Something as minor as disclosing that somebody’s on vacation can potentially be the lynchpin to something larger, like a cyberattack. It’s not just about one specific regulation or threat, or the latest, greatest thing that’s in the media; it truly goes back to convergence and making sure that the ownership around security isn’t just on one specific individual, but it’s a cultural thing embraced throughout the organization.”
Enterprises have the option of staying in-house or hiring an outside red team for these assessments, and both have their benefits and drawbacks.
- In-House Red Teams: These can act almost like an in-house third party, Finney says, and it could behoove organizations to work these services into other departments, such as product development. Internal teams also have internal knowledge (about “crown jewel” information, reporting structures, etc.), and enterprises can be more assured that any sensitive information discovered will stay within the company (barring, of course, insider threat risks). Having an in-house team also makes enterprises more agile when it comes to testing, as there’s no need to go through a procurement cycle.
- Third-Party Red Teams: While these can be more expensive than having an in-house team, they have the benefit of experience and advanced skills in this area, while in-house personnel may have their attention and talents divided by other job requirements. Third-party testers will have more varied knowledge and skills, and they provide a fresh set of opinions and tactics when it comes to uncovering vulnerabilities. Schlecht adds that when evaluating potential red team or penetration testing vendors, security leaders must do their due diligence by evaluating vendors’ expertise and getting references from other clients.
How often should you test your system? It depends on what’s changed. According to Finney, web applications have multiple code or feature changes a year, and some update every week. Each change should be tested for new vulnerabilities, and he recommends enterprises build this testing into their roadmaps and product development. For internal systems, it’s much the same – every new technology or service added or updated should be subjected to rigorous testing to detect new vulnerabilities and address potential issues before outside attackers find them.
The results you get out of your security system testing come down to the objectives, says Finney. Typically, a red team will deliver a list of findings, specific recommendations, and any discovered gaps in the security posture and where to strengthen that posture.
This doesn’t mean enterprises have to wait for the final report to start making improvements, however. Schlecht recommends that when penetration testers or a red team discover a vulnerability, they report it immediately and then give a summary of findings at the end of the test. Those summaries should also remain confidential, he reminds, as a red team’s findings are more often than not the instructions on how to break into a business.