And What Should You Be Doing Instead?
If annual penetration testing is the primary source of truth that is driving your security strategy, you’re missing out on the best part of leveraging penetration testing as an important part of securing your environment. While penetration testing is currently a heavily discussed topic within the cybersecurity industry and is typically viewed as an essential component of a robust and effective cybersecurity program, there are actually several reasons why annual penetration testing may not be a sound or effective use of resources within a security program.
It’s easy to consider annual penetration tests as a mere “check-the-box” solution in your security program, but there’s a far more effective way to approach penetration testing. This blog will explore not only how to more effectively leverage penetration testing in your security program, but also why you should consider a more holistic, continuous monitoring approach.
What Is Penetration Testing?
Penetration testing is a form of ethical hacking, which involves the intentional launching of simulated cyberattacks by penetration testers. Many organizations engage with third-party vendors who specialize in penetration testing in order to determine if outside parties are able to access or exploit computer systems, networks, websites, and applications. Organizations often see the utilization of third-party pentesters as a valuable cybersecurity investment, as these companies have the expertise and knowledge of effective strategies, as well as the latest and greatest pentesting tools. The insights provided by a penetration test can be invaluable, and not only help an organization determine if any exploitable issues or vulnerabilities exist in any of its systems, applications, or assets, but also serve as an indicator of the health of an organization’s overall cybersecurity strategy, including aspects of policy effectiveness, regulatory compliance, and incident response, among others.
Since penetration testing can be a time-consuming and often expensive process, there is this assumption that running a penetration test once a year is an effective and sufficient way to validate your security program. Pentesting is necessary, but not sufficient. According to Defensible Technology CEO Stephen Doty, if you're just using pentesting to check boxes for cybersecurity compliance purposes, you’re missing out on the real capability of pentesting as an important part of your overall security strategy.
Benefits of Penetration Testing
Penetration testing is a proactive security measure, enabling your organization to reduce the risk of becoming a victim of a cyberattack. It provides practical, real-world feedback, arming you with the knowledge you need to better secure your environment.
While there are a variety of benefits associated with pentesting, these benefits generally fall into three broad categories:
- Simulate Real-World Attacks: No matter the penetration testing methodology used, by simulating real-world attacks, pentesters are able to expose vulnerabilities that could be exploited by malicious actors.
- Identify Potential Issues Before They Become Issues: Pentesting can identify a wide range of issues, from unpatched software to poor password security.
- Assess Effectiveness of Security Controls: In addition, penetration testing can help to assess the effectiveness of security controls and identify potential areas of improvement.
- Test Log Monitoring and Security Operations Processes: An often overlooked benefit penetration testing provides is the opportunity to have your security operations teams validate log monitoring events during the pentesting window. This allows you to determine if you have the ability to detect and respond in the event of a real-world attack.
“If pentesting is so effective, we should consider doing pentesting at least annually,” or so the thinking goes. The problem with this line of reasoning is that pentesting can quickly be viewed as a panacea where all your security problems are solved by addressing those points identified in the annual penetration test.
Many organizations consider pentesting to be a standard practice because it is an effective way to find and fix security weaknesses before they are exploited by malicious actors. By simulating the types of attacks that could be carried out by real-world attackers, pentesting provides valuable information about where the organization's security defenses are weakest.
Why Is Pentesting Not Enough, and What Should You Do Instead?
Every year, organizations across virtually every industry undergo annual penetration tests to evaluate the safety and security of their systems. However, recent research has shown that annual tests may not be as effective as once thought, compelling companies to shift their thinking and approach cybersecurity from a new perspective.
Additionally, many companies opt to switch pentesting vendors each year in an attempt to simulate different attack types. With the annual pentesting model, the feasibility of the penetration test is largely dependent on the skills of the testers themselves.
Security experts at Defensible Technology point out that there are more effective ways to leverage penetration testing as part of your overall security strategy, and here are several actions Defensible recommends to get the most out of penetration testing in your environment:
Shift from Annual Testing to On-Demand Testing
An annual penetration test is only a snapshot in time, once per year. Yet, new vulnerabilities are identified daily, with known exploits often published soon after.
For companies interested in getting more value — and ultimately effectiveness — out of penetration testing, leveraging a continuous and automated testing platform enables you to cover a baseline set of pentesting activities in an automated fashion and provides the flexibility to narrow to more advanced, manual testing.
Many organizations can take 90 days or more to patch vulnerabilities, leaving them exposed and susceptible to attack. A continuous and on-demand testing model is far more effective than annual testing at mitigating these risks.
Approach Pen Testing as Continuous Attack Surface Monitoring
Instead of relying on annual testing, experts recommend a more continuous approach to security. A typical pen test includes an external penetration test, which, in a nutshell, is a test of your Internet-facing attack surface. Every organization’s attack surface is dynamic, with changes to the technology configuration, as well as the continuous release of new threats and vulnerabilities. Incremental or continuous testing of the attack surface is necessary to keep pace.
Narrow the Scope
Narrow the scope of your penetration testing down to the application level. This means either web or mobile apps. Conducting targeted, direct penetration tests while continually monitoring the attack surface is a more effective approach than broad internal/external penetration tests.
Scan for Vulnerabilities
Conducting routine vulnerability scanning in your environment is instrumental in the adoption of a strong security posture. In most cases, it is a better use of resources to assume the vulnerability will eventually be exploited, even if an exploit does not currently exist. In other words, it is likely not worth the time and effort it takes to conduct a penetration test on a newly discovered vulnerability, as opposed to simply adding that vulnerability into your patch management plan.
Be Proactive, Rather Than Reactive
By taking a more proactive approach to security, organizations can identify and fix potential issues before they become serious threats. Penetration tests can still be an important part of maintaining a secure system, but they should not be the primary benchmark from where you are securing your organization’s environment.
How Do I Implement Continuous Monitoring?
Enlist the help of a highly capable cybersecurity services provider who knows and understands how to effectively leverage continuous monitoring to secure your critical assets. Get started on your continuous security journey with Defensible.
For more information or to schedule your free 30-minute consultation, please reach out to info@defensible.tech