CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits
Let's start this post on a happy note: You have been promoted. You are now in charge of cyber security for your entire organization.
The birds are singing. It's a nice spring day outside. The executive washroom -- if there are still such things -- is now available to you. Most importantly, there are no issues that you know of in your enterprise IT network. But in the back of your mind, there's probably a small worry creeping in. One of the advantages of using third-party experts in a specialized IT domain such as this is that pen testers know about and look to exploit the latest vulnerabilities, seeking to compromise defenses as an attacker would. In addition, they possess a toolkit of prior exploits that have been successful, allowing organizations to prove to themselves that they have adequate cyber hygiene in place.
With software vulnerabilities increasing as new software is rolled out and installed, it becomes more important than ever not only to test for new issues but to defend against old ones as well. A pen test probes a computer system with the intention of identifying and quantifying vulnerabilities that could be exploited by an adversary.
This can be done as a white box test, where the tester has full supporting system information and documentation, or a black box test, where no prior information is provided. Grey box testing sits between the two extremes and is done by providing some data to the pen testing team. At the time, computing resources were particularly expensive and the initial concern was for proper billing and accounting to be in place. A natural outgrowth of that was preventing unauthorized access by other system users.
In fact, one of the first security conferences was held in when it was reported that a defense contractor was easily able to circumvent system access mechanisms that were supposedly in place. The DoD convened a task force in to formally assess this emerging threat. Both military and industry security experts then began studying the issue and building operationally focused teams. Reports are that, given the few adequate protections in place, these teams were quite successful. Conducting formal pen tests has continued to mature in sophistication up to the present day, with open source tools becoming widely available and leading to enhanced capabilities that do not even require coding skills.
As the nature of computing changed, so did the nature of the attack methods. The internet enabled a proliferation of web applications providing user-friendly access to back-end databases. Current industry best practices dictate that security must be integrated into the software development lifecycle, and ALL developers are expected to have at least a rudimentary knowledge of pen testing techniques and of building code resistant to such attacks. In the hands of experienced pen testers, information such as this is gold in constructing a comprehensive set of test conditions and scenarios.
Grey box testing can be of particular use if an organization is worried about a specific threat type or simply wants the pen testers to focus on particular system aspects. For instance, a network map with device manufacturer and type may be provided to allow for scanning for default passwords. This shortens data discovery steps and allows a pen tester to more quickly act like a trusted insider seeking key data items. This is a series of requirements that specify how the tester is supposed to respond in a particular situation. It defines the scope and comprehensiveness of the testing activities.
IT operations personnel are typically informed of the activities to prevent unanticipated defensive reactions that might impact operations. Organizational Security Policies are the foundation to establish the extent and specific activities of the pen test team. Adherence to these policies by organization personnel should be tested as well as IT network defenses.
Do end users actually know and follow these policies? Does the IT staff have policies that control items such as patch management, conducting vulnerability scans and security log creation, storage and archival? A checklist against sound information security best practices or a minimum set of security controls can also be applied. Acceptable test techniques can also be detailed.
For instance, phishing attacks against system users may be implemented to determine whether users follow organizational policies on e-mail and attachments, use of USB memory sticks, and file transfers outside the corporate network. As mentioned, having IT personnel informed of the testing can prevent unanticipated reactions to the test. For instance, keep help desk personnel informed if the intent is to test users, but do not keep them informed if their response actions are intended as part of the testing process.
Since the ultimate intent of a pen test is to reduce risk and strengthen defenses, it is often helpful to have a sample test report available for the target organization included in the project requirements. This report typically includes a comprehensive summary of the activities conducted.
Using a sample template up front clarifies the exact information the organization will receive at the end of the test. Often security gaps are identified in a priority order so an organization can apply timeline and budget factors against the gaps as needed to reduce risk to acceptable levels.
Cyber Security Practice Areas
There are many different, and constantly evolving, disciplines that make up a complete cyber security approach. Here are some of the most common disciplines:
- Data Security: protecting and maintaining the integrity of business, customer, and other data.
- Application Security: ensuring that software and other applications cannot be hacked, compromised, accessed without proper authorization, or disabled.
- Network Security: protecting network infrastructure and software from unauthorized access.
- Operational Security: day-to-day monitoring and security management.
- Cloud Security: cyber security methods used across public, private, or hybrid cloud environments.
- Identity and Access Management (IAM): authenticating users and authorizing them to access specific applications, data, and other systems.
- Privileged Access Management (PAM): controlling and monitoring privileged access for users, accounts, applications, and other system assets.
- Vulnerability Management (VM): proactive identification of vulnerabilities (such as through scanning) and their resolution (such as through patching, systems hardening, implementing new solutions, etc.).
- Security Training: teaching employees and other users to identify and appropriately deal with common security issues like phishing, malware, or social engineering.
Why Cyber Security is Important
IT attack vectors are exploited by criminals to gain unauthorized access to the IT environment, potentially damaging a victim organization or individual through stolen data, downtime, identity theft, reputational damage, and more. Specific issues that cyber security measures can help protect against include:
- Cyber-attacks: brute force, targeted, and denial of service attacks that take your business offline or provide unauthorized access to your systems and data.
- Data breaches: exposure of sensitive business, customer, and supplier data.
- Identity theft: compromised customer data that results in the theft of logins, passwords, and other sensitive, personally identifiable data.
Cyber security helps your organization stay ahead of cyber threats by providing a toolbox of approaches, tactics, and software to identify and protect against threats. There are a large number of data breaches, hacks, and new malware every year. Here are some of the key areas to bear in mind when evaluating cyber security strategies, policies, and tools.
Common Cyber Threat Vectors
Cyber security teams need to deal with a wide range of risks and threats.
- Malware: viruses, worms, and trojans that find their way into IT systems and replicate across the networks.
- Ransomware: a special type of malware that locks up and encrypts files, demanding a ransom (often in Bitcoin) in exchange for removing the encryption and restoring access for the system owner.
- Social Engineering: criminals use confidence tricks and other techniques to get employees to let their guard down and share sensitive information, such as logins and passwords.
- Phishing: use of fraudulent emails and other messages to convince people to install malware or otherwise reveal sensitive information about business systems.
- Sabotage: denial of service (DoS) and other attacks designed to take down business assets like websites or publicly available applications and services.
- Vulnerability Attacks: unpatched software and systems create vulnerabilities that criminals exploit through targeted attacks.
Cyber Security Strategies, Policies, and Processes
Your cyber security approach will vary depending on the type of environment you operate within.
Cyber Security Best Practices
Cyber security involves the application of a number of tools, approaches, and best practices that can significantly reduce cyber risk.
- Audit your existing IT ecosystem: audit every element of your networks, servers, infrastructure, operating systems, applications, and data.
- Complete a gap analysis: once you understand the potential threats to your IT security, understand the existing tools and approaches you have in place to deal with them.
- Use a risk-based approach to cyber security: once you have identified potential threats, rate each one based on likelihood and impact.
- Take advantage of modern cyber security software: seek out vendors and software that use modern detection techniques to identify and report on threats.
- Implement robust identity and access management: tools like biometrics, single sign-on, two-factor authentication, and adaptive security controls can help you ensure that you are requesting proper authentication from authorized users.
- Use privileged access management: the principle of least privilege will ensure that you only provide the access necessary for individuals to perform their roles. This will keep the most sensitive data off-limits, available only to those who have reason to access it.
- Employ vulnerability scanning: vulnerability scanning and penetration testing will identify potential flaws in your IT security. This will help you create an effective patch schedule to resolve any issues.
- Train your employees in good security practices: employees are often the weakest link in the cyber security chain. Make sure they are educated about social engineering, phishing, malware, and other scams, and that there are proper reporting and escalation routes if they identify threats.
- Take account of cyber security frameworks: there are a number of frameworks, best practices, and regulations you can use to guide cyber security.
Types of Jobs and Roles in Cyber Security
Cyber security has several distinct job roles that are commonly found across well-staffed IT teams. These roles include:
- Security Engineer: reviews, tests, and implements processes and technology to protect IT and company assets from cyber security threats, especially infrastructure.
- Security Architect: identifies, plans, designs, and implements security tools to maximize security and minimize risk.
- (role title missing from the page): reviews assets, reports, outputs, and more to identify potential risks and arranges for resolution.