Penetration Testing is Failing

It is now commonly accepted that penetration testing is important for application and network security, but that it is not effective in isolation against advanced threats; experts will tell you that it is only one part of a package of tests and measures that need to be implemented on a regular basis. However, in 2013 there is a growing gap between the efficacy of penetration testing and the threats that organisations face. We are now reaching the point where penetration testing is becoming ineffective, and there is a long list of companies that are struggling to come to terms with the fact that their systems and applications did not withstand an attack even though a penetration test had reassured them that they would.

Penetration testing has certainly evolved in the past four years, and it has become increasingly reliant on automated tools and on an evaluation of patching levels, the systems in place and the encryption used, which supports some conclusions about overall security and vulnerability levels but not others. It is now less common to see skilled manual review of code, or white-hat techniques applied to more demanding assignments. The pressure to maintain high utilisation rates among pen-testers limits the time available to maintain knowledge and develop skills in step with the black hats, and a gap is opening in both competency and approach.
Automated techniques have their place, but their role is lessening as threats become more sophisticated, and the methods that should be applied to simulate those threats, whether DDoS attacks, social engineering, phishing or something more advanced and persistent, are increasingly ill-suited to automated tooling.

The term Red Teaming is now the more appropriate description of simulating the real-world methods that vulnerable organisations will face, as convergence has become the defining characteristic of the threat. Invariably a determined attacker will combine a remote attack, physical infiltration and social engineering to effect a compromise. Which raises the question: what use was the penetration testing, when you have little sight of your vulnerabilities once the perimeter has been breached?

Notwithstanding the flaws in standard penetration testing as a stand-alone methodology, there are equally significant flaws in companies' attitudes to remediation. This may reflect budget, but it may equally reflect the limitations of a compliance-centric approach, or the weakness of the remediation advice being provided, either by independent experts or as an outcome of penetration testing. Worse still, it may be a reflection of the perceptions of the managers responsible, who do not seek independent advice or are not prepared to invest in holistic security testing.

Advanced testing will always reveal vulnerabilities, and companies have to be prepared to deal with that realisation. If firms are to follow best practice and construct a security paradigm on protection, detection and response, then security exercises are a prerequisite. 'High reliability' organisations and the military use drills and exercises to make sure that their skills are sharp and their plans effective. For many years companies have employed intruder testing to identify weaknesses in their access control, gaps in their CCTV coverage, flaws in the human aspects of security management, and even the effectiveness of their perimeter protection. Given how dominant cyber threats have now become, it is time for companies to adopt the same approach on a converged basis.

We are rapidly reaching the point where the messages 'you are vulnerable' and 'you have been breached even if you don't know it' have been reinforced sufficiently, and only the most complacent or ignorant manager will be able to assert that he has nothing to worry about, or that he is confident he has taken all the necessary steps. It is time to add to this. It is a naïve manager who thinks his network security is assured because he engaged some pen-testers, or that he is immune from DDoS attacks because he bought an off-the-shelf system to defend against them. Ultimately it reflects that he learnt little from engaging pen-testers beyond a list of findings.

As threats evolve, and some companies face PDoS (permanent denial of service) attacks, mobile device vulnerabilities and sophisticated phishing attacks without the detection capabilities to match, it is increasingly important that security testing is a process that develops awareness and understanding of the holistic and sophisticated nature of the threat landscape, and that this knowledge permeates the organisation beyond the IT department. And maybe this is the main reason why standard pen-testing is failing customers, and is rightly becoming commoditised.

It is time to engage with experts that understand security, and not just IT. And it is time to expect more holistic value from security testing rather than approaching it on an application-specific basis. The difference is that a good Red Team will show you how attackers think, and not just what damage they can do.
Posted: 24 June 2013 by Optimal Risk Admin | with 0 comments
Filed under: converged, cyber, DDoS, ESRM, mobile, network, penetration, phishing, red, security, team, testing, threat, vulnerabilities