The Role of Penetration Testing in Cyber-Risk Assessment
The Role of Penetration Testing in Cyber-Risk Assessment
Cyber-risk assessment is an essential part of any security strategy, and increasingly, it plays a key role in risk-based business decisions. In addition to helping evaluate the security posture within an established IT environment, risk assessments can determine the security impact of implementing new technologies or launching new web-based business services. Digitally driven businesses also use risk assessments as part of an overall risk evaluation when they acquire or merge with other companies.
Risk assessments can be specific to applications and systems, or they can cover larger portions of the IT environment where critical operations take place like networks, databases or IoT systems. A number of factors go into a risk assessment, including hardware configurations, data assets, business criticality, vulnerability, likelihood of a breach, and financial risk.
Vulnerability assessment is central to risk assessment because it focuses on the avenues of attack. There are two parts to vulnerability assessment: One is vulnerability scanning, which uses tools to look for, identify, and report on known vulnerabilities. The other is penetration testing, which seeks out ways to exploit known and unknown vulnerabilities by engaging in authorized efforts to breach a system or environment. While vulnerability scanning is often performed by in-house security staff, penetration testing is typically carried out by a third party.
Vulnerability scanning and penetration testing go hand-in-hand as part of a vulnerability-management program, and both are important to risk assessment. However, they serve fundamentally different purposes. As Cliff Krahenbill, information security instructor at several universities, explains, “Penetration testing provides an active, real-world assessment to determine exactly what data could be accessed if an organization’s network were compromised. Penetration testing finds vulnerabilities that cannot be detected using just a vulnerability scan, for example, examining whether data can be intercepted while in transit.”
Humayun Zafar, associate professor of information security and assurance and CISSP instructor at Kennesaw State University notes, “Pen testing goes well beyond automated-vulnerability testing. The addition of an actual person allows for a complete assessment of the network infrastructure to assist in recognizing the impact a breach can have.”
Darrell Jones, chief information security officer (CISO) at Ares Management, underscores the importance of pen testing in aligning security priorities with overall business goals. “As a regulatory requirement, pen testing is critical to the ongoing risk-management process of an organization,” he says. “The key is the usage of different types of pen tests for specific high-value assets or risks. Creating a list or catalog of priority properties, applications, and business processes will align your pen test with the priorities of the organization.
By looking at cyber risk from the perspective of someone actually trying to attack a system or environment, penetration testing helps define a vulnerability’s criticality. This is a valuable piece of the risk calculation, and it also helps prioritize risk mitigation. Gregory Balaze, security account manager at IBM, explains: “With today’s complex IT environments, a company’s information-security team may find themselves overwhelmed by potential vulnerabilities. Pen testing allows validation and prioritization of vulnerabilities by giving these teams the ability to go after the vulnerabilities that hackers can easily and quickly exploit. Security teams are able to cut through the ‘noise’ of many vulnerabilities and deal with the ones most likely to do harm to a company.”
Krahenbill adds: “A well-defined and executed penetration test can validate any discovered vulnerabilities, and whether conditions to exploit them actually exist. Penetration testing can reveal any attack vectors a cybercriminal might use to surreptitiously gain access to sensitive data on the organization’s network. Once identified, the vulnerabilities can be prioritized and steps are taken to mitigate any threat they may pose.”
So what is the best way to use penetration testing for vulnerability management and risk assessment? Zafar emphasizes the importance of using third-party pen testers. “It’s critical to recognize the importance of using penetration testing as a component of assessing risk. Far too many firms do not tap into third parties for penetration testing. Instead they rely on internal structures. If the problem is inherent to an organization, then internal teams will not be able to resolve it,” he says.
Krahenbill recommends performing both internal (where the attacker has authorized access to the network) and external (where the attacker is trying to get into the network from outside) pen tests annually. “Newly discovered vulnerabilities pose a serious threat to network security,” he explains. “Any changes to the network topology along with any configuration or hardware changes need to be examined carefully for any risks they may impose.”
Balaze notes that awareness of vulnerabilities is not enough. “To actually have an understanding of a company’s overall security posture, it’s vital to see not only the vulnerabilities but which ones are most likely to lead to a network breach. A regular pen test every year, or having one done whenever a large network change has occurred, should be done by a verified, trusted, third-party company and added to a company’s risk-management strategy. This gives a company an invaluable view into what a hacker would see from the outside looking in.”
Jones emphasizes the importance of a methodical approach to pen testing. “I recommend creating a pen test calendar for the organization. The priority properties, applications, and critical business processes should be drivers in the schedule. The schedule will also highlight if additional resources (internal vs. external) are needed to annually test all the priorities of the organization.”
Penetration testing adds an additional, “real-world” dimension to risk assessment. This is valuable not only to security operations, but it also provides another layer of insight to those who are making risk-based business decisions.
- “Penetration testing finds vulnerabilities that cannot be detected using just a vulnerability scan.”
- “A best practice for a penetration test is to have both an external and internal penetration test done annually.”
- Vulnerability scanning and penetration testing go hand-in-hand as part of a vulnerability-management program, and both are important to risk assessment. However, they serve fundamentally different purposes.
- Penetration testing adds an additional, ‘real world’ dimension to risk assessment. This is valuable not only to security operations, but it also provides another layer of insight to those who are making risk-based business decisions.