Are we working on a model of the tortoise and the hare?
Compliance is a driver for security. I can hear the interwebz scream out in anguish, but just wait a moment.
How do companies afford, fund and budget for information security, and, importantly, what mechanisms exist to obtain third-party verification and assessment of the security measures put in place to protect an organisation's assets?
It comes down to risk, regulation and compliance.
Great, but is it enough, or even the right way?
The Challenge
Take, for example, the scheduled pentest. More often than not compliance will demand a yearly assessment, and if that is what compliance asks for, should we stop at just that?
Before we answer, since it is far too easy to respond without context, let's take a brief look at the impact a pentest has on a company:
- Traditional pentesting is labour intensive. It can affect the availability of the business, and it drains staff through additional work, stress and anxiety. Is the testing company competent in the work? Does it provide actionable and timely intelligence, or does it take the network down in error?

- Checkbox compliance approaches. Working to the bare minimum is hardly the best use of resources or effort. Baseline security is a necessary requirement, but a snapshot in time says nothing about how mitigations perform over time or about the real posture of the organisation. Adversaries are not going to wait for your patching cycle, or, when a new vulnerability is disclosed, for security vendors to come up with mitigation and detection routines.

- No matter how skilled and professional the pentesting company may be, it cannot replicate the skill sets of your adversaries, and most assuredly not within the time-limited scope many pentests are conducted under. The threat actors you face are not going to stop after a few days; they will continue to use a variety of tactics, techniques and procedures against your infrastructure and assets until they achieve their goals.

- For an organisation with thousands of endpoints and at least as many assets to protect, a two-week pentest is not going to cut it. It is an issue of scale and assessment versus time and materials. Commissioning an assessment and then waiting for reports, updates, risk assessments and gap analysis does nothing to reduce real-time risk.

- Given the changes in infrastructure, including the rapid deployment of many cloud models and service types both on premises and off, the standard pentest will inevitably fail to address this changing environment beyond a snapshot of the current state. Cloud environments are by their nature dynamic and ephemeral, and a more adaptive approach is required.
So what can we do?
We have to look at strategic pentesting as part of the future. It cannot survive as a report that lists the issues and remediation steps and is then left to the client to deal with. This is a business partnership that needs to be defined, one in which both sides work together to identify the threat model facing the client and deal with vulnerabilities in their business context, taking a proactive approach with the business partner to bring efforts like secure coding standards, DevSecOps and automated testing to maturity.
Security starts well before the design stage; it is in the culture and the provision of staff, in training, and in being given the right tools and support not only to do the job, but to do it well.
A stitch in time may save nine
Francis Baily – 1797
Security isn't something you can bolt on at the end; it has to be the golden thread running through all the efforts of an organisation, and if we rely on the annual pentest as a scorecard then we are not doing the job well at all.
Know your assets; know your organisation. Start there and then progress to internal testing, or if you prefer the term, white-box testing, where credentials and the infrastructure are known, to assess what can and will go wrong once your defences are breached. After all, a wall can only withstand so much force before it yields, and the same is true of any perimeter defence.
Leverage your assets, including any developer teams you may have. Give them the tools to validate and verify their code with both automated and manual testing before it is handed over to QA. This frees QA teams to hunt down the more difficult issues without wasting cycles on the mundane.
Vulnerability testing and pentesting need to be automated as much as possible and built into the change management process, so that comprehensive coverage continues between assessments rather than stopping at the annual snapshot.
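As an added example, not code from the original post: the "know your assets" and "build testing into change management" points above can be turned into a gate that runs on every change instead of once a year. The script below compares the last reviewed inventory of hosts and listening services against the current state, reports new hosts, new services and hosts that disappeared, and fails (exit code 1) when a new exposure is not covered by an approved change. Both inventories and the approval list are constructed for this example; in practice the "current" side would come from your own scan tooling, and the approvals from your change tickets.

```python
"""Exposure-drift gate for a change-management pipeline (illustrative example)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "new_host", "new_service" or "removed_host"
    host: str
    detail: str  # service for new_service, service list for new_host


# Constructed baseline: the last reviewed snapshot of hosts and listening services.
BASELINE_JSON = """{
  "10.0.1.10": ["22/tcp", "443/tcp"],
  "10.0.1.11": ["443/tcp"],
  "10.0.2.30": ["5432/tcp"]
}"""

# Constructed current state, as a scheduled scan after a deployment might report it.
CURRENT_JSON = """{
  "10.0.1.10": ["22/tcp", "443/tcp", "3389/tcp"],
  "10.0.1.11": ["443/tcp"],
  "10.0.5.20": ["22/tcp", "8080/tcp"]
}"""

# Constructed approvals: a new host is approved by address, a new service by "host:port/proto".
APPROVED_CHANGES = {"10.0.5.20"}


def load_inventory(text: str) -> dict[str, set[str]]:
    """Parse a JSON mapping of host -> list of services into host -> set of services."""
    return {host: set(services) for host, services in json.loads(text).items()}


def exposure_drift(baseline: dict[str, set[str]], current: dict[str, set[str]]) -> list[Finding]:
    """Return every difference in exposure between the reviewed baseline and the current state."""
    findings: list[Finding] = []
    for host in sorted(current):
        if host not in baseline:
            findings.append(Finding("new_host", host, ",".join(sorted(current[host]))))
            continue
        for service in sorted(current[host] - baseline[host]):
            findings.append(Finding("new_service", host, service))
    # A vanished host is worth knowing about too (decommissioned, or something broke),
    # but it does not add exposure, so the gate treats it as informational.
    for host in sorted(set(baseline) - set(current)):
        findings.append(Finding("removed_host", host, ""))
    return findings


def approval_key(finding: Finding) -> str:
    """Key under which a change ticket approves this finding."""
    return finding.host if finding.kind == "new_host" else f"{finding.host}:{finding.detail}"


def gate(findings: list[Finding], approved: set[str]) -> tuple[int, list[Finding]]:
    """Return (exit_code, blocking_findings): 1 if any new exposure lacks an approval, else 0."""
    blocking = [f for f in findings
                if f.kind != "removed_host" and approval_key(f) not in approved]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    drift = exposure_drift(load_inventory(BASELINE_JSON), load_inventory(CURRENT_JSON))
    code, blocking = gate(drift, APPROVED_CHANGES)
    for f in drift:
        print(f"{f.kind:12} {f.host:12} {f.detail}")
    print(f"unapproved exposures: {len(blocking)}, exit code {code}")
    raise SystemExit(code)
```

With the constructed data, the new host 10.0.5.20 is approved but the RDP listener that appeared on 10.0.1.10 is not, so the gate fails the change and names the unexpected 3389/tcp exposure; once that change is ticketed and approved (or the service removed) the same run passes, which is the difference between a yearly snapshot and continuous coverage.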
None of these steps will make you 100% secure, but that is not the aim.
The aim of the game is to be secure enough against the threats you face. Furthermore, all this effort is in vain if the issues raised are not properly addressed and remediated in a timely fashion.
Your budget needs to cover not just the testing, but the fixing.