Pen Testing, The Cloud, and You.
Penetration testing is a valuable part of the Information Security toolkit. Verifying that your on-premises environment can stand up to real-world threats is clearly worthwhile. The relative value of pen testing has shifted as more resources are moved into the cloud. As the network perimeter erodes and your dependency upon external entities increases, so do your attack surface and risk exposure.
There are four major points to consider in modern pen-testing initiatives:
People continue to be a weak link in the security chain. According to the 2020 Verizon Data Breach Incident Report, 22% of successful breaches involved social engineering attacks, while only 17% involved malware. Education, awareness exercises, and regular testing are the best defense against non-technical attacks.
Vendors will likely be outside the scope of your ability to test due to legal or regulatory compliance issues. According to a 2018 survey conducted by the Ponemon Institute, 56% of organizations have had a breach that was caused by one of their suppliers. A strong vendor management program that includes regular third-party reviews is a necessity.
Security by obscurity is no longer possible. Fifteen years ago, network scanning was considered a precursor to an attack. In 2009, a web service called Shodan was launched. Shodan scans and catalogs every IP address on the Internet, 24 hours a day, 7 days a week. If you want to find web servers running software vulnerable to the newest exploit, all you need to do is launch a search. Shodan is no longer unique. Your weak points will be found if you do not find and close them first.
The same automation that is empowering business is also being used to launch new attacks. Traditional signature-based defenses are no longer effective, as attackers can modify their technical and social campaigns in real time. Leveraging robotic processes to simulate attacker behavior (robocalls, phishing, etc.) will yield more accurate results.
Vendors are now long-term strategic partners, rather than limited-time suppliers. Organizations need to ensure that these relationships are properly understood and can be audited. Regular education and awareness initiatives are required as a complement to the security stack.
As the perimeter expands, the scope of the security program needs to expand with it.