Pentesting is the First Step in the Cybersecurity Journey. Not the Destination.
Pentesting is the First Step in the Cybersecurity Journey. Not the Destination.
When it comes to cybersecurity, computer intrusion testing (commonly called penetration testing or pentesting) often appears to many IT managers as the miracle solution to cybersecurity fears. But is it really the case? And where does this perception come from?
What is a penetration test?
The computer intrusion test is a service usually offered by cybersecurity firms. During this test, a cybersecurity specialist puts himself in the shoes of a hacker who tries to attack your network to see how far he can go (take control of critical servers, access sensitive databases, exfiltrate data, etc.). At the end of the test, the cybersecurity firm gives you a report indicating the flaws and vulnerabilities identified in your network. Usually, this report also includes recommendations to correct the most serious weaknesses identified.
The intrusion test can consist of testing the systems accessible via the Internet (external pentest) or the systems internal to the network (internal pentest).
The idea of pentest is attractive and meets a real need. Still, it also creates a bias or a false perception, which leads some organizations to think pentests are the miracle solution to protect themselves from hackers.
We have heard statements like this before:
- We've been doing Pentests for three years with one of Quebec's most reputable cybersecurity firms. They can't get into your network. If they can't get in with their reputation, NO hacker can get into our network. We’re armored
- We do regular Pentests, and we fix our flaws. We are secure
- During our last Pentest, the Pentesters only found minor things, which is reassuring. This means that we are well secured
All of these statements are false assumptions. The worst part is that these false assumptions lead organizations to believe they are highly secure and to lower their guard. But when it comes to cybersecurity, letting your guard down can be fatal.
Tester experience and duration are key success factors
The quality of a pentest depends a lot on the level of expertise of the person testing your network and the time allocated to the test. To be recognized as quality, a Pentest must have been performed by a person with several years of experience (at least three years). He must also have performed several pentests (at least ten). The experience of the tester in the field is important because the more tests he does, the better he becomes.
Another critical factor is duration. An acceptable Pentest should take a week or two, excluding the time allocated to writing the test report. Don't forget that the hacker who wants to attack you has all the time in the world to develop his attack scenario and execute it. You must therefore give your tester a reasonable amount of time to develop attack scenarios.
What a pentest delivers
A pentest is a snapshot of your network's security that provides the following:
- Validates whether a hacker who tries to attack you in a time period that matches the duration of your pentest can gain access to your network or not?
- Gives you an idea of the potential impact if an attacker manages to take control of your network
- Idientifies the most obvious vulnerabilities and loopholes that a hacker might try to exploit if they attack you
What it doesn’t provide
- A guarantee that your network is completely secure against hackers. It should be noted that the results of a Pentest are null and void the day after it is performed. Every day new security vulnerabilities appear, and a major vulnerability that is easy to exploit can appear the day after your pentest is completed. A test performed the next day by the same pentester could give completely different results. So you have to see the Pentest as a snapshot with a very short validity period
- An assurance that all scenarios that a hacker could use to try to hack you have been tested. The pentester acts like a hacker and tries to get into your network using the easiest path for him. If he can't get in via a first method, he'll try a second, and so on. But as soon as one method gives positive results, he exploits it and will not try other methods. But there could be an easier scenario than the one used by the slater. Remember, the quality of a pentest is highly dependent on the experience of the tester.
- Confirmation that you cannot be hacked. The Pentest is performed for a limited period of time and the results must be put in perspective with this duration. So, if you do a Pentest for one week and the Pentester can't get into your network, maybe in 2 weeks, he would be able to hack you
- An inventory of all the security vulnerabilities in your network. The tester looks for the easiest vulnerabilities to exploit, just like a hacker would. If he finds vulnerabilities or loopholes that are easy to exploit, he focuses on them.
Misperception about Pentesting
Some organizations base their cybersecurity strategy on performing periodic pentests (once every six months or year). Once the vulnerabilities and flaws identified during the pentest are fixed, they consider themselves secure. This perception that one is secure after the correction of the vulnerabilities identified during the pentest is false for a number of reasons, including:
- A critical vulnerability that can be easily exploited can appear as soon as the day after the pentest, rendering the results of the Pentest null and void
- The limited time allocated for the pentest (1 or 2 weeks, etc.) does not allow the pentester to explore all possible attack scenarios
- One pentester may not be able to hack your network, while another one may be able to
Pentest should be seen as the starting point on your cybersecurity journey
As we‘ve seen, a pentest allows you to get a snapshot of the security level of your network. It also gives you an idea of the potential impact should you suffer a breach. Finally, it shows you the notable vulnerabilities and loopholes that the tester has found in your network and tells you what corrective measures to apply.
- The snapshot that the pentest offers you should be considered as the beginning of your cybersecurity and our end. You then need to ask yourself the right questions and come out of the with a clear action plan that will guide your cybersecurity strategy. Examples:
- If the pentester found critical security vulnerabilities from 2017 in our network, it’s clear that you don’t have a security vulnerability management process. Your action plan should include implementing a formal security vulnerability management process and regular vulnerability scans of your network (once a quarter, etc.)
- If the tester found easy passwords in your network, it’s probably time to create an identity and access management policy
- If no security alerts were triggered during the Pentest, it is probably time to equip yourself with intrusion detection/prevention technology and monitor your network security.
- And the list goes on
Pentesting best practices
- Ensure that the tester assigned to your Pentest has at least 3 years of experience and has already performed several pentests
- Never have your pentest done by a junior. The results you will get will not be representative of your situation. During targeted attacks, (very) experienced hackers are likely to attack you
- Periodically change security firms for your pentests. This allows you to have another point of view.
Finally, don't forget that a pentest is out of date the day after it is performed, so you should never let your guard down. Deploy protection capabilities, educate your users, have 360-degree visibility of your network, and monitor its security 24/7. This is the key to staying safe from hackers.
How can Streamscan help you?
Streamscan has a long experience in penetration testing in various fields such as Manufacturing, Pharmaceutical, Retail, etc. Our Pentests experts can help you enhance your security. We then help you define an action plan that will serve as a compass to define your corporate cybersecurity strategy.
We can also help you if you are looking for operational defense capabilities (outsourcing your cybersecurity management, 24/7 security monitoring, intrusion detection/prevention technology, etc.).
Need Help with Cybersecurity? StreamScan is Here.
Whether you need help conducting a security diagnostic, developing a security plan, or want to implement an MDR (Managed Detection and Response solution), StreamScan has experts with years of experience in cybersecurity who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.