Prioritizing Pen Testing: 2021 Survey Results Revealed
The global chaos of last year was also seen in the digital world, as cyber attackers were seemingly relentless in their efforts. Such activity underscores the importance of penetration testing to assess and test security vulnerabilities, which allow you to better evaluate risk and be ready to detect, prevent and respond to threats as they happen.
Though pen tests continue to become a required part of cybersecurity and risk management, the role they play and the extent to which they are utilized can differ significantly from organization to organization. In order to better understand the full spectrum of pen test usage, Core Security conducted its second annual survey of cybersecurity professionals on the usage and perception of pen testing teams, services, and tools.
In this webinar, cybersecurity experts unveil the results, analyzing and offering insight on different pen testing trends and challenges, including:
- Pen testing frequency and scope
- Differences between internal and third-party testing
- If remote work affects pen testing strategies
- Implementing post pen testing remediation
- [Brian] Welcome to today's prioritizing pen testing webinar which is a sneak peek into our 2021 pen testing survey results. Thank you all for joining us! Before we begin, just a quick note that everyone will be muted during the session. If you do have a question, please enter it into the questions toolbar that you'll see via the go to webinar application. We'll try to get to as many of those questions as possible towards the end of the session. We'll also be sending out a recording of today's session following the webinar. With those notes out of the way, let's go ahead and get started. I am Brian Wenngatz general manager at core security and I'll be acting as the moderator for today's webinar. I have with me Chris Reffkin, who is our chief information security officer at here at help systems and also Bob Erdman who is associate director of development for Core Security. Thank you both for being here today and sharing your expertise with regards to the trends and challenges that we're seeing with penetration testing. Bob, can you give a quick introduction of yourself?
- [Bob] Sure. Thank you, Brian. My name is Bob Erdman and as part of what I do here at Core Security, I oversee our teams that work in our authentic and defensive software solutions. So everything from pen-testing and anti-virus, to SIEM and vulnerability management.
- [Brian] Great. Thanks Bob. Chris, can you give a quick introduction to yourself?
- [Chris] Sure thing, Brian. Again, my name's Chris Reffkin and I've been in security industry for about 15-20 years. I actually started off doing penetration testing myself so external pen-testing, internal pen testing, web apps, social engineering all kinds of fun stories related to that. Here at health systems, I oversee our security program that not only covers our employees and our customers, but also our services and products globally.
- [Brian] Great. Thanks, Chris. So before we get into the actual results of the survey, I wanted to just quick provide everyone with a little bit of an overview on the survey itself. The objective of this survey was to present an accurate picture of how penetration testing is utilized by different organizations and to provide insights about the effectiveness of ethical hacking strategies. Now, this is the second annual survey and we had nearly 300 cybersecurity professionals around the globe participate in this survey. This was a comprehensive online survey and the respondents represent a diverse cross section of industry, company size, job level and region. And as you can see, it was truly a global survey with about 44% of respondents being North in North America and a other 29% in Europe. So Chris, why don't we have you kick us off with reviewing some of the actual results.
Challenges of Penetration Testing
1. Getting Others to Act on Findings
- [Chris] I'd be happy to. So getting started here, what are the challenges for everyone's pen testing programs? Starting off, 50% getting others to act on the findings. This is somewhat surprising. This is really where the rubber meets the road, where you really realized the benefits of performing that pen-test. The pen-test is going to give you a nice report at the end of the day, but then the question is, what do you do with those results in that report in order to affect your your risk posture. And reflecting upon preparing for the webinar and the results. You know one of the things that comes to mind, I know when I worked internally here at Help Systems, before we engage with any third parties or do any type of work, we, we already start to talk with the other stakeholders and, you know, make people aware that these things are coming down the pipeline, making sure that they understand that this work is coming, and make sure they also understand the impact of this.
2. Finding Candidates With the Desired Qualifications
That way, they could prioritize this and their work streams not having enough skilled workers or hiring enough skilled workers. You know, that one's also a little bit tricky and wondering what folks are looking for? Are they looking for a full-time pest pen-tester? Are they looking for someone who's doing it part-time? And then they also want them to be a windows admin or a network admin on the side, instead of a fully dedicated security engineer. Based upon how we write our job descriptions I'm also curious about the shortage in the job market. Is there really a shortage, or are we looking for too many unicorns, if you will, to have too many, perfect matches for the roles that we're looking to fit here broadly as a security industry. The third party one I thought was a little bit interesting that there's a pretty substantial number of folks saying they have a hard time struggling to find qualified third parties to perform pen testing. And I'm wondering if it's a bit about the maturity of the pen test provider industry, as opposed to 20 some years ago when you signed up for a pen test and that was it. And then I'm wondering if today the traditional network-based pen-test is a bit commoditized and that you can do rather rapidly and pick off the shelf. But for things that are specialized, whether it's a SAAS solution or a cloud based solution, whether it's a specific web app, whether it's product testing, whether it's, you know, an apt or ransomware type preparation exercise, I'm wondering if the specializations of the requests as opposed to what the third parties are able to offer or provide are completing here. A particular issue in the industry of what folks demand versus, you know what's available.
3. Getting Executive Sponsorship
The last observation here, getting executive sponsorship. I think this one really comes down to understanding you know, what do the executives understand is the impact of the results? And maybe it's not simply, bringing them in at the end when you have a pretty report but explain, the overall process, you know we're gonna engage with a third party, do pen-testing or we're going to do pen-testing internally. Here's the potential ramifications. This is the support we're gonna need all the way through the line. So we'll get them engaged. And I find that executive engagement actually it gets pretty low level when they're interested and if we can tee it up to make it relevant to them, I think there'll be potentially more executive sponsorship available down the road. So with that, Bob, why don't you talk to us a little bit about security posture.
Confidence in Security Posture
- [Bob] Sure. Thank you, Chris. So in, in our survey, surprisingly 93% of our respondents are at least somewhat confident in their organization. Security posture, and pen-testing plays a big role in that with the confidence for most organizations, you know with over 90% of respondents, noting that pen testing was at least somewhat important to their feelings about that security posture. Now the 44% of respondents saying that they're highly confident, might be sliding down a little bit as we have seen some of these latest breaches around MSX change. And with some of the other things that are starting to pop out these days, we always want to watch out for that overconfidence in what we think we've done. We see that as a common issue in the cybersecurity field.
2. Communicating With Leadership
A lot of times, especially when we look at the challenges that Chris noted, 50% of people are struggling to get someone to act on the findings that they have. And over a third are struggling just to get executive sponsorship. As you mentioned, some of that might have to do with communications about how serious some of these uncovered security weaknesses really can be. Sometimes we'll see a mismatch between that and then how important the pen testing is seen to be inside of the organization and how much priority is really given to the findings. We don't want to go through all of the pain and expense to generate a pen test and then not have somebody take the findings that were identified and remediate those issues to extend our security posture and help put us in a better place. We also sometimes see there's a misunderstanding around the differences between pen testing and vulnerability scanning and what happens in a lone scan, which is different than what happens in an actual pen test engagement.
- [Brian] Thanks Bobby. I also found that 40% - 44% confident, response really interesting. I think that most people would agree that it's pretty clear no organization can be truly a hundred percent sure that they are absolutely secure. Bob, what would you say? Do the results say it's the biggest security risks organizations are actually facing today?
Consistent Security Risks
1. Phishing, Misconfiguration & Poor Passwords
- [Bob] Brian, phishing misconfigurations and poor passwords have remained consistent year over year as the most common entry points that people have identified. Also, pen testing is a desirable way to help test for those risks, especially related to things around possible user errors. And about 30% of the respondents were also concerned about lost or stolen devices and orphaned accounts. You know, as we kind of slide down that list a little bit and these results aligned pretty closely with what we hear daily when we talk with customers out there in the field compromising credentials, though phishing still seems to be the most common and effective way for an attacker to gain access to systems. And in general, it's a pretty cost-effective way for them to go after somebody and tools can definitely help prevent some of those issues with identity governance tools for stolen accounts or orphaned accounts, but many of them have to be solved through training and showing the importance of retesting to the executive teams to make sure that these efforts are effective. And if we see more issues arising having additional training within our organizations, you know our users are really our last line of defense.
2. Inadequate User Training
If they get a phishing email that gets through our spam filters, we have to have them understand not to click on things, where they shouldn't be, and organizations, you know, in the survey appear to have a pretty even balance for why they pen test. About 75% of them reporting they do this for vulnerability management programs. So more often now we're seeing people do that. Risk-based vulnerability management where they're trying to extend those things, not just checking off the scorecard, but how risky is this to our org if certain things are compromised. 73% for just measuring their overall security posture and then a pretty big chunk for compliance external mandates. So GDPR, CMMC, PCI, all of the different regulatory frameworks out there and many organizations are pen testing for multiple reasons. And that's probably why we saw such a high percentage. Seeing that pen-testing was at least somewhat important to their security posture. And Chris, you know, you're doing this on a daily basis as our CSO. What are you worried about? And, and why do you pen-test when you do that?
3. Lack of Good Fundamentals
- [Chris] So I think first and foremost for me is security. In order to have a mature security program you have to have good fundamentals. And so to, to reinforce that or to measure that it's really a measure of process and it's not necessarily technical vulnerability per se but is the patching process working, is training working for phishing. Our policy being applied effectively, a good side benefit of pen testing, is that you can you can have a real life. In our incident response exercise, if you keep your IT team in the dark up to a certain point and you execute a pen test, how long have you before they detect something suspicious going on the environment before they escalate to a certain point. And of course you have the head of IT or the CIO mover aware. So it stops at a certain point, but you can have real life tests of these processes and understand where you need to tweak and tune. You know, anybody can go out and apply patches on a schedule, but having that repeatable process in place so that the program is continually improving itself a little bit day by day that's that's where I see some of the benefit of of pen-testing is again to reinforce the processes and how the teams work in order to either maintain the environment or to respond to an issue that's potentially detected in the environment.
1. Impact of Regulatory Compliance
- [Brian] Well, one thing we wanted to dig in further into is the topic of compliance and Chris I'd love to hear your perspective on that topic. Regulatory compliance continues to be growing in demand on security teams. And just curious to hear what, what you feel what the impact of compliance has had on that growing demand for pen testing.
- [Chris] Yeah, I think the 99% here is surprising to me. This is another one that surprised me, how much folks rely upon pen testing to evidence something related to compliance because not all compliance programs have a pen test requirement per se but a pen test in and of itself can be a good measure of a risk management practice can show regulators that, Hey look, we are doing something. We're taking security seriously. But it can also over time show your improvement and it's very, very simple to show your improvement. If you have gone from year one and let's say you have 30 findings, year two maybe you have 25 or 25. You can kind of show your improvement over time one and you can also show that you've remediated issues that were previously identified and that all feeds well into to most all standards or regulatory requirements related to security, even if it's not a pen test specific check box. So again, it's an easy way to show that you're making progress from sometimes a more opaque or vague requirement while giving the it and security teams very tactical things to work on in order to improve the posture of environment. So to me, I think it's it's great to see that folks are using pen testing and not only willing to improve their environments, but also to evidence their compliance activities.
- [Brian] Thanks Chris, let's transition a little bit into phishing. Bob, you had mentioned earlier that phishing continues to be one of the most effective ways hackers gain access to systems. Can you delve into that aspect of pen testing for for phishing a little bit more for us?
1. Training Users
- [Bob] Sure. Brian, so phishing attempts are nearly impossible to remove from every inbox and they're a really incredibly common way for attackers to gain access to employee credentials. Then of course, after that an organization systems and as we mentioned earlier, 79% of our respondents noted that phishing was a top security concern. So I think, you know, on the good side that really indicates that organizations are very aware of the risks that this attack vector poses to them. And when we run phishing simulations, we do that to see what kind of phishing emails are tricking our employees who might be susceptible to them. Those are social engineering pen tests, essentially. That's why they are really valuable tools for education and awareness, which are the primary prevention methods with those types of attacks. And over 35% of our respondents reported that they either only annually or never run phishing campaigns. And I think it's a really valuable tool and it's worth reiterating the importance of the retesting aspects around this particularly with phishing when we're trying to move forward, our education and awareness as our primary prevention methods, you know we don't want that info to get stale in people's minds. We want to continually be probing and reminding them of what can happen especially now in our work from home world. You know, because now you might be getting a phishing on your personal email, not your corporate email because you're using that same computer to now connect in and do your day to day work and your job for your organization.
2. Directed Testing
I think there's some good news in this as well though. And that's when we compare looking at last year's results we're seeing a shift starting to go up and how many organizations are conducting these simulations on a more regular basis. And there's some different reasons why organizations can run these phishing simulations. And, you know, if we do it inside of a plant pen test it's going to look a little different than if we're doing it as part of a larger training exercise. You know, what are we going to be using as the types of campaigns that we want to run? And how do we want to structure those? You definitely want to have some rules around it. You know, don't just jump off and send a meeting from the CEO. Cause you know, everybody's going to click on it and you're going to get a great score because you can cause some, you know internal damage and things around that. It's just not always a great idea. You want to be sure that you're careful on what you're testing and how you're training people because we don't want to become adversarial with them. You know, we want this to be an educational experience and then we want to take some action on the results. And Chris, as an it leader, I think I'd like to get some comments from you on how do you handle, you know what happens inside of the test? If somebody fails once or three times, you know what do we want to do to help retrain them and bring them back into the org properly?
3. Educating Users
- [Chris] Yeah, I think one of the things I was chuckling about listening to you talk about was, you know the email from the CEO and anyone can craft a well disguised, you know, phishing attempt, a phishing email, whatever may be. But I think the point is very much home that it can be personal email fake. It can be LinkedIn. I'm seeing things through LinkedIn these days directly that are clearly phishing or otherwise suspicious activity. So phishing is not isolated only to corporate email or business email. And so understanding that any anyone can craft something that can get somebody to click on it, you know, that that's, you know at least my thought process there and using the test as a point of awareness, not as an a "gotcha", like this can happen. If we all don't slow down a little bit we live in such a rapid world these days everyone's quick to respond, you know take an extra minute to slow down check the message, check the links. Does this really look like it makes sense. And if you have any doubts, you know, you confirm out of band to whomever is the potential sender here. You know, some additional training if somebody has clicks I think is always positive. Sometimes even a quick one-on-one conversation as opposed to a formal slide deck presentation could do a greater benefit.
4. Addressing Repeated User Error
I'm not a fan of the more punitive actions, such as termination and other types of formal letters and someone's in personnel file or anything like that. Again, just based upon, the fact that anybody can be tricked, but if there's a malicious pattern there, that's something different, but if it's pure innocent clicks and things like that you see, then you need to bring that awareness and help employees understand what the impact can be. And it's not just that at work it's also at home in the personal lives. Another way to look at this too is competition. If you can build some competition and use it to foster a security culture where you have teams compete against their scores for a quarter or over a year, maybe there's some swag or some other prizes for the teams with the best scores at the end of the period two or three teams that are winners. I mean, that's the way that you can get folks engaged that are doing security work and evaluating emails for risks, but they're not thinking about it. They're thinking about a game, how to beat their buddy or the coworker to get a gift card or a prize and a reward as opposed to thinking that I have to go back to my annual security training to remember how to check these emails. So that could be another way to consider how to engage folks to handle, you know any failed attempts doing phishing testing.
- [Brian] Okay. Thanks, Chris. I have to admit that I have been caught as well, probably from just going too fast that you mentioned earlier. So certainly I think everybody can be tricked here. Let's transition a little bit into frequency, right? So Chris, right? How often should we pen test? Right. Can you provide a little insight into what the industry is and what your thoughts are on frequency?
Frequency of Pen Testing
1. A Minimum of Once Annually
- [Chris] So I would say by and large standards is at least annual I'm a little surprised that there's 15% of organizations, or at least respondents that said never given, that we have 44% of respondents saying that they're confident in their security posture, but 15% of organizations never do pen testing. So to me that seems a bit of a disconnect there but in general, at least once a year is a good benchmark or I'd say the minimum requirement. Now, I think it also depends a little bit upon the maturity of the organization and the scope and objectives for the pen test. Cause there's not a, just a one size fit all. So let's say you have a traditional external penetration assessment. So a traditional network-based pen test on your network perimeter something like that's fairly lightweight. You could do that quarterly as it won't or shouldn't add much overhead, but something that will give you insight on your network perimeter, or at least your traditional network perimeter and an internal pen tests is going to bring a lot more work to not only the pen test teams also have higher value and higher dollar costs, but it's also more likely to bring more work to your security Nike teams for remediation depending upon how wide and deep that internal team is going to go up. So maybe that one's only once a year, potentially twice a year. Again, if you can isolate scope based upon your architecture and your overall organization. So there's different ways to break that up but then also thinking strategically of what are the greatest impacts to data within the organization because that's really the focus, right is what data do you have, where it's at and with data it could also be services if you're a service provider.
2. Frequency Depends on Resources
So are you focusing on your proverbial keys to the kingdom, those systems and maybe there's some dedicated or focused application pen testing you need to do, or something on a cloud hosted services. If you're a service provider and focus testing efforts more deep dive, testing, extra efforts on those while you have the traditional checks around the perimeter but really hone in on the data repositories there. And I think it really also comes down to making sure that you're clear with your provider, you know the rules of engagement, how far they're going to go and how you're going to address those issues as they're raised and understand where does this fall in the queue, you know in collaboration with it and security making sure that, Hey, we might have things come up that we're going to have to get on top of right away. Let's let's plan for this. So again, going back to, you know, getting 50% of folks struggle to get others to act and results get them involved from the beginning have them help with scoping. And if there's known issues don't scope those known issues out, but rather address them. And you'll still have a valid test as opposed to worrying about something that you can't address because the business requires this deprecated a system within your environment. Well, if you already have a known issue, well maybe you do some work before that pen test to isolate that system could properly protect it. And then you execute your pen test. And then there you go you'll have a more targeted set of results as opposed to things that the it team is going to roll their eyes at because you test once or twice a year and they keep seeing the same findings over it but they can't do anything to address it.
- [Brian] Thanks, Chris, let's transition to a little bit about pen testing strategy, Bob and we've talked a lot about my organization's pen tests but we really haven't delve much into the strategy on how they're doing. So what did the survey results tell us on how organizations are actually conducting their their pen testing?
Pen Testing Strategy
1. Internal vs Third Party Teams
- [Bob] You know, and there's really a couple of different strategies being used. One is to have an in-house team of employees conducting this kind of testing and the other is outsourcing it to a third party provider. And of course, you know we see people also doing the hybrid having an internal team and then also on targeted occasions, you know using those external sets of eyes. I think it's really noteworthy the increase in the number of respondents this year that have an internal pen testing team at their organization. This came in at 56% which is a 14% increase from last year survey. You know, and this looks like it may indicate that more organizations are investing in their own pen testing teams. So they don't have to continue, continue to just rely on those external third party services. And while third party testing teams are often required for complex tests or verifying compliance, you know these in-house teams are able to consistently test and ensure that compliance and security are maintained continually throughout the year. And of those that don't have those internal pen test teams in place. You know, we saw some varying responses from not enough need to a lack of funding and lack of executive sponsorship up there on the top not enough need at, at nearly 50%, you know that just may be around the size of the organizations but just because you're small doesn't mean that you aren't a target.
2. Strategy Depends on Infrastructure
You know, it's really very much about what your infrastructure has, what kind of data you hold and who you're interacting with is is much more important than just that I'm small. So I don't need to do this. And when we're looking at, at these other things you know, there's, there's other different reasons to have those internal pen test teams. You know, maybe people are seeing themselves at an elevated risk of attack based on things that are happening in the industry that you're in or maybe your infrastructure is growing and changing frequently. So there's constantly, we're seeing new assets coming up maybe new web applications being deployed that need to be verified and validated. So maybe you're not doing a full network pen test every month, but when you spin up a new web we want to make sure that we are testing for security weaknesses in that web portal because that of course is a gateway into our data and into the rest of our organization. And then sometimes of course, it's just compliance issues. You got one or maybe more regulatory frameworks that you operate under that need a high degree of testing and reporting. You know, we see continuous pest pen testing is much more frequent when you're using in-house teams. You don't have to call out to somebody. You don't have to get on a schedule burn through statements of work, and then set somebody off. You can have people continually testing different areas different segments of the environment over time. And we see that generally the more mature and larger organizations have those resources built in. And I think that's where some of the scale comes from is some orgs are just larger and they can handle more of those types of things as they mature through their security life cycles. There's definitely things to watch with internal though as we're doing this and I'm Chris I think it'd be great to hear from you some of the risks that come along with those in-house pen testing teams and what we have to watch out for with our own employees doing this kind of work.
Risks of In-House Pen Testing
1. Leadership & Rules of Engagement
- [Chris] I think first and foremost there needs to be someone who can be an effective manager of that team going out and hiring, you know two or three folks that have skills and background they'll still likely need direction and guidance on what their rules of engagement are and making sure that management is aware of their work and making sure, again communication it's a two-way street here. And so it would be hard pressed to say that go hire a team of three folks to do internal pen testing. And there's not a manager that can oversee them from a day-to-day standpoint and they're kind of off on their own. And you know, there's a, there's a potential, you know malicious element of it, but it's more so of effectiveness. What are you going to get out of the investment to this team? If you don't guide them on a day-to-day basis on what you expect them to test how do you expect them to test it? What the results should look like? Another piece to consider is not only customer data which all employees, presumably under confidentiality clauses and things like that. But what about employee information? So depending upon the size of your company, you know they could stumble across employee evaluation data. They could possibly stumble across payroll data based upon the work that they're doing. So having clearly defined scope of work for the internal team or rules of engagement and where they can go, where they can't go. I think it's something to really spend some time up front to think about what alone, the alerting and monitoring you have for those systems in place from your traditional NOC or SOC that you have internally making sure that there there isn't a necessarily uncomfortable situation created depending upon the size of the company.
2. Setting Parameters That Fit Your Organization
You're a top 10 bank and you have tens of thousands of employees and you have a team of, you know somewhere 30 to 40 folks that do security operations that will work like this. That's likely to be a less of a risk but you're a smaller organization. And your pen testing can be sitting in a cube next to somebody that they just stumbled across their email information, or you stumbled across some otherwise sensitive HR data that that could change the workplace dynamic. And you could have a potential issue with that. The other, another piece of consider too is the skillset and the duration of the test. So you could schedule a let's say an internal team to do a particular scope for 30 days. They can, they can Mack on one particular objective for 30 days to see what they can do. But depending upon the skillset, again you could have reduction in and reward for that time invested. Versus if you hire a third party to come in, they can hit on a target for maybe two weeks and have some output. But whereas you have the internal team they could just keep going and going and going until they finally say that they're exhausted again going back to the rules of engagement and the proper oversight that you put, not only scope parameters on this, but time blocks on this as well. So you set expectations up front, you you have two weeks to go after this one. You don't have six months. Cause then part of the internal program you would need to think about is that not only objectives for each particular task that the team can perform but also the objectives for the course of the year. And then you time block that with availability and obviously P teams are going to take vacation and things like that. And so you need to think about what the ultimate accomplishments are, so that when you go back to get that executive sponsorship that buy-in, you can show the ROI of that team and show the organization how you're positively impacting risks. So there's lots of different things to consider there.
- [Brian] So Bob Chris said touched a little bit on the structure of these in-house testing teams for those that have internal teams what do the results of the survey review goal in regards to how they're actually structured.
Structure of In-House Teams
1. Size, Industry & Business Operations
- [Bob] Overall we're seeing that teams remain small in the number of people that are assigned to them with over 85% of our respondents are putting five or fewer dedicated team members. And it's possible that some of these teams are also being assisted by personnel that, you know maybe have some tasks as part of their other duties that are augmenting these pen-testing teams but they aren't really considered full-time team members like a security focused IT guy or or someone who might be doing some of this work as well. And additionally, we do see other organizations may just be performing pen-testing activities but don't really have teams dedicated to that purpose where they may not have checked that block. You know, 37% of our respondents reported that their staff has three years or less of experience with pen testing. And we see that really aligning with the ongoing skill shortage in the cybersecurity field in general there's just not enough professionals to go around. And those that do exist can be very expensive to pick up and retain. And when we look at when we should have an internal organization doing their own pen testing, you know we have some different things to consider, size of industry, maybe risk or revenue to the organization. And more and more often, we see this as being a risk related decision that has to be made as we look at our business operations instead of just looking at the size of our organization or the industry that we're in. And we touched on that a little bit earlier as well.
2. Long-Term vs Short-Term
It's important to consider that also if you want or need to have these skills longer term, you know if you look out one year, three years, five years are you still going to need these types of skills inside of the organization? And that may help make that decision as you, and, you know kind of peanut butter spread that cost out over time. Are you better off having some internally skilled people that can do some of this work? One of the industries that we see often being overlooked is manufacturing and it's important that we want to be testing our products throughout our development processes. So if I'm going to drop out a new widget, you know more often than not these days there's some kind of integration with it network SAAS based application to control it from your phone. What have you. And all of those are the things that we need to be considering as areas that we need to pen test inside of our products. You know, just not even thinking about SCADA and ICS and industrial controls how might somebody get access to my manufacturing floor to mess with the machine or get access to my HVAC to mess with our industrial controls and maybe shut down a factory for a time being and the kind of revenue impact that those things can have. I'm not even considering into the safety aspect of it and what can be done as damage inside of our organizations.
- [Brian] Great. Thanks, Bob. What about third-party pen testing, obviously not all organizations have decided to invest in in house team or, or necessarily have the the resources to invest there. What did the survey results show with regard to the third-party pen testing service providers
Third-Party vs In-House
1. In-House Teams May Catch Vulnerabilities Faster
- [Bob] The frequency of conducting those third party pen-tests align pretty well with our overall testing rates that we saw in the survey with the majority of respondents only using pen-test services annually you know, third-party teams are heavily used when a pensioner penetration tests are conducted, though with over 66% noting that they use some kind of third party teams for at least part of their testing efforts. And ideally, you know, organizations utilize both in-house and third-party services. Those internal pen testing teams are great for ensuring and standardized testing. As Chris was talking about, where's your block of objectives? Where's your block of time? We finished that block and we move on to the next one just like we're continually looking for missing patches and we're continually looking for, you know misconfigurations and those different things as our it environments are constantly changing. Those small mistakes can really open up an attack vector that, you know you may not think that patch is a really big deal to CVSs score is not that high but if I can compromise it, where can I go now, as I pivot into the org and having those ongoing tests from in-house teams can uncover these security weaknesses faster.
2. Third-Party External Objective Mindset Offers Fresh Perspective
Then we can pull in those third-party experts for providing different skillsets, alternative views different sets of eyes to look like the way different threat attacks might come from different threat actors, respondents frequently cited that external objective mindset as a reason for why they utilize those third-party test teams with a 63%.The desire for having that fresh perspective may also help explain why organizations frequently change those third-party teams with over three-quarters indicating that they shift to a new team every two or three years. And it's not mandated that I seen by any real specific compliance requirements but rotating those teams between at least a couple of firms is usually considered to be a best practice bringing in that different set of eyes. Again, your internal team to your external team. You may have an external team that's super skilled at certain areas or they have different ways that their methodology works and having that ping pong to another third party vendor. Now it brings in a different set of eyes a different methodology thinking like different attack groups and can uncover things that the other team may have missed just because of how they do things.
- [Brian] Thanks, Bob. So let's talk about remote work, right? What, what's the majority of organizations shifting most of their employees to remotely base? What kind of impact did that have on pen-testing?
The Impact of Remote Work
1. Extended Network Perimeter
- [Brian] COVID-19 really impacted organizations in every industry and depending on how your business was structured, you know it could have been in different ways. One of the most common of course was the huge shift towards remote work. This increased our attack surfaces, you know it extended our network perimeter and it presented us with a lot of new cybersecurity challenges. And many organizations had to make this transition really rapidly, which, you know, add a lot of ways that things may have been overlooked or we're going to do it quick to get things going and then we're going to come back and maybe we forgot to come back and do some of the things that we would normally do if we were deploying people internally, you know not everybody was in an org where users are just sitting there with a laptop and they could say don't come back tomorrow, keep your laptop at home. You know, people were using personal machines they're trying to get on their home wifi and not every organization, you know really provided a lot of guidance to their users on how to best protect themselves. Now in this remote work climate that we're in it is encouraging to see that the most increased emphasis was on network security tests. You know, given how many remote connections a lot of organizations have. You know, this is really a good thing to be taking a look at and verifying and just making sure you know, what you have we're potentially opening up more portals to our org than we used to have because we want to make it easy for our remote employees to do their job. And we're starting to see those threat actors shifting their priorities to take advantage of these new things, focusing on VPN connections other types of network attacks, you know everybody has been reading about the big new issues with the exchange compromises and running these external tests to check our perimeters is more and more important. Now over time. And Chris, from your perspective, you know, on the CSO side what are some of the things that you've had to deal with now with this huge shift to remote work in the last year?
2. Visibility & Trust
- [Chris] I would say a couple of things that are top of mind. One is visibility. You know, depending upon the tool sets you have visibility it may have gone dark for for your organization. And some of the peers I speak with that's been one of the larger challenges not only from a support standpoint, but Bob as you mentioned, you know what's connecting to my network now, is it a corporate PC? Is it the home PC? What what's sort of happening there, traditional management you know, it administration traditional it management you know, there's a greater focus on kind of the would say modern approach for administration, as opposed to the traditional or legacy where you need to be plugged in on the network to get your updates. You need to be plugged in the network to get your AAV updated or to get the GPO question or whatever it may be and understanding what what does modern it administration look like in in a highly remote workforce? Another area is trust. And I think this one is a little bit interesting in that lots of questions have come up that I could not have envisioned that would have come up. But one of the things that that you do see is not only are people working from home but they're also working from alternate locations and they're maybe working different hours and there might be accessing new systems that you're also implementing while everybody's remote. And so to have a trust model that again matches kind of a legacy mindset of everyone's going to be in the office from eight to five. And if you log in from home at 11:00 PM, that looks suspicious. And so we should raise an alert. That's not necessarily the case anymore not to say that's right or wrong from an employee work culture perspective, but more of just a fact from a monitoring and it environment. And what does that look like today? And so those areas definitely play into thinking through what does the future hold?
3. Reinvent Practices, Rather Than Take On-Prem Norms to Remote Work
The phrase hybrid is definitely overused. I would say, however, it seems to be more of a stepping stone than a destination. Now you can see it post Solloway wins with Microsoft's guidance and Cece's guidance and everything is try to get everything to the cloud get rid of on-prem, you know, rely upon, you know greater infrastructure than you can possibly maintain and could see that there will be a duration of focusing on hybrid quote unquote model but then once everything's modernized in the cloud then you can have remote employees completely disconnected and basically over the wire, update them through an agent. And that's it. You don't have to worry about traditional joining the the device to a domain, even though that would happen through pressor and processes and things like that. But, you know really kind of thinking about things differently not trying to take traditional on-prem to the re remote workforce, more of just thinking if I'm a blank whiteboard, what do I need to get done? How can I get it done? And then execute on that as opposed to trying to lift and shift has really been a topic of the conversation I've had, not only with my peers here at HelpSystems systems, but also with others as well, that in order to, to move forward, the more that we can think about the modern setup of an it administration, which at the end of the day, there's gonna be a tremendous amount of overlap between it administration and security needs the easier it's going to be for everybody, the more agile everyone's going to be able to be, and that's, it's gonna be less overhead. And, and hopefully it's going to be less risk for for all of us as well.
- [Brian] Thanks, Chris. Let's let's shift and talk a little bit about pen-testing tools. We had mentioned earlier. I think everybody knows there's a big skills shortage in this space and organizations have, as a result had to lean more on technology to help Bob can you share a little bit about the types of tools that organizations are using?
Pen Testing Tools
1. The Overlooked Need For Good Reporting
- [Bob] Sure nearly all of our respondents indicated that they use some type of penetration testing tools 65% noting that they used both free and paid tools and services. And this falls in line with, you know a very common practice of multiple tools to meet different needs of what it is that you're going after and using a combination of both those open source or free tools. And the commercial tool sets aligns with the 69% of respondents that indicated cost is really an important consideration for them when they're out choosing their toolset and using this big variety of tools also appears to be a practical solution. You know given how important the different features were when people noted how they're evaluating these tool sets there's a wide range of features that respondents considered important depending on what it is they have to doing. When they're looking at these pen-testing tools, you know among the most desired of course were automation, capabilities, testing templates big libraries of threats that they can go after it. Multi-vector testing capabilities, so, network, client, user side web application, phishing, wifi all the different things that might be out there, you know bubbling up to the top was reporting the 71% of respondents listing it as a really important feature that could be due somewhat to compliance. But, you know, often everybody knows that the testing is fun. The reporting is hard and being able to keep up with things as you go and build the reports can be pretty time-consuming and getting maybe engineers that are really good at the keyboard to also be really good at writing in executive level summary so that you can bring that data up to the executives. You know, that's not always a great match there and good reporting inside of your tools can really streamline things considerably when you're doing tests especially if you're doing them on a regular basis.
2. Importance of Delegation for Experienced Testers
We also see pen testers across the industry that really liked their different tool sets. Oftentimes, we see those tools move with the testers more than the organizations deciding, you know, Bob you're going to go use this. I'm going to find what I like. I get really good at it. If I go to another organization more times than not I'm going to take the tools that I like with me and start to implement them implement those now at my new org. And it's important to keep in mind that those human elements of pen testing, can't just be replaced by tools. You know, we like our pen test people to be able to think outside the box, take over different tasks over time you know, use that brain power to think about how an attacker might compromise us and maybe not use that brain power so much to go out and perform fingerprinting on 10,000 systems inside of organization. So, you know, having integrations with other tools sets tools that can work together, different vulnerability scanners different reporting solutions can really help a lot then where we can. We even want to be able to automate some of these processes. So use our testing people wisely. So rather than having them do some of these mundane tasks are the things that we can automate and allow them to be done much more efficiently for our experienced testers and be able to do that so that they can focus on bigger and better things or maybe be able to hand some tasks down to some of those more junior testers from that earlier slide where we see the level of experience being so much lower you know, giving them ways to more effectively do their jobs with that mentoring ability of the people with much more experience. And I think that's where we, I really love my favorite tool you know, core impact where I have built in reporting. I have built in automations, but I also have that manual control where if I to do specific targeting I can do that as an experience tester. But if I want to hand off to my junior guy just go out and fingerprint this segment of the network for me and get that out of the way so that I know what I'm going after as targets they can be taken on those responsibilities, you know using built in automations and workflows that, you know point them in the directions that they need to go. And Brian, I think this is all we had for a results survey slides today. So I'm going to pass that back to you, I think.
Q & A
- [Brian] Yeah, thanks. I appreciate the core impact plug there at the end. Thanks Bob. At this point, we're going to shift to the Q and A portion. It looks like we have had a couple of questions submitted already but if you have any questions please feel free to submit it in the questions tool bar now and we'll try to cover as many as time will allow. So it looks like there's been a couple of questions on if the results of the survey will be made available in in some form or fashion. And the answer is yes, we will be sending out a copy of the survey results to all the registrations set to this webinar will also be a link to a recording of the webinars as well. So look for that later this week. Okay. Let's see some other questions. We've got a question. Maybe Bob, you can take this one. What safeguards do you need to have in place to make sure ethical hackers stay ethical?
1. What safeguards do you need to have in place to make sure ethical hackers stay ethical?
- [Bob] Yeah. Thanks Brian. That's a great question. And I think Chris touched on some of that, you know earlier we really want to as we turn up these engagements, you know have some definition around what it is we're going to do where we're going to do it, and who is going to be overseeing this process, you know, from a managerial or project management type of a side from the systems. So getting a defined statement of work type document together, whether or not you're using an internal or an external team is going to allow you to define what the rules of engagement are. So what systems am I allowed to target? What systems do I have to stay away from? Because I can't knock down maybe a critical service inside of production, or I have to do it at a certain time window. And where do I have to stop? You know, Chris mentioned something about, you know I might be sitting next to the person that I just found information on. You know, when do I have to stop now? You know, tell management, Hey, I got this far, I got to the employee payroll sheet. You know, I didn't open it because I'm not supposed to be doing that. I'm just supposed to tell you that I found it. You know, those types of things are critically important. And let us define, you know, what type of testing that we want to have if we're going to be effective with our time of course, you know, we need to have some kind of oversight someone who's going to get these results and bring them up to management and make sure that they're acted upon in an effective manner. So being able to manage the time around these test. Especially critical if you're paying for somebody external because of course you're going to be paying them by the hour most likely, or if we're on the internal side, you know, as Chris mentioned we don't want to just set somebody off for six months and say, see what you can find. We want to give them some objectives around our critical systems and expanding our scope then wider and wider to make sure that we're effectively using their skills and capabilities.
- [Brian] Great. Thanks, Bob. Looks like another question just popped in here. The question is, and maybe Chris I'll give you a heads up on this one. Maybe you can take this. So what is your thought on continuous security testing. As we mentioned many companies are asking people to work remote will continuous assessment keep the network safer from those home devices?
2. Will continuous assessments keep the network safer from home devices in respect to remote workers?
- [Chris] Well, I think it depends upon the scope here about continuous testing. I think what maybe the subject of the question is getting into is, you know how are you monitoring all the end points that are remote and no longer being connected that actually might bridge the gap between in testing and more monitoring type solutions whether it's endpoint protection solutions whether it's an MDR type solution but having more visibility about those systems in place because you have a remote worker it can't really pen test the remote worker, however on the corporate infrastructure, if you will, wherever it's at a data center anything that you have in the cloud, I think anything that you can do to more regularly assess those. I think that that makes sense, whatever that monitoring whatever that testing looks like. I think it definitely does make sense but without knowing your environment and the type of data you have and everything that's hard to put together a strategy for it. So I would say first and foremost, just follow the risk follow the data where it's at, and then use that to inform and set a schedule of how you're going to test. And maybe the testing, again, isn't specific pen testing but maybe it's a different type of vulnerability monitoring of certain assets.
3. What are best practices when it comes to selecting the right vendors to work with?
- [Brian] Right? Thanks, Chris. I'm going to pick on you again here. Any best practices for selecting the right vendors to work with and ensuring it's not just another vulnerability scan. That's a good question.
- [Chris] So first and foremost, I'd say you're you're hiring a team, not a company. So the companies they're they provide the insurance and the overhead and all that. Of course they provide the employees but at the end of the day that's going to be the team that does the work that is going to provide the benefit to you. You can work with two different teams from the same company out to you, vastly different results. So first and foremost I would encourage you to interview potential team members that would be testing your environments. I'd also encourage you to document your requirements. So an RFP use that outline the rules of the road how much time you think it's going to be what are the objectives, things like that so that you can talk on the same page with the different parties that you're entertaining to complete the work for you. And also the third piece that I think sometimes is over often overlooked is what does a report look like? And is it going to meet your needs as far as output go? So just not another vulnerability scan you don't need a hundred page output of Nessus or rapid seven or whatever the vulnerability scan tool is going to be needed. A distilled report that it's not noise, but of knowledge. If you will, about your environment that is not false positive saying these are the 30 issues we found. Here's a potential impact. Here's, here's some potential recommendations. How do I address? So you need things that are more actionable for you and that's going to get you more quickly to address any potential issues in your environment.
- [Brian] Okay. Thanks, Chris. Keeping an eye on the clock here. I do want to get folks out or a little early here. So any other additional questions we will actually follow up with you separately but I do want to say thank you again to Chris and to Bob for sharing your time and your expertise today. Really appreciate that. And also thank you to all of our attendees for joining us today. And that'll end today's webinar. We hope you have a great rest of your day. Thank you.
Learn more about penetration testing trends
Read the 2021 Penetration Testing Survey Report