Every IT department faces the challenge of having to apply limited resources (headcount, technology, third-party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?
I recently attended a security conference and watched a presentation from someone who was more of an app developer than an InfoSec person. He proceeded to lay out some guidelines on how to perform application security testing and had lumped a vulnerability testing phase (automated scanning) with a penetration testing phase, as if they were somehow equal or interchangeable. I was horrified at the comparison.
Is this really what people think about penetration testing? Has the industry stooped so low that penetration testing is now synonymous with automated vulnerability assessment puppy mills?
Do you trust your data security to any third-party security assessment company who just basically runs an automated vulnerability scanner against your external hosts?
You may think you’re getting a good security assessment from any company, but I’m here to tell you that that is a very dangerous assumption, especially based upon my own recent personal experiences. Security assessments, from social engineering to penetration tests, are not a dime a dozen, but they do follow the same mantra: “you get what you pay for.”
In order to perform an effective and thorough security assessment, you have to have the right people behind the machines: people who are passionate about finding issues and are there to help you secure your data, not just some puppy mill cranking out automated reports.
The people behind the machines have to know how to test and what to look for during testing. They have dozens of tools to assist them. They have to know how to manually exploit vulnerabilities, which involves a lot of customization. Penetration testers have to know how to configure exploit attempts, how to read and write HTTP requests and HTML responses, how and where to insert malicious content, how to write custom exploits, and how to write scripts for automating certain types of attacks. It’s not about just running any automated tool; tools have to be set up correctly, configured with the proper settings, and they don’t catch everything! If you don’t know what you’re doing, then many exploit opportunities will be missed and your external sites remain exposed and vulnerable – and you receive a false sense of security.
Case in point – Recently, my son applied online to a company for an internship. Actually, I had filled out the application. Weeks later, while running a vulnerability assessment, I happened to click on the link of my son’s application. The completed application was still there (keep in mind there was no authentication required to fill out and submit an application). So I removed the token line in the URL, and the application, with all of my son’s personal data, still came up. Then I found that by simply manipulating the userID code, I could see anyone’s application: all their incomes and past employers, emails, phone numbers, etc.; anyone who had ever applied to the company. Literally, personal information of thousands of applicants from across the country was exposed.
I contacted my son’s company; they responded right away and had a fix the next day. Excellent! The sad part of this story however is that the company stated that they had a local “IT Security” company perform a penetration test very recently. Obviously, some very serious and easily detectable issues were missed. The company had no idea how easy it was for someone to come along and scrape personal data from their website; they were reasonably, but falsely, comforted that they were secure.
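As an added example (not Redspin’s code, nor the affected company’s), here is the access-control flaw from the story written as a record lookup that ignores its token, beside a hardened version that treats the token as the credential, plus a server-side check for the id-walking the flaw allowed. The store, tokens, ids and log lines are all constructed.

```python
import hmac
import re
from collections import defaultdict

# Constructed sample store for the example: application id -> (capability token, data).
APPLICATIONS = {
    1001: ("tok_a1b2c3", {"name": "Applicant A", "income": "constructed"}),
    1002: ("tok_d4e5f6", {"name": "Applicant B", "income": "constructed"}),
}

def fetch_application_vulnerable(app_id, token=None):
    """Looks the record up by its sequential id alone; the token is decorative,
    so dropping it or changing app_id exposes any applicant's data."""
    entry = APPLICATIONS.get(app_id)
    return entry[1] if entry else None

def fetch_application_hardened(app_id, token):
    """Treats the token as the credential: returns the record only if a token was
    supplied and matches the one issued for that id (constant-time compare).
    Rejecting a missing token closes the 'remove the token from the URL' hole."""
    entry = APPLICATIONS.get(app_id)
    if entry is None or not token:
        return None
    expected, data = entry
    return data if hmac.compare_digest(expected, token) else None

# Constructed access-log lines (client, method, path, status) for the detector.
SAMPLE_LOG = """\
203.0.113.9 GET /application?userID=1001&token=tok_a1b2c3 200
203.0.113.9 GET /application?userID=1001 200
203.0.113.9 GET /application?userID=1002 200
203.0.113.9 GET /application?userID=1003 200
198.51.100.4 GET /application?userID=2044&token=tok_zz 200
"""
LINE_RE = re.compile(r"^(\S+) GET /application\?userID=(\d+)(&token=\S+)? (\d{3})$")

def find_enumeration(log_text, threshold=3):
    """Flags clients that successfully fetched several distinct userIDs with no
    token: the id-walking pattern from the story, seen from the server side.
    Returns {client_ip: sorted ids} for clients at or above the threshold."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, uid, token, status = m.groups()
        if token is None and status == "200":
            hits[ip].add(int(uid))
    return {ip: sorted(ids) for ip, ids in hits.items() if len(ids) >= threshold}
```

The detector is the kind of check an automated scanner will not perform for you: it only finds the pattern if someone reviews the logs of a site that already has the flaw.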
Whether it’s penetration testing, social engineering, HIPAA security risk assessments or any other type of vulnerability assessment, companies should perform some measure of research before hiring third-party security companies to perform these assessments. It’s important to be sure that the people behind the machines are experts in their fields, and that the company itself has a good, long and reputable history.
At Redspin, we hire world-class security engineers. Our security engineering staff are authors, CTF winners and con presenters, and have on average 18 years of IT experience. Redspin as a company has a 15+ year proven, successful track record. Redspin is a company you can count on to deliver professional and thorough security assessments.