Charles Horton, Author at NetSPI

How to Maintain Secure Social Interactions When Returning to the Office
https://www.netspi.com/blog/executive-blog/social-engineering/office-social-engineering-cybersecurity-tips/
Wed, 07 Jul 2021 12:00:00 +0000
Read tips for preventing social engineering attacks as your employees return to the office.

The post How to Maintain Secure Social Interactions When Returning to the Office appeared first on NetSPI.

At the onset of COVID-19, many organizations went from protecting a few offices to protecting hundreds or even thousands of satellite offices as employees headed home to work. IT and security teams were challenged to quickly – and securely – enable their colleagues to work outside of the office perimeter.

According to a recent Glassdoor survey of employed U.S. adults, 72 percent said they are ready to return to their company’s office, with 45 percent expecting to return to the office in some capacity this summer. 

What does ‘in some capacity’ mean? Well, the pandemic has reimagined where and how work gets done. PwC’s US Remote Work Survey found that employees are anticipating a hybrid work model, in which they will be required to go into the office no more than three days each week. The growing hybrid workforce brings its own IT and security challenges, including managing security patches and updates, ensuring security within home environments, and monitoring user behavior.

In a CIO round table discussion, Microsoft security architect Wayne Anderson pointed to user behavior as one of the biggest cybersecurity risks of today’s hybrid workforce. I couldn’t agree more. As with any crisis, the COVID-19 pandemic has created a great deal of confusion among employees – and in turn an increase in social engineering attempts. Just look at the results of the 2021 Verizon Data Breach Investigations Report. Over the past year, 85 percent of breaches involved a human element, and social engineering attacks topped the list of attack patterns.

Social Engineering Definition

Now, the hybrid workforce and the imminent return to the office present new opportunities for sophisticated social engineering attacks. Successful social engineering scenarios could include:

  • A malicious link or attachment embedded in emails outlining realistic return-to-office protocols.
  • Contacting the help desk to enroll a new multifactor token for the VPN.
  • Gaining physical access after an attacker convinces the office manager or colleagues that it is their first day at the office.

To help prevent employees from falling victim and maintain secure social interactions, here are five considerations to pay close attention to:

  1. The hiring process did not stop over the past year. When your employees return to the office, there will be new faces and names. During this time of transition, there should be a heightened sense of awareness for your physical security. Remind employees of physical security protocols and have an established method of identity verification to confirm employment of new faces. Follow the same identity verification methods regardless of the communications channel: phone, email, and in-person.
  2. Audit your physical security procedures. Who owns physical keys to the office space, access credentials, employee badges and ID cards, etc.? Audit who has access to what and ensure you disable access that is no longer needed.
  3. Practice the principle of least privilege. Least privilege means enforcing the minimal level of user rights that allow an employee to perform their role. For example, marketing should not have access to client financial data. Restrict access for each employee to limit the breadth and impact of a social engineering attack.
  4. Allow only authorized devices on your corporate network. As people go back and forth from home offices to corporate offices, ensure that personal or BYOD (bring your own device) devices are enrolled into your IT asset management program and only provision access where necessary.
  5. Regularly test your employees with social engineering penetration tests. Real adversaries attempt to trick employees into exposing sensitive information every day. Make sure your employees are receiving the proper security awareness training and understand your organization’s procedural security controls. Social engineering penetration tests can include phishing assessments, vishing assessments, and on-site social engineering. 

NetSPI’s social engineering security consultants practice empathy and collaboration during every assessment. Empathy is critical in social engineering because it is important to recognize that the employees being tested are human, and social engineering aims to manipulate human behavior. It is imperative not to punish an employee for clicking on a malicious link; rather, inform them so they can correct the behavior in a proactive, positive way. Collaboration is key to a successful engagement. At project kick-off we work with our clients to identify key social engineering scenarios to avoid, as well as employees who should or should not be targeted.

While user behavior may be one of the biggest risks to a hybrid workforce, it is also one of your greatest assets to defend against adversaries. If you can inform employees on how to practice the best behaviors to prevent social engineering attacks, you will stay one step ahead of adversaries at a pivotal point in time: the return to the office.

Work with NetSPI’s pentesters to prevent social engineering attacks.

Ransomware Resiliency 101
https://www.netspi.com/blog/executive-blog/ransomware/ransomware-resiliency-101/
Tue, 29 Jun 2021 12:00:00 +0000
Learn how to achieve ransomware resiliency as the impact of ransomware attacks increases.

What is ransomware?

Ransomware is a type of malware, or malicious software. When infected with ransomware, organizations lose access to their systems and data, and cybercriminals demand a ransom in exchange for releasing the data. In more technical terms, adversaries encrypt your data and demand a specified sum of money for the decryption key. Typically, a ransom note pops up on a computer explaining the terms of the ransom, including the cost, form of payment, and deadline.

Not only is the threat of ransomware growing, but the impact of ransomware is also increasing. Attacks are becoming more sophisticated, and requested payments are getting larger. Here are five key ransomware trends to pay attention to right now:

Ransomware trends:

  • The ransomware-as-a-service (RaaS) model is on the rise. With RaaS, attackers do not write the malware, they purchase and spread it. Commissions are paid to the developers for the use of the malware.
  • Remote worker entry points are being targeted much more, including remote desktop, employee access gateways, and VPN access portals.
  • Operational technology is a prime target. According to IBM Security X-Force, 41% of all ransomware attacks targeted organizations with operational technology (OT) networks.
  • Email phishing, admin interfaces, and exploits are common entry points, and drive-by downloads (malvertising, forced downloads, or browser exploits) are becoming more popular.
  • Many threat actors that deploy ransomware attempt to disable backup/recovery capabilities, so victims are forced to pay if they want access to their systems and data.

Is my organization a good target for ransomware? 

Every organization is susceptible to a ransomware attack, but there are a few considerations to be aware of that may increase your chance of falling victim. 

  • Are you in an industry that is frequently targeted by ransomware? It’s common for ransomware families to target multiple organizations in a particular industry, given that the attack surfaces are similar.
  • Does your organization prioritize security? There are a few industries that have notoriously underfunded security programs, including higher education, startups, and small businesses.
  • Does your organization store and manage high-value data? The higher value the data is, the greater the appetite for ransomware attacks. It’s more likely an organization will pay the ransom to get its data recovered if the data is extremely sensitive. Read: Healthcare’s Guide to Ryuk Ransomware.

How does ransomware work?

Step 1: Getting in | Adversaries can get into a network in numerous ways. Here are four vectors used to gain initial access:

  1. Phishing links and attachments.
  2. Using weak or default credentials to log into single factor remote management interfaces and desktop platforms such as Citrix, Remote Desktop, and VPN access points.
  3. Exploitation of common security vulnerabilities, including SQL injection, broken authentication, broken access control, and insufficient logging and monitoring.
  4. Unintentional download and execution of malware through obfuscation and/or social engineering techniques (drive-by downloads, malvertising, forced download, or browser exploits).

Step 2: Privilege escalation | Once in, adversaries work to exploit bugs, design flaws, or configuration oversights in an operating system or application to gain access to protected databases, file shares, and business sensitive data.

Step 3: Find and exfiltrate sensitive data | Attackers leverage well known techniques to quickly identify servers that may contain sensitive data and upload the data to systems on the internet. 

Step 4: Ransomware deployment | Now it is time to deploy the malicious ransomware code. Ransomware can take many forms, including: locker (uses screen locking to block basic computer functions), wiper (deletes files on a timer), or crypto (encrypts important data and often includes a kill switch to delete data if the ransom is not paid by a specific time).

Step 5: Get paid for the decryption key | Ransomware attackers often request that the ransom be paid in Bitcoin. Once paid, the likelihood of recovering the money is low. Even when money is returned, you’re not likely to get all of it back. For example, in 2021 the FBI recovered $2.3 million of the $5 million from the Colonial Pipeline attackers.

Step 6: Extort additional money by threatening to publish exfiltrated data | Adversaries exfiltrate sensitive data early in the ransomware deployment process so that, even if a ransom is paid, they can continue to threaten the organization and make more money.

Should I pay the ransom?

This is not a yes or no question – it depends on the industry regulations, the complexity of the situation, and the business risk. Payments entice bad actors and enable ransomware attacks to continue. Right now, no one is outright prohibiting direct ransomware payments or ransomware insurance claims. If we do not see new regulations restricting ransomware payment, hopefully, we will see governments offering some subsidies to small and medium businesses that can’t afford to partner with security firms but may be considered high-risk targets. 

Best practices for ransomware protection

While we wait for the global cybersecurity community to work toward a solution, organizations must get proactive about their cybersecurity efforts. Here are seven best practices to follow to protect your organization from a ransomware attack: 

  1. Employee awareness, namely phishing prevention and education. 
  2. Limit your external attack surface. Evaluate what you expose to the internet.
  3. Access management: Multi-factor authentication, strong passwords, and least privilege.
  4. Review and test your data backup plan often.
  5. Perform regular penetration testing to identify and remediate your vulnerabilities.
  6. Put your incident response plan, crisis communications and management plan, and business continuity plans to the test.
  7. Practice ransomware resiliency. The more proactive your security efforts, the better you will be able to prevent, detect, and recover from a ransomware attack. Download NetSPI’s ransomware prevention and detection checklists.

While we wait for the global cybersecurity community to work toward solutions, ransomware resiliency planning is going to become a priority for everyone. For more detailed insight on ransomware attacks, how ransomware works, and how to prevent and detect ransomware, download our Ultimate Guide to Ransomware Attacks.

What Does Application Security “as a Service” Really Mean?
https://www.netspi.com/blog/executive-blog/application-pentesting/application-security-as-service/
Tue, 23 Feb 2021 07:00:39 +0000
Discover the value of application security as a service as a core part of your penetration testing program.

The term “as a Service” is fairly straightforward, yet its meaning and value can vary. Formally defined, as a Service refers to a subscription-based delivery model designed to give customers maximum flexibility with little to no overhead. The same concept applies in cyber security, where we often see a vendor managing a particular piece of technology for a customer, frequently bundled with services.

The as a Service delivery model has seen a tremendous evolution over the years and now takes many forms, from the foundational Software as a Service (SaaS) to the emerging Penetration Testing as a Service (PTaaS) – and there’s even a term for Anything as a Service (XaaS). The adoption of the delivery model continues to expand. Analysts expect the market to grow 24% by 2024 and Gartner anticipated that all new software providers and the majority of existing vendors would offer subscription-based business models by the end of 2020.

NetSPI recently launched Application Security (AppSec) as a Service to help organizations manage and mature their application security programs. To navigate the evolving landscape and better understand its value, this blog explores what it really means to deliver something as a Service and why an as a Service partnership for application security is valuable.

Four core attributes of an ‘as a Service’ partnership

It’s important to note that purchasing something as a Service does not necessarily mean that you are outsourcing that product or service to a third party. The terms are often used interchangeably; however, they differ greatly. Recognizing the differences between outsourcing and entering an as a Service partnership is key to understanding the true value of the delivery model.

There are four key components that define an as a Service offering and contribute to the success of the program. The core attributes of an as a Service partnership are as follows:

  1. Collaboration: A successful partnership enables collaboration and information sharing between vendor and client on a much deeper level. Because the vendor should serve as an extension of a client’s team, they receive internal context that allows them to provide the needed technical depth, while also driving efficiency through technology innovation.
  2. Scalability: The ability to scale up or down to meet capacity and performance requirements is core to an as a Service partnership. It is essential for your vendor partner to work with you to forecast capacity needs and allocate necessary resources. Vendors should not only have the capability to scale up during a time of need, but also to redirect capacity to other areas at times where demand is less significant.
  3. Automation: Process automation helps free up your team members’ and vendor partners’ time to focus on more strategic initiatives. Any as a Service offering should incorporate some level of automation. For example, with NetSPI’s AppSec as a Service, automation and tools are deployed to support manual testers in finding application vulnerabilities that tools alone cannot.
  4. Continuity: Relationships such as an as a Service partnership need to be continuous to be most effective. Having continuity in your vendor partnership allows for greater understanding of business processes, the threats an organization is most likely to face, and techniques for preventing cyber-attacks. A long-standing relationship also supports trending data collection to track progress over time.

The value of Application Security as a Service

When I talk about an “as a Service partnership”, I mean that NetSPI, a partner, is working inside of a client’s program as an extension of their team.

With an AppSec as a Service partnership, clients gain dedicated technology and leadership that supports a scalable team of application security testers. It is a modular and scalable approach to application security comprised of multiple components that may be deployed as a complete program or individually, integrating with existing processes and technologies. We invest significant time, resources, and budget into onboarding our experienced consulting team into the client environment where there are specific nuances and requirements. Oversight and crosschecks are done to ensure expectations are met, to identify areas within the parameters of the project that may require more attention, and to report back to the client-side leadership with findings we uncover.

Throughout the partnership, there are touchpoints at the executive, technical, and project levels. At the executive level, we look at the metrics, communications, and structures in place to align to the program thematically. At the technical level, there is collaboration around process, technology toolsets, and ways to automate in a high-volume environment. And at the project level, we evaluate our resource planning, communications, and alignment with the client-side team.

There are many ways an organization can benefit from an as a Service partnership for its application security program. Here are a few to note:

  • Add context to an environment. AppSec as a Service enables organizations to gain context inside of their applications by deepening their insight through technical testing and collaboration. The delivery model helps both client- and vendor-side teams better understand the attack surface to target its weaknesses.
  • Reduce time managing expectations. Create more meaningful touchpoints inside of an organization and build trust by not having to manage multiple vendors doing different things through different processes. Having one single source of truth for all application security activities, one that is nevertheless integrated into your program, eliminates chaos around remediation.
  • Support during staffing shortages. My colleague Florindo Gallicchio said it best in his 2021 predictions. He wrote, “Cyber security leaders will be challenged by filling roles that require candidates with mid- to senior-level experience – and entry level job openings will continue to be in high demand. Because of this, companies will need to do more with fewer people. This will result in increased adoption of program-level partnerships with third parties or using vendors to fill in-house positions at scale.”
  • Identify the right metrics. Goal alignment is clear-cut with AppSec as a Service, given that the vendor is aware of the day-to-day application security activities, has a direct line of sight into the goals and objectives of the program, and understands a business’s most valuable – and vulnerable – assets. Given this enhanced insight and context, your partner can help identify which metrics to track to communicate program progress and Return on Investment (ROI) to the leadership team.

Whether it is application security, penetration testing, software, infrastructure, or anything else, an as a Service delivery model can provide immense value to any organization. As these offerings continue to evolve and more vendors jump on the as a Service bandwagon, use the above criteria to evaluate potential providers and ensure you’re getting the most out of your relationship.

Learn how NetSPI can help manage multiple areas of your application security program with AppSec as a Service.

AWS versus Azure Cloud Testing: Understanding the Differences
https://www.netspi.com/blog/executive-blog/cloud-pentesting/aws-versus-azure-cloud-testing-understanding-the-differences/
Tue, 26 Jan 2021 07:00:07 +0000
If your organization is currently leveraging the cloud, there’s a good chance you are either using Amazon Web Services (AWS) or Microsoft Azure.

If your organization is currently leveraging the cloud, there’s a good chance you are either using Amazon Web Services (AWS) or Microsoft Azure. Together, these two products make up 51% of the market share for cloud service providers. Given the way many cloud adoption programs operate, you might be using both. No matter which platform you’re on, it is important to note that each cloud provider has its own security considerations.

First, we should cover some background around cloud computing and security. With traditional on-premises models, security teams have access to established tools, technologies, and methodologies for dealing with security events in the environment. The cloud, on the other hand, has relatively fewer security tools, resources, and established procedures available, as well as an overall higher probability for data to be exposed if a mistake is made.

As organizations migrate their resources from on-premises environments to the cloud, significant “technical debt” may also accrue, meaning there may be a lack of understanding around the technical aspects and security risks of the cloud environment. Nevertheless, organizations continue to migrate to the cloud, as its benefits often outweigh potential security concerns. Among the top reasons for cloud adoption are access to data from anywhere, disaster recovery, flexibility, and relieving IT staff workloads. These benefits, among others, are why organizations pay and trust cloud providers to host and manage their data and applications – but should they rely on the providers for security?

While both AWS and Azure certainly have robust cloud computing security efforts in place, it is important to understand that cloud security is a shared responsibility among providers and organizations. While cloud providers will provide underlying security for the platform infrastructure, the users of the platform still need to securely configure cloud services. This is where cloud pentesting becomes critical to organizations using the cloud.

Cloud Penetration Testing 101

Cloud penetration testing is used to identify security gaps in cloud infrastructures and provide actionable guidance for remediating the vulnerabilities to improve an organization’s overall cloud security posture and achieve compliance. Testing can differ between cloud platforms and knowledge of the nuances can help your organization reach cloud security maturity.

There are three main components to NetSPI’s cloud pentesting methodology:

  1. Internal Testing: Testing the internal networks and services, much like you would an on-premises data center or network, for internal virtual network vulnerabilities.
  2. External Testing: Testing any services that may be exposed to the Internet: services that are fully run and operated by the cloud provider, like Azure App Service, or any network services that may be externally exposed through virtual machines or firewalls.
  3. Configuration Review: An analysis of the services that are being used in a specific cloud provider to identify misconfigurations, enumerate available services and the network architecture, and learn how everything is being implemented inside of the environment. Notably, configuration review informs internal and external pentesting engagements.

For an introduction to cloud pentesting watch this webinar: Intro to Cloud Infrastructure Penetration Testing.

AWS versus Azure Cloud Pentesting

From an external and internal network pentest perspective, AWS and Azure are fundamentally similar. Some may argue that one or the other is slightly more likely to have external issues arise, but where AWS penetration testing and Azure penetration testing differ greatly is in the configuration review process. Given that they are two separate platforms, they will have different approaches for services configuration.

Let’s start with Azure. As part of the migration to Azure, the on-premises Microsoft network, users, and groups (commonly tied to Office 365) are all transitioned to Azure Active Directory. As this happens, it can create situations where users from the on-premises environment are given direct, or indirect, rights to resources in the cloud. Whether or not users or administrators are aware of it, these accounts are now targets for attackers, since an attacker might have an easier time going after a non-administrative account from the internet.

While AWS can integrate (or federate) directly with Active Directory, AWS has its own Identity and Access Management (IAM) platform. The IAM system in AWS can be complicated, and if administrators are not careful, they can easily grant exploitable permissions to IAM users through policies and roles. A common target for privilege escalation in AWS is EC2 instances that are configured with excessively permissioned roles. If an attacker can gain access to the EC2 instance, they can use native AWS technology to escalate their privileges in the account.
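To make the “excessively permissioned roles” point above concrete from the reviewer’s side, here is an added example (written for this page, not NetSPI’s tooling) that scans the IAM policy documents attached to EC2 instance-profile roles and flags the grants a configuration review should look at first. The role names and policy documents are constructed sample data; pulling real ones via the AWS CLI or boto3 is left to the reader, and Condition blocks and explicit Deny statements are not netted out, so a hit means “review this”, not “confirmed escalation path”.

```python
"""Flag over-permissive IAM grants on EC2 instance-profile roles.

Added example for a configuration review; not NetSPI code. Input is an
in-memory map of role name -> list of IAM policy documents in the JSON
shape AWS uses. Constructed sample data is embedded below.
"""
import fnmatch

# Well-known IAM/STS actions that let a holder mint or assume further
# privileges. The grouping is this example's own, not an AWS list.
PRIVILEGE_SENSITIVE = (
    "iam:PassRole",
    "iam:CreateAccessKey",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "sts:AssumeRole",
)


def _as_list(value):
    # IAM lets Statement/Action/Resource be a single value or a list.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def classify_statement(stmt):
    """Return a reason string if the statement is over-permissive, else None.

    Limitations (deliberate, to keep the example short): Condition blocks
    are not evaluated and Deny statements elsewhere are not netted out.
    """
    if stmt.get("Effect") != "Allow":
        return None
    if "NotAction" in stmt:
        return "NotAction grant (allows everything not listed): review manually"
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    all_resources = "*" in resources
    if "*" in actions:
        scope = " on Resource *" if all_resources else " on scoped resources"
        return "wildcard Action" + scope
    if all_resources and any(a.endswith(":*") for a in actions):
        return "service-wide wildcard action on Resource *"
    # Action entries may be patterns such as "iam:Pass*"; match them
    # against the sensitive list rather than comparing strings exactly.
    sensitive = [s for s in PRIVILEGE_SENSITIVE
                 if any(fnmatch.fnmatchcase(s, a) for a in actions)]
    if sensitive and all_resources:
        return "privilege-sensitive action on Resource *: " + ", ".join(sensitive)
    return None


def review_roles(roles):
    """roles: {role_name: [policy_document, ...]} -> {role_name: [reason, ...]}"""
    report = {}
    for name, docs in roles.items():
        reasons = []
        for doc in docs:
            for stmt in _as_list(doc.get("Statement")):
                reason = classify_statement(stmt)
                if reason:
                    reasons.append(reason)
        report[name] = reasons
    return report


# Constructed sample: three hypothetical instance-profile roles.
SAMPLE_ROLES = {
    # Scoped to one bucket: nothing to flag.
    "web-tier-role": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-assets/*"}],
    }],
    # ec2:* on everything plus iam:PassRole on everything: two findings.
    "legacy-admin-role": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iam:PassRole", "iam:ListRoles"],
             "Resource": "*"},
            {"Effect": "Deny", "Action": "iam:DeleteRole", "Resource": "*"},
        ],
    }],
    # Full administrative access on an instance: the worst case.
    "deploy-role": [{
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    }],
}

if __name__ == "__main__":
    for role, reasons in review_roles(SAMPLE_ROLES).items():
        print(role, "->", reasons or "no findings")
```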

Each cloud platform’s vulnerabilities can be correlated with the way identity and authorization policies are applied to the different applications and services hosted in the cloud. NetSPI’s goal during a cloud penetration test is to identify these vulnerabilities and show how the issues could be practically exploited in a cloud environment.

Regardless of the platform, investing time to understand your chosen cloud provider and its architecture will help security teams avoid “technical debt”, and be better prepared to efficiently find and fix vulnerabilities in any of the services specific to each cloud provider. Look for an experienced penetration testing company like NetSPI to test your Azure, AWS, or other cloud infrastructures as part of internal testing, external testing, and configuration review.

How to Build a Cyber Security Team with Staying Power
https://www.netspi.com/blog/executive-blog/personnel-development/how-to-build-cyber-security-team-with-staying-power/
Tue, 15 Sep 2020 07:00:58 +0000
Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028.

Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028, much faster than the average for all occupations. Those statistics mirror what we are seeing at NetSPI – a demand for information security professionals to create innovative solutions to prevent hackers from stealing critical company assets or intellectual property.

Twenty years ago, the role of a cyber security professional revolved around securing the perimeter. Today, cyber security has evolved and matured, along with the attack landscape. CISOs are responsible for many things, from preventing breaches and instilling ongoing security and vulnerability management programs, to internal/external leadership and even reporting to the board. Learning from the past as we plan for the future, I’m confident that the role of the cyber security team will continue to evolve, making it imperative that organizations build and invest in a team with staying power.

Humbly speaking, with the tenure of many NetSPI team members at 10 years or more, we are fortunate to be able to offer our clients quality – and consistent – counsel because we have built a mindset around focusing on building teams with staying power. In this blog, I’ll share some insight into NetSPI’s commitment to team building in the hopes that it can provide guidance for your own workplace development (or even to serve as criteria for hiring your third-party testing team).

Hire for Experience, but also for Thirst for Knowledge

After hiring numerous professionals throughout the years, I’ve noted that there are a number of things, beyond experience, that can come together to make a person great in this profession. Someone who is a self-starter or ambitious is often a great team member. Further, an individual who works on projects outside of work or school demonstrates to me a passion for the profession.

Yet, two traits that are more difficult to recognize at first are the more unique soft skills: memory recall and curiosity. Individuals who have memory recall, who can understand patterns and relationships, usually gain an advantage when it comes to thinking like an attacker and recognizing familiar trends while working as part of a client consulting team. And the highly curious person often has an innate drive to pick things apart, a drive that is fundamental to success when the technology landscape becomes more complex by the day and emerging technologies continue to open new doors to hackers. Technology vulnerabilities are there – and a curious person is more apt to find exposures so remediation can commence.

Interesting Data on Memory: In a Scientific American article, Northwestern University psychologist Paul Reber states that the human brain consists of about one billion neurons, amounting to more than a trillion connections. Neurons combine so that each one helps with many memories at a time, exponentially increasing the brain’s memory storage capacity to something closer to around 2.5 petabytes (or a million gigabytes).

For comparison, if your brain worked like a digital video recorder in a television, 2.5 petabytes would be enough to hold three million hours of TV shows. You would have to leave the TV running continuously for more than 300 years to use up all that storage.

Watch our on-demand webinar: From Governance to Implementation to Results with NetSPI’s Deke George and Former CISO at the CIA, Bob Bigman.

Make Training and Continuing Education Fundamental

Today’s college graduates in the technology or cyber security fields, or even those with just one to two years of experience, have a definite thirst for knowledge. Our organization has found that investing in feeding that knowledge has paid dividends and has manifested in our proprietary NetSPI University.

Each year, through NetSPI University, we take new cyber security talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs, and cross training. Why do we make this investment? The reason is two-fold. First, it is part of our DNA and culture to continuously improve (truly, at all levels of the organization). Secondly, our ability to outpace attackers is due to our talent and our culture. Our clients respect that, and in some cases, seek out our counsel in putting in place their own training programs. In the long run, organizations benefit from investing in their teams.

Focus on Measures Outside of Just Technology Competencies

In Nabil Hannan’s inaugural edition of his Agent of Influence podcast (with the excellent title of “Cyber Security Education and the Ethics of Teaching Students to Break Things”), he states that “some of the most successful people who he’s seen in cyber security are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments.” He goes on to point out that this is critical as technology is always evolving, as are the security implications. I couldn’t agree more. In fact, I think it is a hiring measure – adaptability or agility outside of technical competencies – that is undervalued. I write about the importance of agility here.

What’s more, organizations that provide a framework for performance – meaning evaluation measures on quality, technical depth, and outcome – help not only the team member, but the organization as well. But I argue that agility measures should also be part of the framework for performance so that team members can bring their own skills and perspectives to each and every engagement and incorporate their individual style. This not only benefits the employee and the client; an organization can then apply that individual’s insights across the whole team to make the organization better and smarter. Additionally, organizations need to understand that a dynamic culture, one that puts in place the building blocks that enable people to enjoy working together, pays dividends in terms of work product, retention, and recruitment.

In my opinion, cyber security professionals have the best job in the world. They get to ethically hack into some of the largest companies. With that comes responsibility. Because of the importance of the work that cyber security professionals do day in, day out, it’s critically important that organizations provide opportunities for these talented individuals to grow, stay on the cutting edge, and lead. Building a team with staying power, through a commitment to training and developing the next generation of security professionals, is imperative as the profession continues to expand to meet the growing demands of the job.

The post How to Build a Cyber Security Team with Staying Power appeared first on NetSPI.

Building a Security Framework in a Compliance-Driven World
https://www.netspi.com/blog/executive-blog/security-industry-trends/building-a-security-framework-in-a-compliance-driven-world/
Tue, 07 Jul 2020 07:00:25 +0000

The post Building a Security Framework in a Compliance-Driven World appeared first on NetSPI.

Depending on the industry an organization is in, there are a multitude of specific, acronym-heavy rules, regulations, and frameworks which must be adhered to, especially for industries with extremely sensitive and valuable data, including healthcare, banking, and energy. For many years, these compliance-first frameworks – HIPAA for healthcare, PCI-DSS for credit card handling, and NERC-CIP for energy companies, to name a few – were the structure around which IT leaders managed their security programs. To further complicate things, there are multiple compliance-based frameworks that overlap, and even others that are specific to the states in which an organization does business, like CCPA. A common example of cyber security compliance? Once a year (typically), organizations are required to have an outside third party evaluate their programs. Voilà! An organization is secure, right? Not always.

In my opinion, building your security program around a framework for compliance ensures an organization is compliant, but doesn’t necessarily make it secure. In fact, if you’re simply implementing a security strategy to check a box, it’s likely that your systems are vulnerable to cyber adversaries. While security is foundational in these compliance-based frameworks, historically it was deemphasized for a period of time. But things are changing – specifically, the way we think about security is shifting away from a compliance-first mindset. Large data breaches got the attention of Boards of Directors from a financial (read: fines, lawsuits) and reputational loss standpoint. From a technology standpoint, there’s no longer an inside and outside of the organization, and just defending perimeters with firewalls is no longer adequate. And, one more example: with a move away from a waterfall release of applications to a more agile development philosophy, it makes business sense to elevate the frequency of vulnerability assessments, even moving to continuous, ongoing monitoring of internet-facing attack landscapes to more adequately protect against unauthorized access to an organization’s intellectual property.

Organizations that have a more mature technology footprint are surely interested in doing everything they possibly can to find and fix vulnerabilities. And even in a mature scenario, there’s ample opportunity to put in place an action-based framework that ties to an organization’s controls and security framework. Consider this: the world’s leading research organization, Gartner, found that between 2014 and 2018 approximately 41 percent of clients had either not selected a framework or had developed their own ad hoc framework. The research goes on to show that failure to select any framework and/or building one from scratch can lead to security programs that:

  • Have critical control gaps and therefore don’t address current and emerging threats in line with stakeholder expectations.
  • Place undue burden on technical and security teams.
  • Waste precious funding on security controls that don’t move the needle on the organization’s risk profile.

How can we begin to administer a security-based framework? Quite simply, just begin. It doesn’t have to be perfect from the get-go. Consider it a work in progress. After all, the threat actors, technology assets, and detective controls are constantly changing. Thus, you will need to constantly change and adapt your continuous, always-on security and vulnerability management program. Here are some best practices to help you begin implementing your security-based framework changeover.

  1. Evaluate the landscape: Determine whether there has been a security framework or controls catalog developed for your specific industry sector. The NIST Cybersecurity Framework is a good place to start. But what happens when there is no industry-specific or government-mandated security framework and control catalog? In this case, security capability maturity and team capacity and capability become the key inputs in selecting your security control framework and control catalog. (Source: Gartner)
  2. Engage with organizational leadership outside of technology: Develop a scrum planning team with legal, risk, and front-line business unit representatives to help identify discrete regulatory or legislative obligations that need consideration.
  3. Audit your internal and external environment: Identify the contextual factors that could influence your selection of security framework and control.
  4. Invest in your people: Admit to technology fatigue and that some significant investments aren’t optimized to meet set objectives or are redundant. Instead, invest in a people-first, pentesting team that can approach security from the eyes of an attacker.
  5. Develop a plan based on continuous improvement: Combine manual and automated pentesting to produce real-time, actionable results, allowing security teams to remediate vulnerabilities faster, better understand their security posture, and perform more comprehensive testing throughout the year.

Remember: Just because an organization’s cyber security program is compliant doesn’t mean it is secure. If an organization approaches its security programs from a security-first mindset, most likely it will comply with the necessary compliance rules and regulations. I see compliance as a subset of security, not the other way around.

Want more? Read “Challenges & Keys to Success for Today’s CISO” from the Former CISO at the CIA, Robert Bigman.

Penetration Testing Paradox: Criteria for Evaluating Pentest Providers
https://www.netspi.com/blog/executive-blog/penetration-testing-as-a-service/the-penetration-testing-paradox-criteria-for-evaluating-providers/
Tue, 12 May 2020 07:00:21 +0000

The post Penetration Testing Paradox: Criteria for Evaluating Pentest Providers appeared first on NetSPI.

Back in the mid-1960s, computer experts warned of the inevitability of bad actors trying to access information across computer lines. In fact, InfoSec Institute cites that “at the 1967 annual Joint Computer Conference…more than 15,000 computer security experts, government and business analysts discussed concerns that computer communication lines could be penetrated, coining the term [penetration testing or white hat testing] and identifying what has become perhaps the major challenge in computer communications today.”

Fast forward to 2020 and businesses will find that the pentesting industry is made up of a lot of providers offering vulnerability management services. But does that mean all penetration testing services offer the same results? Simply stated, the answer is no. To help organizations choose the right team for their pentesting and vulnerability management (VM) programs, consider the following four paradoxical attributes that should help CISOs and CIOs select a top penetration testing partner.

Pentesting Should be Agile, Yet Consistent Over Time

It’s important to hire a talented penetration testing team – one that’s able to look at the environment through the eyes of an attacker and bring their insights of technical risk to the table as the environment and technology become more complex over time. The pentesting team needs to be agile to continuously improve and evolve to meet the ever-changing and elevated risk and complexities that your business may face.

While evaluating agility, it’s important to also look at consistency. Does your potential pentesting partner have a team orientation, versus just an individual or outsourced consultant who owns the knowledge? What if that individual moves on to “greener pastures”? It’s my recommendation that you shouldn’t consider a white hat tester who acts alone. Rather, choose a pentesting team built around consistent delivery of quality, service, and results, one that can be an extension of your internal team and will bring you the foundational support you need in your vulnerability management program.

The Pentesting Process Should be Custom Yet Standard

With 640 terabytes of data traveling around the globe every minute, is it possible to put standards around your vulnerability management program? In my opinion, it’s not only possible, it’s a necessity.

Who you get doesn’t have to be what you get, as people so often think. From project management workflows and practitioner guides to standardized pentest checklists and testing playbooks, at NetSPI we have formalized quality assurance and oversight so we can deliver consistent results, no matter who your assigned NetSPI security consultant is. With these standardized processes in place, when new vulnerabilities are identified, we are able to quickly mobilize and study the attack scenario, and if appropriate, we add that specific vulnerability to our pentest checklists for future assessments.

Having said that, every situation has its nuances. While no two organizations are the same, there may be some commonalities between industries, like similar regulatory bodies to comply with, for example. This allows pentesters to put some standardization into their process while allowing for the customization and flexibility that is unique to the client environment from a business or technical perspective.

Technology/IT Should be Automated to Increase Manual Pentesting

Automated scanning is foundational to any penetration testing program. It’s how an organization handles the thousands of results from those scans that is crucial as there will be duplicates, false positives, and many, many data points, oftentimes delivered in spreadsheets or PDFs. Your internal security/IT team is then tasked with sifting through, sorting, and evaluating that data. Is that administrative work the best use of their time?

In my opinion, your internal team should focus on finding solutions for effective and fast vulnerability remediation, rather than spending their time heads down in administrative tasks. It’s up to your pentesting team to identify and communicate the priority vulnerabilities, not hand you a document and wish you luck. Look for a penetration testing provider who has tools in place to automate pentest reporting functions and deliver results that can be easily sorted and acted upon so that the majority of human capital investment is focused on finding and fixing vulnerabilities. A favorite quote of mine from NetSPI product manager Jake Reynolds exemplifies the mindset of those individuals working to solve the technical complexities of vulnerability management (VM), “I want to hack and secure the largest companies in the world…I participate in solving real world problems that affect companies and people across the globe.”

A Focus on Internal R&D Will Strengthen the Entire Security Community

Being able to collaborate with a team is critical in our client relationships. We instill that collaborative mindset through an intense and immersive training program, NetSPI University, for entry-level security testing talent. Why dedicate so much time to continued education and mentorship? At NetSPI, we are consistently asked to see around corners and penetration test more and more complex environments. So, training and collaboration are key to helping us grow and scale pentesting talent to meet our industry’s evolving needs.

Training and collaboration can’t be, and aren’t, just a NetSPI initiative. Collaboration and innovation are key to evolving as an enterprise and as an industry. As I wrote in this blog post, pentesters are intensely creative and have highly curious technical minds, and our team strongly believes that the effort we place in research and development with our colleagues should be shared with the broader security community. Case in point? The NetSPI blog is a treasure trove of information for the pentesting community at large, along with the content on our open source portal.

Final words on this subject: Penetration testing services are the same by definition, but none are created equal. When hiring a penetration testing service provider to test your applications, cloud, network, or perform a red teaming exercise, think beyond whether they can simply identify vulnerabilities. Consider pentesting talent, processes, technology, and culture to ensure you’re getting the most value out of your partnership.

Innovation and Consistency: The Right and Left Brain of Vulnerability Management
https://www.netspi.com/blog/executive-blog/personnel-development/innovation-and-consistency-the-right-and-left-brain-of-vulnerability-management/
Tue, 17 Mar 2020 07:00:40 +0000

The post Innovation and Consistency: The Right and Left Brain of Vulnerability Management appeared first on NetSPI.

Pentesting has attracted a workforce filled with intensely creative and highly curious technical minds. Ironically, however, we see vulnerability management programs advance and accelerate when creativity is paired with a framework that drives quality and consistency. Is this an indication that our industry has matured to the point that the level of innovation is diminishing? Far from it. In fact, the best cybersecurity programs and providers incorporate and embrace both innovation and consistency.

Innovation Remains Mission Critical

First, it’s important to understand that there are a couple of ways to define innovation. The first, of course, is through the lens of creativity and disruption. Attackers don’t have any boundaries when it comes to figuring out how to exploit a program or system; neither should cybersecurity teams. Finding new ways to break things is a critical part of the job.

A second way to define innovation is more pragmatic. While companies need to address large volumes of vulnerabilities and develop strategies to remediate them, most security teams are faced with doing more with less due to budget restrictions, lack of resources, and other constraints. The only way to accomplish this is to adopt some level of automation. Moreover, automation is critical for handling mundane or repetitive processes to free up time for humans – pentesters, developers, and others – to exercise their creative minds. As in any industry, automation enables people to perform at their highest potential, and when used correctly, it becomes a force multiplier.

Consistency Plays a Vital Role, Too

As partners to large corporations and other organizations that have extensive testing programs, we must have consistency in our testing approach. When we find a new vulnerability within one client’s environment, our consistent, systematic process enables us to add that one vulnerability to a checklist for each and every test we do in the future, regardless of the individual tester. This process frees up time for our team of pentesters to be more innovative in finding ways to exploit a program or system, while also ensuring as much coverage as possible.

Another way to approach consistency is through more regular testing for vulnerabilities instead of performing a pentest on your network as an annual compliance tool that results in static PDF reports with out-of-date vulnerability information. As a best practice, vulnerability management measures should employ continuous monitoring, with real-time reporting that enables companies to remediate vulnerabilities as quickly as possible. This new paradigm, known as Penetration Testing as a Service (PTaaS), employs both automated scanning and manual tests that dive deeply into applications and networks.

Striking a Balance Between Innovation and Consistency

How our industry maintains the balance between innovation and consistency should start with our people. While it may seem easier to screen for skills versus personality, the goal is to look for people who can not only think like an attacker, but also excel within a framework that supports individual agility and leads to a consistent, high-quality outcome. A tip? Search for individuals who have an interest in information sharing and bettering the larger security community; those who develop new tools (or improve existing tools) and participate in continuous learning in their free time typically have the capability to be extremely innovative. With a well-rounded workforce and mindset, organizations can gain an edge on their competition, disproving the notion that who you get determines the quality of the services delivered.

To be successful in the world of vulnerability management and pentesting, it’s critical that providers offer a balance between creative disruption and methodical, systematic structure. Together, both right-brained and left-brained talent and solutions result in the very best tests that help organizations stay ahead of ever-changing attack surfaces.
