One thing I keep getting asked about is what makes for a good Cybersecurity assessment. This can cover many areas as well as many items. For example, an assessment may simply mean that a consultant comes out to the place of business or organization and does a visual analysis of what they think needs to be done to fortify the lines of defense.
Of course, they would also ask the business owner numerous, thought provoking questions to see where their pain points and fears lie when it comes to a potential security breach.
Then, there are other kinds of assessments that are much more technical in nature and do a much deeper scan into the IT Infrastructure of the organization to see where the issues lie. In other words, rather than just doing a visual analysis as just described, special tests are conducted to see where the true vulnerabilities and weaknesses reside.
There will be those known weaknesses, but the main objective of these kinds of tests is to see where the unknowns lie as well. After all, a CIO or a CISO may think that they have patched up and covered what they believe is weak, but there are many other weaknesses still lurking around. So, you may be asking, what kind of test will reveal all of this?
This is what a Penetration Test does, also known as a “Pen Test” for short. A Pen Test simulates a real world Cyberattack (or even several), and literally breaks down the walls of defense of a business or a corporation from the external environment moving inwards. Very often, there is a team of highly trained and certified individuals that conducts this task.
These teams are known as the “Red Team” and the “Blue Team”. The former is the group of individuals that plays the real world Cyberattacker. They have all the software packages that are needed to launch just about any type or kind of threat vehicle.
These are the “bad guys”. The latter are known as the “good guys”. Their role is to act as the IT Security staff of the organization and to thwart the attacks that are launched by the Red Team.
Once all these real world Cyberattacks have been launched, both the known and the unknown security gaps are then discovered. From here, the Red and Blue teams then formulate a plan of action for the client, in which specific recommendations are provided to the client as to how these gaps can be filled.
Of course, the scenario just depicted is a very simplistic one. Pen Testing is much more complex than this, and it does not just transpire over a series of days. It can take several months to conduct a comprehensive Pen Test, and perhaps even as long as a year.
Because of the length of these kinds of engagements, and the skills that are required, a Pen Test can be an expensive proposition. For example, some services can range anywhere from $10,000 all the way to $50,000 and even more, depending upon what needs to get done. Now, the question that gets asked is whether it is worth it to conduct this kind of exercise, especially for the SMB that is on a tight budget.
A recent survey conducted by an organization known as Exabeam sheds some light on this question. This polling was conducted during the Black Hat conference that was just recently held this month. According to this survey:
*The Red Teams appear to be quite successful in launching their simulated Cyberattacks;
*But when it comes to the Blue Teams, 35% of them never caught the fictitious intruders;
*68% of the Blue Teams stated that they were somewhat successful;
*Only 2% said that they caught the Red Teams all the time when the Pen Test was being conducted;
*27% of the Red Teams cited that better communications are needed with the Blue Teams;
*23% of the Red Teams also stated that their Blue Team counterparts need to have more technical skill when combating the Cyberattacks that are launched towards them.
True, it is disappointing when the intruders are caught only 65% of the time. Although this may not appear to be too bad at first glance, it needs to be much higher than this, even as close to 100% as possible. After all, the client is paying a good amount of money for a Pen Test, and they need to get their value out of it.
Also, by not catching the intruders at a much higher rate, the Blue Team is sending the message to the IT Security staff that what they currently do is enough. This is simply not the case. They need to do more in order to create a sense of urgency and proactiveness in their respective organizations.
But there is some good news behind this. Out of all the companies that were polled at Black Hat, 60% of them claim that they do Pen Tests, but the frequency with which they are conducted varies:
*24% of the tests are conducted on a monthly basis;
*13% of them are done on an annual basis;
*12% are conducted quarterly;
*11% are done twice a year.
My Thoughts on This
Another bit of good news here is that organizations are starting to realize the true benefits of conducting a Pen Test. In this survey, 56% of them said that they plan to increase their IT budgets so that they can conduct a Pen Test.
So, in my view, is a Pen Test cheap? No, it is not. Is it worth it? Absolutely yes!!! Just keep in mind this old proverb: You get what you pay for. True, you can find a cheap Pen Tester on a freelance basis, but just how good are they? What kind of reputation do they have?
Will they conduct a Pen Test when they say they will? How do you know if they are not an actual hacker themselves? These are just some of the questions that you need to ask if you go down this route. But it is far better to go with a Pen Testing company that has a rock-solid reputation.
Yes, they are not cheap, but at least you will be guaranteed to get the needed tests done, and you will be provided with documentation as to what needs to be improved in your organization. In other words, they will not leave you hanging, as a freelance Pen Tester potentially could.
Remember, in the end, conducting a Pen Test is much like having an angiogram. That is the only way to find out if your heart has any blockages. The same is true of the Pen Test: the only way you will know where all the gaps and weaknesses exist in your lines of defense is to conduct a deep dive exercise.