Sporadic Penetration Testing vs a Structured Offensive Security Program

Penetration testing has historically been the major benchmark of any cybersecurity activity. As we embark on a promising 2021 in a post-pandemic world where most information is stored across digital applications, both on premises and in the cloud, protection is vitally important, and a structured regime for your testing is required now more than ever.

Penetration testing allows a company to identify its weaknesses, as well as which of its defences need to be reinforced. However, a sporadic penetration testing program can present a few challenges, including:

Busy Project Times:
New projects with tight timelines, along with ongoing 'business-as-usual' tasks required just to keep the lights on, are the primary source of cybersecurity risk through task slippage and incompletion.

It is common for annual penetration testing to be put off for more opportune times, often slipping well beyond the anniversary of the previous test, and often not noticed until an audit identifies the issue or an incident on a system brings it to light.

Resource and Skills Constraints:
The most important thing to know about penetration testing is that it is itself limited in scope. Most companies do not and cannot test all of their systems because they lack the internal knowledge or skilled resources to test effectively. Additionally, ad hoc penetration tests run by external suppliers are generally conducted only on the infrastructure that a client deems most integral to its business, not on the areas most likely to be attacked.

Lack of Alignment with Governance & Risk Controls:

Penetration testing is a controls-based test that examines the technical controls on organisational assets and, to an extent, the processes around securing those assets. However, it is often a breakdown between process, technology or wider business change that creates a new vulnerability. Without alignment to the wider cybersecurity governance, process and risk strategy, penetration test results may highlight only one problem area in a long chain of cybersecurity vulnerabilities.

Too Infrequent and Too Little Time:
Penetration tests are usually conducted only a couple of times a year (at best), with a time-boxed set of hours to attack a small portion of the threat landscape. In reality, malicious cyber-attacks are usually planned by attackers for months, sometimes even years, and are executed with full precision.

One way to overcome some of these challenges is to build a program that provides continual assurance and coverage across your cybersecurity testing regime. This can be supplemented with a hybrid model of internal resources and external suppliers to provide ongoing coverage in areas such as:

  1. Scheduled penetration testing covering the entire threat landscape;
  2. Regular simulated phishing and social engineering campaigns;
  3. Adversary simulations (Red Team) and Tabletop Incident Response exercises;
  4. Security Awareness Training for Board/Executives;
  5. Vulnerability Assessments;
  6. Password and Authentication Assessments;
  7. Continual improvement and company-wide performance reporting.

An example of a sophisticated testing regimen is shown below in the outline of Loop's continual assurance testing program services.

[Figure: outline of Loop's continual assurance testing program services]

If you'd like to learn more about Loop Secure's Continual Assurance Program, contact our team.

To learn more about penetration testing and which types of tests are best for you, download our Technical Executive's Guide to Penetration Testing.

