How to Get More Value from Your Vulnerability Assessments and Penetration Testing

By Linda Musthaler | May 27, 2014

Posted in: Network Security Trends

A lot of companies do vulnerability assessments and penetration testing of their own systems to try to head off cyber attacks. Some companies are compelled to do annual pen testing because of regulations that govern their business. Regardless of the reasons for doing the testing, companies are spending good money on the process and should look for ways to get more value out of it.

I recently talked with Kevin Johnson of the security consulting firm Secure Ideas to get his advice on how companies can get more value from vulnerability assessments and penetration testing, and here are his suggestions.

“There’s one thing that’s really important to security and that is to understand what attacks you should be defending against,” says Johnson. He says all kinds of events make the news but they aren’t really relevant for a lot of companies. “With the Internet of Things set to explode, you can worry that a rogue refrigerator is going to relay attacks against you, but that just isn’t realistic today. But you should worry about the employee who does something in error, like misconfigure a security device, and maybe you should worry about the unhappy worker who intentionally acts maliciously. If you understand the attacks that are the real concern for your particular business, then you can focus your limited security budget on those things.”

Next, you need to understand what your vulnerabilities are. Johnson says the best way to start on that is to work with a penetration tester. “It could be a third party or someone from within your own organization. Lots of companies have people on staff and pen testing is their job or it is an interest of theirs,” says Johnson.

He cautions, however, “Don’t just have a company come in and hack you. Actually work with them to get an understanding of why that was the attack that they did. If you’re working with a good penetration testing firm, they don’t just run a whole bunch of automated scanners and say, ‘Ha ha, we hacked you!’ They actually look at what you do from an outsider’s perspective. They look at what functionality you are exposing to whatever systems they are testing. There is a reason why these testers make the decisions that they do. There is a reason they went after that server in particular. So work with your pen tester to understand the ‘why’ as well as the ‘how’.”

Johnson suggests having your internal teams “ride along” with the pen tester. “You should tell the pen tester that you want to know exactly what he’s doing as he’s going along through his job,” says Johnson. “Whether it’s an internal person or a consultant coming in to do the tests, have him interact with your response teams and your system administrators so they can look at the logs and such as the pen tester is attacking the server to see what shows up. You want them to understand what caused the log entries during the attack so they know what to look for and how to interpret it in the future.”

In terms of selecting a third-party tester, Johnson says you shouldn’t just hire a firm because it is the lowest bidder. He advises, “Hire them because you are communicating well with them and you have built a relationship with them, you talk with them and have phone calls with them. And don’t be afraid to question things. I don’t mean you should make their job hard but when they say ‘This is what we think we should test,’ ask them why. If they get irritated with you, hire a different pen tester,” says Johnson.

Another way to get more value from this process is to not treat it as a once-a-year event. “I’m not saying you have to hire a pen test firm every month—that would get ridiculously expensive very quickly,” says Johnson. “But when they finish that pen test and they give you that report and they say ‘Here is what we tested and here is what our results were,’ ask them how they tested it. Get information about what tools they used and then have your internal people start to reproduce that. They won’t ever entirely replace a third party – in most cases companies are required to use a third party – but they are going to be able to run this throughout the year. When a year goes by and you bring in the third-party pen tester again, instead of just dumping them on the network and saying ‘Go,’ have them talk to the people who’ve been reproducing the efforts all year. Then your hired gun can focus on other areas that you haven’t gotten to or on more advanced attacks to get you a better understanding of what risks are out there.”

Johnson says that give-and-take has to be bidirectional. “What happens when you start doing the testing constantly and start building up the skill set internally is that you are going to make it part of your process. It will be part of your build, part of your deployment, part of what you do on a regular basis. So from a high level you have to understand what the business needs, you need to understand what the pen testers are doing, and you need to understand the kind of attacks to defend against. Then you are going to make things better.”
