Security is a huge issue for UK enterprises, one they know they must address. For large businesses, however, the traditional once-a-year security check, or penetration test, has become particularly problematic, generating huge amounts of data, but little useful information.
Big organisations now have vast IP address ranges, a huge volume of services and complex systems exposed to the internet, and a distributed IT structure. Very often different people are responsible for different bits of different systems in different countries. On top of this, testing has improved over the years, and automated tools can now find many more issues. This means that for large organisations a penetration test report can run to thousands of pages while providing little value in helping to solve security problems.
In short, penetration testing is not the panacea it’s often made out to be. We believe that it’s just not good enough for a pen tester to find the issues and list them in a report for the CISO to sort out. Too often this involves squandering budget on fixing issues without working out and resolving their root causes.
Some of the responsibility for this lies with the penetration testing industry, which has a tendency to ‘fire and forget’. The test is completed, the client gets the results and then it’s the client’s problem. We think this needs to change. Penetration testers should start to work with clients to sort the data and make the results more accessible and actionable. The tester’s opinion of what is critical (perhaps a denial of service attack) doesn’t reflect that of the business, which might be much more concerned about a loss of customer information or credit card details.
Too many penetration tests fail to work with the business to prioritise the resulting data. Testers need to incorporate the client’s priorities and ask: what is a critical issue for this client? We think we know, but in reality it’s different for each company and its assets. Effectively, we need a holistic approach to testing and remediation to produce ongoing improvement.
So how can we create useful information out of the pen test data? What can IT and the business do to prevent irrelevant security fixes and rediscovering the same old problems? There are four things security providers should be offering: weighting problems, tracking them, getting to the root cause, and presenting qualified information, not raw data. This combination will lead to the next generation of pen testing, moving it from a static to a dynamic exercise focused on delivering demonstrable results.
It is down to us, the penetration test industry, to help clients get the return on their investment in testing and security that they need and are absolutely entitled to. We need to clearly categorise issues to help better identify the underlying causes driving them. We must involve the business in the allocation of risk, so that the most important issues to the organisation can be resolved first.
As penetration testers we want to find the new and exciting stuff, not repair the same issues every year. We think this means mending the pen test system and creating reports which generate manageable information, not just mounds of data.
Edd Hardy - Head of Operations CNS Hut 3