Breach Prep: The Need for Pen Testing
PwC's Veugelen on Protecting Businesses by Assessing Defences

According to PricewaterhouseCoopers' latest information security survey, security incidents across the Asia-Pacific region are growing at a rate of 66 percent annually.
Yet many organizations are unaware they have been attacked. The key reason, says Wouter Veugelen, director, Cyber Security, Technology Consulting, PwC, is organizations' lackadaisical approach to carrying out periodic penetration testing.
"Compromises by insiders - current, former employees and third parties with trusted network access - are rising, but many organizations haven't implemented processes and technologies to address internal incidents," Veugelen says.
Hacking is no longer solely the domain of high-value, high-stakes enterprises, he says. It is a serious everyday threat for any organization that relies on IT to run its business, and it is time for them to treat the risk seriously.
"Although organizations invest in significant security safeguards, a penetration test checks their effectiveness," he says.
In this interview with Information Security Media Group, Veugelen discusses why many organizations lack sufficient breach preparation. He also discusses:
- The need for penetration testing;
- Building the skills of pen-test practitioners;
- The right approach to employing pen-test standards.
Heading the consulting practice, co-ordinating threat assessments, penetration tests and incident response services for financial services organizations, Wouter leads a penetration testing program for a big four Australian bank, where his team tests mobile payment systems. He periodically teaches at SANS institute on hacking techniques, penetration testing and incident response.
Need for Pen Testing
GEETHA NANDIKOTKUR: Most organizations employing good cyber practices suffer penetration. Where do you see the challenges?
WOUTER VEUGELEN: CISOs are trying everything possible to handle the growing sophistication of threats. The reason is hacking is no longer in the domain of high-value, high-stakes business. It's a serious everyday threat for all organizations relying on IT to facilitate their business. Reliable security depends on understanding the exposure, weaknesses and threats leading to a breach which could be exploited.
It's a big challenge, and I don't see practitioners thinking out-of-the-box to employ periodic penetration testing. Globalization of business, increased competition and need for improved customer service make organizations connect their computer systems to the internet, third parties and customers. Although improving business efficiency, this can mean loss or disclosure of sensitive data, service disruption, misuse or reputational damage.
Most organizations realize cybersecurity is a persistent, all-encompassing risk, but with rising frequency and costs of security incidents, many haven't updated critical information security processes, technologies and employee training needs. Despite all security, it's open to compromise if third parties don't employ equivalent security and privacy safeguards. A worrisome finding is diminished employee training and awareness programs.
Although organizations may've invested in security safeguards, a penetration test ensures they're effective, thus protecting organizational reputation - ultimately enabling business.
Innovations in Pen Testing
NANDIKOTKUR: What innovations in penetration testing can compel practitioners to employ them?
VEUGELEN: Penetration testing, or ethical hacking, identifies vulnerabilities in your technology environment and assesses the exposures. Performed in a way similar to an attacker, it uses the same techniques and tools, but not the malicious intent. The testing's performed across layers and at the architecture layer, with different testing exercises addressing different threats:
- External Penetration Testing: This assesses whether someone outside your organisation can access core information assets from the internet through weaknesses within your perimeter.
- Internal Penetration Testing: This assesses whether internal staff or someone with access to your physical premises can access information they're not privy to.
- Web Application Security Assessment: This assesses and identifies what vulnerabilities can be exploited through web applications and services made available to clients, employees - allowing attackers to extract data or further elevate their privileges.
Building Skills
NANDIKOTKUR: One of the biggest pitfalls is the professional skills shortage for carrying out pen tests. How can this be addressed?
VEUGELEN: This exists across regions; the only way out is changing the mindset. Organizations must have remediation teams who feel the need to develop in-house capabilities on pen test methods and processes, which are required at all stages starting with design and coding. In Australia, organizations increasingly align with universities to train in-house teams and hire resources. Despite the right investment and planning, gaps are found in the pen test which could be at the application and network layers. Bridging these requires specific skills. It's imperative to apply standards and have teams working in alignment, not in silos.
The Right Approach
NANDIKOTKUR: What, then, is the right approach to employ penetration testing?
VEUGELEN: Testing involves five key stages with the option to "penetrate" during an assessment if there's sufficient need, risk appetite and potential reward:
- Scan: Passive and active scanning techniques are used to identify possible targets.
- Analyze: Analysis and cross-referencing of vulnerabilities found on the targets.
- Follow up: There's no substitute for a seasoned tester's experience; findings from prior stages are manually verified, eliminating false alarms.
- Penetrate: Test teams may discover vulnerabilities that if exploited, could allow further levels of access. If so, a full risk and business impact analysis is performed and presented if the potential value outweighs the likely risk.
- Report: The key is a report the business can understand, with practical recommendations of deeply technical issues, analysis of potential root causes and a clear explanation of the risks.
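The five stages above, and the external/internal distinction from the earlier list of test types, can be wired into a small harness so that nothing unverified reaches the report. The following is an added example, not code from the interview, PwC or Information Security Media Group. The scan output (in nmap's greppable `-oG` format), the rule table, the severity ratings and the verification notes are all constructed for illustration; the rules describe exposure classes (cleartext protocols, a reachable database listener) rather than any specific product vulnerability. The "penetrate" stage is left to the tester's judgement, as the text says; the harness only marks which confirmed findings are candidates for it.

```python
"""Harness for scan -> analyze -> follow up -> [penetrate] -> report.
All inputs below are constructed samples, not results of a real engagement."""
import re
from dataclasses import dataclass

# Constructed sample in nmap's greppable (-oG) format; not a real scan.
SCAN_OUTPUT = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 (www.example.test)\tStatus: Up\n"
    "Host: 203.0.113.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, "
    "80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: closed (997)\n"
    "Host: 203.0.113.11 (legacy.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "23/open/tcp//telnet///, 3306/open/tcp//mysql//MySQL 5.7.42/, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: filtered (996)\n"
)

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str

@dataclass
class Finding:
    service: Service
    title: str
    severity: str
    manual_check: str          # what the tester must confirm by hand
    penetrate_candidate: bool  # worth a risk/impact analysis before exploiting
    remediation: str
    status: str = "unverified"
    evidence: str = ""

# Stage 1 - scan: turn scanner output into a target list (open ports only).
PORTS_LINE = re.compile(r"^Host:\s+(\S+).*?\tPorts:\s+([^\t]*)")

def parse_gnmap(text: str) -> list[Service]:
    services = []
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            f = entry.strip().split("/")  # port/state/proto/owner/service/rpcinfo/version/
            if len(f) < 7 or f[1] != "open":
                continue
            services.append(Service(host, int(f[0]), f[2], f[4], f[6]))
    return services

# Stage 2 - analyze: cross-reference services against a (constructed) rule table.
# Severity depends on the engagement scope: external (internet-facing) or internal.
RULES = {
    "telnet": dict(title="Cleartext remote administration (telnet) reachable",
                   severity={"external": "High", "internal": "Medium"},
                   manual_check="Confirm a login prompt answers; credentials would cross the network unencrypted",
                   penetrate_candidate=True, remediation="Disable telnet; administer over SSH only"),
    "ftp": dict(title="FTP reachable; logins sent in cleartext",
                severity={"external": "Medium", "internal": "Low"},
                manual_check="Test anonymous login and whether TLS (FTPS) is enforced",
                penetrate_candidate=True, remediation="Replace with SFTP or enforce FTPS; restrict source networks"),
    "mysql": dict(title="Database listener reachable from the assessed network",
                  severity={"external": "High", "internal": "Medium"},
                  manual_check="Confirm the handshake completes from this network, not just a proxied banner",
                  penetrate_candidate=True, remediation="Firewall the listener to application hosts only"),
    "http": dict(title="Plain HTTP service",
                 severity={"external": "Low", "internal": "Low"},
                 manual_check="Check whether it only redirects to HTTPS",
                 penetrate_candidate=False, remediation="Redirect to HTTPS and set HSTS"),
}

def analyze(services: list[Service], scope: str) -> list[Finding]:
    seen, findings = set(), []
    for svc in services:
        rule = RULES.get(svc.name)
        if rule is None:
            continue
        key = (svc.host, svc.port, rule["title"])
        if key in seen:  # same issue seen twice (e.g. duplicate host entries): keep one
            continue
        seen.add(key)
        findings.append(Finding(svc, rule["title"], rule["severity"][scope], rule["manual_check"],
                                rule["penetrate_candidate"], rule["remediation"]))
    return findings

# Stage 3 - follow up: the tester confirms each finding by hand; unconfirmed
# findings are false alarms (or still unverified) and never reach the report.
def follow_up(findings: list[Finding], verification: dict) -> list[Finding]:
    for f in findings:
        verdict = verification.get((f.service.host, f.service.port))
        if verdict is not None:
            confirmed, note = verdict
            f.status = "confirmed" if confirmed else "false_positive"
            f.evidence = note
    return findings

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Stage 5 - report: confirmed findings only, ranked by severity, each with
# evidence, a remediation and the penetrate-candidate flag for the business discussion.
def report(findings: list[Finding], scope: str) -> dict:
    confirmed = sorted((f for f in findings if f.status == "confirmed"),
                       key=lambda f: (SEVERITY_ORDER[f.severity], f.service.host, f.service.port))
    return {
        "scope": scope,
        "summary": {sev: sum(1 for f in confirmed if f.severity == sev) for sev in SEVERITY_ORDER},
        "findings": [{"host": f.service.host, "port": f.service.port, "severity": f.severity,
                      "title": f.title, "evidence": f.evidence, "remediation": f.remediation,
                      "penetrate_candidate": f.penetrate_candidate} for f in confirmed],
        "excluded": [{"host": f.service.host, "port": f.service.port, "title": f.title,
                      "status": f.status, "evidence": f.evidence}
                     for f in findings if f.status != "confirmed"],
    }

def run_assessment(scan_text: str, scope: str, verification: dict) -> dict:
    return report(follow_up(analyze(parse_gnmap(scan_text), scope), verification), scope)

# Constructed verification notes, as a tester would record them after manual checks.
VERIFICATION = {
    ("203.0.113.10", 80): (False, "301 to https:// on every path; nothing served over plain HTTP"),
    ("203.0.113.11", 21): (True, "Banner returned; anonymous login rejected, password auth in cleartext"),
    ("203.0.113.11", 23): (True, "Login prompt reachable from the test network"),
    ("203.0.113.11", 3306): (True, "Server greeting received; remote connections accepted"),
}

if __name__ == "__main__":
    import json
    print(json.dumps(run_assessment(SCAN_OUTPUT, "external", VERIFICATION), indent=2))
```

Run with `python3 harness.py` (file name assumed). The plain-HTTP finding is dropped at the follow-up stage because the tester recorded it as a false positive; the same scan assessed with `scope="internal"` produces the same three confirmed findings at lower severities, which is the point of separating external from internal testing.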