When Should an Organisation Seek a Penetration Test
Implementing a robust technical assurance strategy is crucial for any organisation looking to strengthen its security posture. However, this process depends on several factors such as budget, internal capabilities, and overall security maturity. Before considering penetration testing, there is first a need to understand the motivation behind such assessments. Penetration tests work best at uncovering unknown vulnerabilities and validating controls against advanced threats. As such, these assessments should focus on the most critical assets and best-defended environments. Testing systems that are riddled with known issues provides very little value, because the findings will largely be the issues already known.
With this in mind, here are some key actions that should be considered when building an effective technical assurance strategy:
Inventory Management - Compile a comprehensive register of all physical, digital, and cloud assets. Evaluating their criticality to operations based on factors like sensitivity of data, impact of disruption, compliance requirements, etc. informs future decisions on which require testing and when. Gaining complete visibility into your attack surface is vital to improving the security posture of the organisation.
Centralized Logging - Ensure all assets feed into a centralized logging solution like a SIEM. Alerts and robust monitoring should also be configured to enable detection of potential intrusions, especially for external-facing assets or shared services.
Vulnerability Management - Leverage automated scanners, threat feeds, and holistic vulnerability management tools to get real-time alerts on new vulnerabilities. Regularly scan internal assets to prevent legacy components from creating security gaps. Mitigation activities can then be prioritized based on criticality.
Endpoint Protection - Deploy robust endpoint detection, prevention, and response tools like antivirus, EDR, and firewalls to further harden your environment. Tuning policies and incident response actions to the evolving threat landscape requires constant effort and coordination with security operations.
Targeted Adversary Simulations - Use red teams, penetration tests, tabletop exercises, and other simulations to test detection and response capabilities against real-world techniques. Determine if current controls sufficiently prevent, detect, and respond to potential intrusions.
Complementing these technical activities are IT management policies like patching schedules, change control, and training regimes for operational staff. The right combination of these options can create a solid technical assurance program. Alternative activities can also be employed that may better suit your security objectives and can include:
- Secure code reviews during SDLC (Secure Development Lifecycle) - annotate design documents, test code, audit open source libraries
- Vulnerability scans against known vulnerability databases and benchmarks such as the OWASP Top 10 and compliance baselines
- Threat modeling sessions to develop secure architecture designs that isolate critical assets
- Vendor provided assurance activities like audits for cloud platforms
An ideal approach would be to utilize a combination of these practices for comprehensive assurance. To identify triggers and maximize benefits, collaborate with system owners to develop threat models defining critical assets, data, and risks. With priorities defined, targets for technical assurance become clear.
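As an added example (not from the original article), here is one way to turn the inventory factors above (data sensitivity, disruption impact, compliance scope, exposure, logging coverage, open known findings) into a repeatable decision about which assurance activity each asset needs next. The weights, thresholds and asset names are assumptions; the register entries are constructed.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of the asset register (constructed example data)."""
    name: str
    data_sensitivity: int   # 1 (public) .. 5 (regulated data or secrets)
    disruption_impact: int  # 1 (negligible) .. 5 (business-stopping)
    compliance_scope: bool  # in scope for a compliance regime
    external_facing: bool
    logging_to_siem: bool   # centralised logging in place
    open_known_vulns: int   # unmitigated findings from routine scanning


def criticality(a: Asset) -> int:
    """Weighted criticality score used to rank the register (weights assumed)."""
    score = 2 * a.data_sensitivity + 2 * a.disruption_impact
    score += 3 if a.compliance_scope else 0
    score += 2 if a.external_facing else 0
    return score


def recommend(a: Asset) -> str:
    """Pick the assurance activity that adds the most value for this asset now."""
    if a.open_known_vulns > 0:
        # A pentest of such a system mostly re-finds what scanning already knows.
        return "remediate known findings first"
    c = criticality(a)
    if c >= 14:
        # Simulations validate detection and response; without telemetry
        # there is nothing to validate, so fix logging coverage first.
        if not a.logging_to_siem:
            return "onboard to SIEM before adversary simulation"
        return "penetration test / red team"
    if c >= 9:
        return "configuration review"
    return "routine vulnerability scanning"


def plan(assets):
    """Return (name, score, activity) tuples, most critical assets first."""
    ranked = sorted(assets, key=criticality, reverse=True)
    return [(a.name, criticality(a), recommend(a)) for a in ranked]


# Constructed register; names and values are placeholders, not real systems.
REGISTER = [
    Asset("customer-portal", 5, 5, True, True, True, 0),
    Asset("payments-api", 5, 5, True, True, False, 0),
    Asset("legacy-intranet", 3, 3, False, False, True, 12),
    Asset("marketing-site", 1, 2, False, True, False, 0),
    Asset("hr-fileshare", 4, 3, True, False, True, 0),
]

if __name__ == "__main__":
    for name, score, activity in plan(REGISTER):
        print(f"{name:16} {score:3}  {activity}")
```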
Building effective security takes time but following this risk-based approach paves the way. Penetration testing and configuration reviews still provide value, but for optimal results they should be integrated into a broader strategy based on asset criticality. A mature technical assurance program takes work but delivers confidence and peace of mind.