With cyber threats becoming more prevalent and dangerous, organizations are being forced to strengthen their security postures, but there is no simple one-stop fix. Ensuring cybersecurity success requires a continual effort over time, built upon a solid foundation of integrated protections.
Based on numerous consulting engagements with organizations across diverse industries, we have found that three common problems regularly hold back cybersecurity strategies. The top three security failings include not testing enough; not resolving or disclosing known vulnerabilities; and not having proper security programs in place to measure testing effectiveness. Overcoming these three basic concerns can go a long way toward standing up an effective and durable cybersecurity strategy.
Getting the balance right with penetration testing
Penetration testing validates that controls are effectively implemented by applying the same tools and techniques that an attacker would use to search for vulnerabilities in software or hardware. In this way, organizations can measure the effectiveness of their programs for penetration testing, patch management, and incident responses, as well as their overall information security program.
Incremental pen testing removes previously reported systems from scope so that each test concentrates on additional points of exposure. Because each test covers a smaller segment, this form of testing can identify and address security gaps more frequently. Depending on the context, incremental testing can also describe adding tactics or techniques that the testers had not previously used.
Pen testing efforts need to be localized and focused when launching a new product or feature. Fixing vulnerabilities before a product or feature launches reduces the overall impact of patching after it is deployed. Whether a risk is detected by a customer or detected and exploited by an attacker, the effort to remediate is exponentially more than fixing it during the development phase. Testing smaller scopes also gives the organization more time to remediate properly without being overwhelmed by multiple findings. If an organization chooses this model, it should be prepared to conduct several smaller tests throughout the year to ensure adequate coverage.
One of the biggest mistakes that organizations make is not testing frequently enough. Every time a new product is introduced, tests should be an integral part of the process. Embedding threat modeling as part of the product design process keeps developers on top of this concern, not allowing it to be overlooked.
Organizations may also want to partner with external testers, as internal testers are often too close to the product and this proximity makes them miss issues that an outsider might notice right away. Embedding security into the process helps to meet necessary timelines, while also preventing potential hours of panic that will ensue once a product is released with obvious vulnerabilities.
In one specific case, the Word & Brown Companies, a leading provider of health plans and benefits services to businesses of all sizes, needed to conduct various tactical penetration tests on its network infrastructure. After completing the penetration tests and drafting a mitigation roadmap, Word & Brown was better able to understand how policy and procedure implementations could help to mature the organization’s security posture over the long term.
As a result, Word & Brown developed a comprehensive information security program consisting of policies, procedures, and guidelines based on a combination of internationally recognized standards and frameworks, including ISO 27001 and Center for Internet Security Critical Security Controls (CIS CSC).
Resolving all known security vulnerabilities
Vulnerability disclosures involve any public reporting of security flaws. Security researchers and teams disclose vulnerabilities to ensure that a problem is addressed before a bad actor can exploit the vulnerability.
The concern with vulnerability disclosures is that most organizations prefer not to disclose a vulnerability until it can be patched, because they want users to see them as able to patch vulnerabilities quickly and soundly. However, when a vulnerability can’t be patched before attackers begin exploiting it, disclosure is preferable if there are other ways to mitigate or eliminate the threat.
Whether it is ethical to disclose vulnerabilities remains controversial in security circles. Vendors often prefer to wait until a patch or other form of mitigation is available before making the vulnerability public, whereas researchers, cybersecurity professionals, and enterprises whose sensitive data or systems may be at risk would prefer that disclosures be made public as soon as possible.
Regularly measuring security program effectiveness
Another big problem involves security strategies that leave out specific metrics defining how their products perform at their best and at their worst. Such metrics give testing a baseline against which to determine the current health of a security program.
In addition to penetration testing, other areas for assessment may include application security, IT risks, ransomware preparedness, social engineering, incident responses, and more. For instance, to measure the defensive maturity of application security, security teams should perform a full architecture and configuration review. Other assessments may include identifying weaknesses in the software development lifecycle, or reviewing any cloud applications hosted by AWS, Microsoft Azure, or Google Cloud.
In reviewing an organization’s security program, leaders should be able to demonstrate the progress being made for various affected stakeholders. For example, a CEO looking at a vulnerability scanner does not want to see the number of vulnerabilities increasing each month. Obviously, the CEO wants to see more vulnerabilities being resolved each month.
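As an added illustration of the kind of metric described above (not code from the original article), the following computes a monthly opened/resolved/backlog trend and mean time to remediate from constructed scanner findings; the findings, field names and months are hypothetical sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample findings in the shape a scanner export might provide
# (hypothetical data, not from any real scan).
FINDINGS = [
    {"id": "F-1", "severity": "high",   "opened": date(2024, 1, 8),  "resolved": date(2024, 1, 20)},
    {"id": "F-2", "severity": "medium", "opened": date(2024, 1, 15), "resolved": date(2024, 3, 2)},
    {"id": "F-3", "severity": "high",   "opened": date(2024, 2, 3),  "resolved": date(2024, 2, 10)},
    {"id": "F-4", "severity": "low",    "opened": date(2024, 2, 20), "resolved": None},
    {"id": "F-5", "severity": "high",   "opened": date(2024, 3, 5),  "resolved": None},
    {"id": "F-6", "severity": "medium", "opened": date(2024, 3, 12), "resolved": date(2024, 3, 30)},
]

def _month(d):
    return f"{d.year:04d}-{d.month:02d}"

def monthly_trend(findings):
    """Per month: findings opened, findings resolved, and the open backlog at
    month end. A backlog that grows every month is the trend a CEO does not
    want to see; resolved outpacing opened is the trend they do."""
    opened, resolved = defaultdict(int), defaultdict(int)
    for f in findings:
        opened[_month(f["opened"])] += 1
        if f["resolved"] is not None:
            resolved[_month(f["resolved"])] += 1
    trend, backlog = {}, 0
    for m in sorted(set(opened) | set(resolved)):
        backlog += opened[m] - resolved[m]
        trend[m] = {"opened": opened[m], "resolved": resolved[m], "open_at_end": backlog}
    return trend

def mean_days_to_remediate(findings, severity=None):
    """Mean time to remediate in days over resolved findings, optionally for
    one severity. Returns None when nothing in scope has been resolved."""
    durations = [
        (f["resolved"] - f["opened"]).days
        for f in findings
        if f["resolved"] is not None and (severity is None or f["severity"] == severity)
    ]
    return sum(durations) / len(durations) if durations else None

def backlog_is_growing(trend):
    """True when the open backlog rose in every month after the first."""
    ends = [v["open_at_end"] for v in trend.values()]
    return all(later > earlier for earlier, later in zip(ends, ends[1:]))
```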
CISOs and security leaders cannot meet their goals and objectives without establishing a clear roadmap for progress. The roadmap should include details about the proper tools, services, and project milestones to make sure the security program operates effectively. The era of annual pen testing is behind us. Ongoing periodic pen tests are now essential for ensuring that organizations remain protected from bad actors and cyber threats throughout the entire year.