
CIS Critical Security Control 18. Penetration Testing

The Center for Internet Security (CIS) provides Critical Security Controls (CIS Controls) to support the evolving field of cybersecurity. CIS Control 18 covers penetration testing (this topic was covered by Control 20 in the previous version).

Penetration testing is the intentional launch of cyberattacks in order to evaluate an organization’s security. Expert pen testers conduct penetration tests to break into your system’s security and highlight the blind spots in your websites, applications or network. By identifying these vulnerabilities, pen testing helps businesses stay on top of security management.

While a best practice for security, penetration testing is expensive because it is complicated and therefore requires experienced and reputable pen testers, also called “ethical hackers.” The tests can introduce risks, including the shutdown of unstable systems and corruption or deletion of data. The output report also poses a risk, as it outlines the steps to break through the organization’s defenses, so it needs to be carefully protected.

Pen testing is often confused with another integral (and often required) practice, vulnerability scanning, but the two have different methods and purposes. Vulnerability scanning (CIS Control 7) uses non-intrusive, largely automated checks to identify known weaknesses in systems and applications without exploiting them. In contrast, penetration testing uses intrusive methods to determine how damaging a cyberattack could be for an organization: it imitates a real attack to discover exactly which IT assets an attacker could reach. Using vulnerability scanning and pen testing together produces a more complete view of security deficiencies.

18.1 Establish and Maintain a Penetration Testing Program

A successful penetration testing program helps your business stay a step ahead of hackers. Pen testing reveals gaps in the security system and demonstrates how easy it is to steal IT assets. The specifics of each pen testing program depend on the nature, size, complexity and maturity of the organization. Here are some guidelines.

  • Scope — A pen testing program should include both external and internal tests. Within these, the scope of a test might include some or all of the following:
    • Network
    • Hardware
    • Web applications
    • API
    • Wi-Fi
    • Physical access to the premises
  • Type — There are three types of penetration testing, depending on how much information you provide for pre-test:
    • Black-box: The testers go in with no knowledge of the internal systems.
    • White-box: The organization provides comprehensive details about the target.
    • Gray-box: These assessments fall in the middle, with the organization providing partial information to the tester.
  • Limitations — Be sure to note limitations that could hinder the effectiveness of the tests, such as:
    • Scope: Due to lack of resources or budget, an organization may choose to limit the scope of pen testing, leading to potential blind spots in their security.
    • Time: While pen testers give each test a structured time frame, adversaries don’t have time limits and can spend weeks or months on an attack.
    • Method: Some pen testing methods could cause the target system to crash, so these techniques are off the table during a professional penetration test.
    • Skills: A pen tester may have studied only a specific type of technology, which could limit their perspective.
    • Creativity: Pen testers may stick to thinking inside the box, merely following the structure and protocols they are given. True adversaries may be more creative with their approaches.
  • Frequency — The CIS Controls advise organizations to conduct both external and internal pen testing regularly — at least once per year — and after any significant change in infrastructure or software.
  • Point of contact — Only a few select people should know when a penetration test happens. For each routine test, assign a specific point of contact within the organization to connect with the penetration testing team. If any problems arise while the test is performed, this individual can field the appropriate
  • Remediation and retesting — After the test is complete, the organization should determine what changes to policies and technical measures are needed to improve security. The pen tests should be repeated once these actions have been taken.

Stages of a penetration testing program

The pen testing process involves seven phases. The first six typically take on the order of 10 days, depending on the scope. The final step, remediation, often takes considerably longer.

  1. Pre-engagement — The process begins by setting the objectives. The organization and the testers agree on which enterprise assets are in scope, which aspects of security will be tested, and the rules of engagement (testing windows, off-limits systems and who to contact if something breaks).
  2. Reconnaissance — The tester gathers information on the assets in scope. This can be done actively, by engaging directly with the target network (which the target may detect), or passively, by observing network traffic and collecting the organization’s open-source footprint, such as DNS records, public code and employee details, without touching the target.
  3. Discovery — The discovery phase includes two parts. First, the tester might gather further information, such as hostnames, IP addresses, and application and service details. Next, the tester will conduct a vulnerability scan to look for security flaws in the network, applications, devices and services. Along with vulnerabilities like unpatched systems, testers might discover security policy errors, weaknesses in security protocols, and compliance issues with regard to standards such as PCI DSS, GDPR or HIPAA. Though using vulnerability scanning software is much more efficient, having a team conduct manual checks provides more comprehensive insight into security gaps.
  4. Vulnerability analysis — Next, the tester prioritizes the vulnerabilities that were discovered. While this ranking is partly subjective, expert pen testers will use the Common Vulnerability Scoring System (CVSS), a widely accepted quantitative scoring system. Note that a CVSS base score measures the technical severity of a flaw in isolation; the tester should adjust the priority for context, such as whether the affected asset is internet-facing and what data it holds.
  5. Exploitation — The testers attempt to use the vulnerabilities to access the IT environment. They utilize the same techniques a hacker might, including phishing emails, social engineering and discovering users’ credentials. Once they are in, the testers will assess which assets they have access to. They will note the extent of access, the ease of maintaining access, how long the breach goes undetected and the potential risks.
  6. Reporting and recommendations — The testers provide a detailed report on the identified vulnerabilities and their associated risks, along with recommendations for repair.
  7. Remediation and rescan — The organization’s IT teams work to close the loopholes and fix vulnerabilities. The pen testers then rescan the network to assess the effectiveness of the remediation effort.

18.2 Perform Periodic External Penetration Tests

External penetration tests target the perimeter of your organization’s systems. Specifically, an external pen test approaches from the public internet and tries to break into the environment. The goal is to test how far an outside attacker could get. By simulating a hacker’s behavior, the testers provide an objective perspective on your enterprise’s resiliency and vulnerabilities. External pen testing follows the same seven phases detailed above.

You and the tester agree on the scope of the penetration test in a written agreement that also records the rules of engagement. Because external penetration testing targets externally visible assets, it may include websites, applications, users, APIs and entire network ranges. While some tests may target one aspect of your assets, most will take advantage of the testing to get a more holistic view of your cyber weaknesses. In compliance with CIS Control 18, conduct external pen testing at least annually.

18.3 Remediate Penetration Test Findings

The last step in penetration testing is to improve your defensive position. Prioritize the recommendations from the test and decide which ones to implement in order to reduce vulnerabilities and strengthen your enterprise’s security posture. Organizations might choose not to remediate some weak spots, especially if they score low on the CVSS and are difficult or expensive to address; such decisions should be recorded as accepted risks with an owner and a review date so they are not silently forgotten.

18.4 Validate Security Measures

After in-house IT pros work alongside the pen testing team to remediate issues, it’s crucial to retest the systems for verification that adequate changes have been made. Note that this validation step might require modifying the scanning techniques to best identify system weaknesses.

18.5 Perform Periodic Internal Penetration Tests

The need for internal pen testing derives from the potential of malicious or careless employees, business partners, and clients to do damage. It provides a critical complement to external pen testing. Internal pen testers target the company’s systems using internal access to the network behind the firewall. Internal pen tests help you assess the potential damage and risks to assets if an internal user exploits the system.

Like external pen tests, internal pen tests follow the seven steps laid out earlier and can be black, white or gray box. Testers will use their insider access to attempt to bypass access controls. The team may test the physical computer systems, mobile devices and security cameras, along with employee behavior and procedures. Additionally, the testers may try to exploit a scope similar to an external pen test, including wireless networks, firewalls, and intrusion detection and prevention systems, in order to reveal more potent vulnerabilities.

Summary

Penetration testing is a complex and specialized practice. Performing regular penetration testing is a critical part of data security best practices. External and internal pen tests combined can reveal vital weaknesses in IT systems, vividly demonstrate how vulnerable data and other assets are to breaches, and guide a robust remediation effort to strengthen cybersecurity.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.