Penetration Testing: The Art of Cyberwar

Penetration Testing: The Art of Cyberwar

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

The Art of War is a Chinese military text attributed to a general and strategist called Sun Tzu, and despite being published 2,500 years ago, his words still ring true. 

This oh so easily transitions into the world of cyber security, and penetration testing in particular.

Penetrating the boardroom

Penetration testing has been standard security practice for a decade or more now, and for good reason: by simulating the kind of malicious threats faced by your organization, within a controlled and safe environment, it’s possible to expose potential vulnerabilities that could let the real bad guys in. For the most part, however, pen testing has been the domain of the large enterprise, government departments, the financial sector and those involved with critical national infrastructure. Unsurprising as those were, traditionally, where the bad guys focused their attention. As the threat landscape has broadened, so has the need to ensure that organizations across all sectors and of all sizes have as strong a security posture as possible. Pen testing needs to become a boardroom agenda item; which means that those at the top of the organizational food chain need to know what it is and the business benefits it can deliver.

The ‘what’ is covered by a simple definition: a process of identifying known vulnerabilities that could leave your organization open to attack should they be exploited by a potential threat actor. These vulnerabilities could be technical, or they could be non-technical such as the social engineering threat. The point being that, once identified, these weak points within a network infrastructure, application, process or business logic can be remediated and your overall security posture strengthened as a result. 

The bottom line

The business benefit can be harder to get across to a director with one eye on the bottom line. Yet that bottom line is actually one of the most persuasive parts of the pro-pen test argument. Forget the 'cost-per-record' for a breach where data is stolen, or even the potential fines from regulatory bodies; just a post-breach investigation, incident mitigation and reputational damage can be enough to make some businesses struggle to survive.

Ultimately the bottom line value is dependent on the type of business and what they consider to be business critical. So a banking organization may place more value in ensuring payment systems remain up, and there is business value in a pen test that may expose weaknesses that open their servers up to Denial of Service (DoS) attack. A DoS could prevent payments from being made on time, so anything that highlights these weaknesses before they are exploited is of great value to them, or any organization that needs high availability. While most organizations will see considerable business value in protecting themselves from a breach or a DoS attack, different businesses will have different priorities concerning confidentiality, availability, data protection and so on. Indeed, the ultimate value may even come from gaining something like PCI compliance, which then allows the organization to obtain business from customers that require such compliance to be held.

Mitigating risk

And that’s the real takeaway here: at the end of the day pen testing isn't all about identifying security risks, that's just the starting point. A successful pen test is one that acts as an enabler to your organization when it comes to being in the best position to deal with them. By validating the risk posed by vulnerabilities and weaknesses within your network architecture, software applications or business processes, it is possible to prioritise your remediation effort to good effect. In the context of the modern threat landscape, passive protections alone are not enough; which is why penetration testing should be viewed as part of the security solution alongside efficient incident response practices.  Here’s the thing: once you know which threats are critical, which are false positives and where the real risk lays, only then can you allocate your security budget accordingly.

None of this is rocket science, but it is the art of cyberwar...

Contact and Follow-Up

Should you require further information on any of our services please visit our contact page to get in touch.

If you want to find out more about penetration testing, we also have this white paper which you can download: Penetration Testing 101: Why it should be a key part of your Cyber Security Strategy.

CREST
CREST STAR
CHECK IT Health Check Service
CTAS - CESG Tailored Assurance Service
CBEST
Cyber Essentials
CESG Certified Product
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor