Let's say it's tax season. While an automated tool like TurboTax might seem like a quick and easy solution to get the tax man taken care of, when the deadline actually looms many businesses scrap the DIY approach in favor of an experienced accountant. Why? Deep down, they know that a one-size-fits-all approach isn't the answer to get the best results specific to their business's needs and industry.
The same is true of penetration testing and reporting. You can't force every business into a one-size-fits-all mold. This is a risky practice we in the security industry refer to as a "reporting mill," and in this post we'll discuss why you should be wary of them.
Before considering the drawbacks of relying on a so-called reporting mill, let's first clarify what we mean by security testing. Security testing, also known as penetration testing, sees a team of information security professionals take an ethical hacking approach to assessing an organization's security risks.
The tester will identify vulnerabilities and seek to exploit them to help a business strengthen its security posture and develop resilience against evolving threats: exactly what a hacker does, but for good and not evil! These simulations of real-world attacks not only highlight hacking opportunities but also lead to concrete solutions for better preventing and protecting against attacks in the future.
There are seven main areas of penetration testing any professional should consider:
Yet the goal is not simply to determine if the business can be hacked. Rather, it's to test for penetration opportunities and to identify the business risk associated with an attack. As we always say at RedTeam, we don't just point out vulnerabilities. We help you actively take the right steps to correct them.
A reporting mill typically runs through a routine checklist of possible attack vectors, identifying the same security vulnerabilities over and over again. Of course, what they find is useful. Any insight into information security weaknesses or opportunities for hackers can help a business shore up its security posture.
Yet you wouldn't settle for a doctor who diagnoses and treats a 5-year-old boy the same way they diagnose and treat a 65-year-old woman, would you? Sure, you're dealing with a doctor and there's probably some degree of usefulness to their diagnosis, but it's not customized. It doesn't treat you. Likewise, businesses shouldn't settle for this type of standardized security testing.
Partnering with a penetration testing team like RedTeam that can customize its approach to your specific needs, such as industry, size, and scope, will prove more effective overall. Working with a high-touch team that remains in regular communication with your designated representative before, during, and after testing drives greater responsiveness and more effective remediation.
Many security testing mills rely on automated testing. While automated testing enables efficiency (and we employ it ourselves as part of our comprehensive approach), it's only effective in the initial phases of penetration testing. Bad actors looking to install ransomware, hack a network, or steal personally identifiable information aren't going to stop at the simple, standardized means of access. When they run into a wall, they'll figure out a way around it if they really want to get inside.
True penetration testing should consider the business's vulnerability to both automated and advanced manual testing. To get a full picture of the client's security posture, testers ought to use all the same tools (commercially available or internally developed) a hacker might in a real-world situation.
As one industry blogger put it, whenever "we are taking the human out of the mix, we are taking the intelligence out of the mix."
The Open Web Application Security Project (OWASP) is focused on providing "impartial, practical information" annually. For 2017 it identified the top 10 application security vulnerabilities:
That's a lot to consider, and it's only the top 10! Obviously, then, proper penetration testing must take a comprehensive, risk-based approach to identify application-centric vulnerabilities as well as those at the system or network level. Plus, there may be device- or Internet-of-Things-level risks and physical security control penetration risks to be addressed.
It's not necessarily true that a reporting mill will charge less than an industry-aware security testing provider. Yet selecting a cut-rate approach to business penetration testing can mean you're paying for cut-rate work, too.
Instead, look for penetration testers drawing on deep experience and understanding of both sides of the equation. They can approach the testing environment from the perspective of both the hacker and the software or system developer.
The best penetration testers will be informed and up to date regarding specific vulnerabilities in your industry. This might mean they're familiar with HIPAA, FDIC, or PCI standards, or with developing attack threats specific to your industry. So they'll know what your business requires, and they can even save you money by identifying when you're getting more than you realistically need.
A reporting mill is focused exclusively on running the penetration test. Then it's up to the customer to figure out what to do with the results. If you were faced with a 1,000-page report covering your vulnerability assessment in detail, would you know what to do with it? And even if you did, would you feasibly be able to lead your IT team through the follow-up work?
Instead of getting left holding the bag, partner with a penetration testing provider that offers individualized attention, regular communication, a written report, and ongoing access to its team of information security experts. Just as there is no one individual profile out there for a hacker, there is no one single, standardized approach for testing and addressing the results.
Exposing vulnerabilities and identifying security threats should be only part of the process. Being sure you understand how to tackle remediation and can best prioritize your needs against your resources and industry regulations: that should be the real deliverable you look for in selecting a testing partner.
Beyond customization and regular communication from our highly trained experts, the RedTeam security testing experience doesn't end when our team files its written report. Our clients have ongoing access to ask for remediation direction, and all of our penetration tests include remediation retesting at no additional charge.
Don't settle for a reporting mill that will treat your testing like a cookie-cutter, checklist approach. Partner instead with highly skilled penetration testers with industry-specific expertise.
Whether we're identifying application layer, network, system, or device level flaws or examining physical security controls, RedTeam recognizes we've been hired not just to find security issues but also to put you on the path to fixing them.