The Evolution Of The Penetration Test

Toby Scott-Jackson, senior security consultant at SureCloud explores how penetration testing has changed – and how it must continue changing in the future.

Penetration testing has, quite rightly, become part of the basic IT security vocabulary.  It is a core element in any organisation’s security strategy, a crucial tool in the fight against cyber criminality.  But that’s not to say that penetration testing is a static entity.  Rather, it has undergone an evolution to get to this point – and, crucially, it must continue evolving in order to continue supporting and enhancing organisations’ security postures.

To explore the future evolution of penetration testing, we must first consider how the traditional cycle looks, and what catalysed it in the first place.  The need for penetration testing is always driven by sharing of resources – by multiple users accessing one system. In years gone by, such resource-sharing might simply involve multiple users using the same database or admin system. Then came enterprise networks that link up different departments within an organization.  The internet itself is another resource-sharing innovation – and now we are moving into the next era, with the rise and rise of connected devices and the Internet of Things (IoT).

The problem is that, as soon as more than one user has a connection to the same resource, then compromising that resource without having physical access becomes possible. And because each of the innovations outlined above has been exactly that – a true innovation, deploying entirely new technology concepts – it is very difficult for IT professionals to predict the vulnerabilities that may occur.

This leads to the second stage of the penetration testing cycle – the abuse of a new system by a cybercriminal, in which a vulnerability is identified and compromised to gain access to network resources.  Following this is stage three of the cycle – the recreation of that abuse, so that security professionals can determine what those hackers can do, and how to resolve the problem.

This process of launching a new computing system, discovering unexpected bugs and flaws, and then repairing them was as true at the dawn of computer security in the 1960s as it is now, with the advent of the IoT. Nowadays, security professionals do their best to skip the abuse step, and go straight to recreating potential attacks before they occur. But the underlying logic remains the same.

New era, new challenges

The trouble is that the IoT era has thrown up some new challenges:

  1. New technologies, evolving at lightning speed. Computing has always been about change and development, but the IoT era has made that pace of change – and growth in scale and complexity – happen at a faster rate than ever before. An organisation supporting connected devices makes significant changes to its infrastructure every day.
  2. Keeping up with sophisticated adversaries and threats.  This is a pentesting challenge that has always existed, but the IoT era has amplified it enormously.
  3. Maintaining the big picture. Somewhat in opposition to the first two challenges – if organizations are continually trying to keep pace in this hugely dynamic world, how can they ensure that they retain a strategic view of IT security, which is precisely tailored to their unique context? One example of this might be native desktop applications, which are largely ignored by the major security standards across the industry, yet still process some of organizations’ most sensitive assets.

How, then, should penetration testing look now – and in the future – in order to respond to these challenges?  Here, there are three elements to consider:

  1. The big picture. Too many organizations are still too rigid in their thinking – focusing all of their testing attentions on PCI DSS compliance, for example. Other organizations overlook what happens when they pivot from one environment to another. Penetration testing strategies should be built with the widest-ranging possible view of the organization’s IT infrastructure, aims and objectives.
  2. Frequency of testing. Currently, many businesses employ a shotgun approach to their penetration testing, carrying out a planned, fixed-term testing programme once or twice a year. In the new IoT era, this needs to change.  Penetration testing must be embedded in an organization’s standard upgrade procedures, and tied to that organization’s risk appetite and exposure. Delivering this kind of frequency of testing means adopting a “pentest-as-as-service” model, replacing the outdated annual or biannual approach.
  3. Analysis and counteractions. It is crucial that businesses act in a timely and strategic manner when it comes to actually responding to their penetration test results. Findings should be rated not only on severity, but also on the practical action that the business needs to take.

Platform for pentesting evolution

One of the key challenges in expanding the types and frequency of testing is in the way the results of the test are delivered.  It’s usually done with a static PDF report or Excel spreadsheet, which then needs to be converted into actionable information and implemented.  This additional post-test work gets in the way of actually resolving the problems found by the test, because there’s only a finite amount of management time that can be allocated to this area – so testing isn’t done as frequently as it needs to be.

This challenge can be overcome by using an online management platform to provide dynamic reporting capabilities, trend analysis, remediation management workflow, and on-demand technical support.  This cuts the overhead in managing tests and results, and enables tests to be done more frequently – moving away from the traditional, fixed ‘point-in-time’ test approach, while helping to drive fixing of the vulnerabilities that are discovered, before they are exploited.  It can also support the ‘pentest-as-a-service’ approach, in which companies would subscribe to services with a guaranteed number of testing days available and use them as required, in-between regular scheduled testing.

Technology, security and cybercriminals are all continually evolving – which means that the traditional, annual or biannual penetration test is no longer an option.  With more regular check-ups on the security of their networks and applications via a platform-based approach, organisations will gain a better understanding of their business risk, and move to the next stage in the evolution of their organisations’ security.

About Toby Scott-Jackson
Toby is SenioToby Scott-Jacksonr Security Consultant at SureCloud, a supplier of Cloud-based Governance, Risk and Compliance (GRC) solutions.  Prior to co-founding SureCloud in 2006, Toby worked at AIL, an independent security consultancy where he was managing director.  Toby began his career as a programmer after graduating from Oxford University. A qualified CHECK team leader, Toby today conducts security audits and advises on vulnerabilities for SureCloud’s customers with contact centres including major retailers and financial institutions.