The Dangers of PCI-Only Pen Tests
In my 11 years of helping customers pen test their networks, I have often seen companies choose to test only the bare minimum. I understand that companies need to satisfy compliance requirements such as PCI or reassure customers, and that security budgets can be tight. However, why not get more value out of your pen test?
Artificially constrained tests may seem reasonable, cheap and quick. However, they create a false sense of security and don’t give real insight into true technical risks. You are already paying for a test, so why not broaden the scope for a little more money? The benefits outweigh the costs:
- You'll be doing your company a better service by testing for real-world risk at the same time you satisfy customer requests or PCI compliance.
- You’ll understand how your security posture looks through the eyes of a hacker using modern Tactics, Techniques and Procedures to breach your systems.
- You’ll have an effective way to test your detection capabilities against a professional adversary attempting to exfiltrate data without being noticed.
- You’ll get an understanding of real risk which will help you prioritize what you need to fix and budget in the future.
- You’ll boost your career and visibility in your company. Contrary to popular belief, understanding real risk is a career builder. It's better to know what's out there and what you need to do to fix it. Board members want to know risk; it’s a big part of their motivation. If you get an understanding of real risk, you have the chance to communicate it to board members and get them on your side. A career-ending move would be to stick your head in the sand and then have a breach; board members don’t like surprises.
- You’ll help your budget. A real-world pen test will help you understand true risks so you can prioritize an action list for improving security. This plan is what board members are looking for and is a good way to enlist their help (hint: BUDGET). Otherwise, they assume all is good and will continue on with the same bare-minimum budget.
Defenders think in terms of lists, and hackers think in terms of diagrams of the target. Commodity pen testing is, again, thinking in terms of a list. If a vendor asks “How many external IPs do you have?” you should automatically eliminate that vendor; that question points to a commodity pen test. How often do real hackers ask for or receive that information? Commodity vendors are taking customer money to provide just a scan plus exploit. I call that the “Scan+Exploit+Report+Invoice” approach. Would a real hacker approach a target in such a manner in today’s world of strong security and awareness? It really upsets me that vendors collect a check and just go through the motions. A good security steward needs to understand their real-world risks. Passing a quick test or being compliant doesn't necessarily mean you're secure; just ask Equifax, Target or other recently breached companies.
Often, my company tests after a commodity pen tester and we find all kinds of issues that they missed. Customers will say “We’ve been using XYZ for years, and they never found anything like this.” Of course we found more; we think and act like hackers. It would be terrible if a customer planned their security around a commodity pen test that missed something important and then were breached. That would create some very hard questions from executives.
At NetWorks Group we love pen testing and see it as a valuable exercise. Give us a call and we’ll show you how we help customers understand real-world risks and how you’ll look to a hacker.