The Four Goals Of A Penetration Test: How To Improve Your Security
What is penetration testing, and how do I know if I'm getting value out of my penetration test?
Penetration testing is a type of security test in which an organization simulates an active attacker targeting its environment in a safe and controlled way. It is also sometimes called ethical hacking. Organizations should conduct penetration tests regularly because you simply do not want criminals to be the first to test your security.
When it comes to a penetration test, there are goals that should be met from your testing. These goals are a good way of making sure you’re getting the most value out of your penetration test.
There are 4 goals we focus on at Craft Compliance: vulnerability, exploitability, alertness, and responsiveness. (Or VEAR for short, which sounds a bit catchier anyways.)
Each time your organization conducts a penetration test you should ask yourself the following questions to ensure each goal has been met:
1. How vulnerable are we?
First, you’ll want to identify the technical weaknesses and vulnerabilities that can be exploited, including human weaknesses where possible. These will include publicly known issues that any vulnerability scanner should be able to identify from software version numbers, but also business logic issues, missing authentication or authorization controls, and other security issues that only a manual tester can find.
2. How exploitable are we?
To identify how exploitable your security environment is, you’ll need to evaluate the escalation paths across your environment from an exploited vulnerability. This is also a good indication of the impact of an exploited vulnerability and a much better indicator of risk than a raw CVSS score.
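The point above, that the escalation paths reachable from an exploited host say more about risk than the CVSS score of the finding itself, can be made concrete with a small ranking script. The following is an added example, not Craft Compliance's own tooling: it models the environment as a constructed graph of hosts and escalation edges, assigns each asset a constructed sensitivity rating, and ranks three constructed findings by the most sensitive asset their foothold can reach rather than by CVSS alone. All host names, edges, ratings and finding IDs are made up for the demonstration.

```python
"""Rank penetration-test findings by reachable impact instead of raw CVSS.

Added illustration (not Craft Compliance code). Every host, edge,
sensitivity rating and finding below is constructed sample data.
"""
from collections import deque

# Constructed escalation graph: an edge A -> B means a foothold on A gives
# a path to B (shared credentials, admin rights, trust relationship, etc.).
ESCALATION_EDGES = {
    "web-dmz": ["app-server"],
    "app-server": ["db-prod", "file-share"],
    "file-share": ["domain-controller"],
    "domain-controller": ["db-prod", "file-share", "app-server", "hr-system"],
    "kiosk": [],
    "db-prod": [],
    "hr-system": [],
}

# Constructed asset sensitivity: 1 = low value, 5 = crown jewels.
ASSET_SENSITIVITY = {
    "web-dmz": 1, "app-server": 2, "file-share": 3, "db-prod": 5,
    "domain-controller": 5, "hr-system": 4, "kiosk": 1,
}

# Constructed findings: (finding id, host where it was exploited, CVSS base score).
FINDINGS = [
    ("F-1", "kiosk", 9.8),     # critical CVSS, but the kiosk leads nowhere
    ("F-2", "web-dmz", 6.5),   # medium CVSS, but it is the doorway to the core
    ("F-3", "hr-system", 7.5),
]


def reachable_from(start, edges):
    """Breadth-first walk returning every host reachable from `start` (inclusive)."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in edges.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact_score(start, edges, sensitivity):
    """Impact = the highest sensitivity among everything the foothold can reach."""
    return max(sensitivity[h] for h in reachable_from(start, edges))


def rank_findings(findings, edges, sensitivity):
    """Sort findings by reachable impact (descending), then by CVSS as a tie-breaker."""
    rows = []
    for fid, host, cvss in findings:
        rows.append({
            "id": fid,
            "host": host,
            "cvss": cvss,
            "impact": impact_score(host, edges, sensitivity),
            "reach": sorted(reachable_from(host, edges) - {host}),
        })
    return sorted(rows, key=lambda r: (r["impact"], r["cvss"]), reverse=True)


if __name__ == "__main__":
    for r in rank_findings(FINDINGS, ESCALATION_EDGES, ASSET_SENSITIVITY):
        print(f"{r['id']} on {r['host']:<18} CVSS {r['cvss']:<4} "
              f"impact {r['impact']}  reaches {r['reach']}")
```

Run as written, the medium-CVSS web-DMZ finding ranks first because it reaches the database and domain controller, while the 9.8 on the isolated kiosk drops to the bottom. In a real engagement the edges would come from the tester's documented escalation paths and the sensitivity ratings from your asset inventory.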
3. How alert are we?
To test your alertness, you’ll need to identify whether your security tools are alerting when a vulnerability is identified or exploited during the penetration test. Any vendor should be able to provide enough detail in the report or in follow-up notes (timestamps, code, programs run, etc.) to help you verify whether your tools are alerting as expected.
4. How responsive are we?
You’ll need to identify whether your security procedures for responding to alerts are followed or whether there are gaps. Then determine if your team meets SLAs as appropriate and if escalation paths make sense.
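Goals 3 and 4 both come down to lining up the tester's timeline against your own alert and ticket records. The script below is an added example, not Craft Compliance's own tooling: it takes a constructed tester timeline of the kind a vendor's follow-up notes would provide, a constructed SIEM alert log and constructed response tickets, and reports which tester activities produced an alert, how long each alert took to fire, and whether acknowledgement and resolution met an SLA. The SLA values and the 30-minute attribution window are assumptions chosen for the demonstration, not figures from the article.

```python
"""Check alertness and responsiveness against a penetration tester's timeline.

Added illustration (not Craft Compliance code). The tester actions, SIEM
alerts and response tickets below are constructed sample data; the SLA
values and the attribution window are assumptions for the demo.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def ts(s):
    """Parse a constructed ISO-style timestamp string."""
    return datetime.strptime(s, FMT)


# Constructed tester timeline, as a report's follow-up notes might list it:
# (timestamp, target host, activity label).
TESTER_ACTIONS = [
    (ts("2024-05-06T09:02:00"), "web-dmz", "vulnerability scan"),
    (ts("2024-05-06T09:40:00"), "web-dmz", "exploit web vulnerability"),
    (ts("2024-05-06T10:15:00"), "app-server", "credential use from new host"),
    (ts("2024-05-06T11:05:00"), "file-share", "bulk file access"),
]

# Constructed SIEM alert log: (alert timestamp, host, rule name).
ALERTS = [
    (ts("2024-05-06T09:03:10"), "web-dmz", "Port scan detected"),
    (ts("2024-05-06T10:31:00"), "app-server", "Logon from unusual source"),
]

# Constructed response tickets: rule name -> (acknowledged at, resolved at or None).
TICKETS = {
    "Port scan detected": (ts("2024-05-06T09:10:00"), ts("2024-05-06T09:25:00")),
    "Logon from unusual source": (ts("2024-05-06T12:45:00"), None),
}

# Assumed values for the demo.
ALERT_WINDOW = timedelta(minutes=30)  # an alert is attributed to an action if it fires within this
ACK_SLA = timedelta(minutes=15)       # time from alert to analyst acknowledgement
RESOLVE_SLA = timedelta(hours=4)      # time from alert to closure


def match_alert(action, alerts, window=ALERT_WINDOW):
    """Earliest alert on the same host within `window` after the action, or None."""
    when, host, _ = action
    candidates = [a for a in alerts if a[1] == host and when <= a[0] <= when + window]
    return min(candidates, key=lambda a: a[0]) if candidates else None


def alert_coverage(actions, alerts):
    """Per tester action: whether it was detected, by which rule, and time-to-alert."""
    rows = []
    for action in actions:
        hit = match_alert(action, alerts)
        rows.append({
            "activity": action[2],
            "host": action[1],
            "detected": hit is not None,
            "rule": hit[2] if hit else None,
            "time_to_alert": (hit[0] - action[0]) if hit else None,
        })
    return rows


def response_check(alerts, tickets, now):
    """Per alert: were acknowledgement and resolution inside the SLA?"""
    rows = []
    for fired, host, rule in alerts:
        acked, resolved = tickets.get(rule, (None, None))
        ack_delay = (acked - fired) if acked else (now - fired)
        res_delay = (resolved - fired) if resolved else (now - fired)
        rows.append({
            "rule": rule,
            "host": host,
            "ack_within_sla": acked is not None and ack_delay <= ACK_SLA,
            "resolved_within_sla": resolved is not None and res_delay <= RESOLVE_SLA,
        })
    return rows


def summary(actions, alerts, tickets, now):
    """Roll the two checks up into the numbers you would put in front of management."""
    cov = alert_coverage(actions, alerts)
    resp = response_check(alerts, tickets, now)
    return {
        "detection_rate": sum(r["detected"] for r in cov) / len(cov),
        "undetected": [r["activity"] for r in cov if not r["detected"]],
        "alerts": len(resp),
        "ack_sla_met": sum(r["ack_within_sla"] for r in resp),
        "resolve_sla_met": sum(r["resolved_within_sla"] for r in resp),
    }


if __name__ == "__main__":
    for r in alert_coverage(TESTER_ACTIONS, ALERTS):
        print(f"{r['activity']:<30} {r['host']:<12} detected={r['detected']} "
              f"rule={r['rule']} tta={r['time_to_alert']}")
    print(summary(TESTER_ACTIONS, ALERTS, TICKETS, now=ts("2024-05-06T17:00:00")))
```

With the sample data, the noisy scan and the credential reuse are caught but the actual exploitation and the bulk file access go unnoticed, and the one alert that mattered sat for over two hours before anyone acknowledged it. Those two gaps, an undetected step and a missed acknowledgement SLA, are exactly what the alertness and responsiveness goals are meant to surface; the tester's detailed timeline is what makes the comparison possible.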
Red Team Vs. Blue Team Penetration Testing
You can rest assured that these goals ensure you’re doing proper Red Team and Blue Team testing. The Red Team’s objective is to improve cybersecurity by showing the impact of successful attacks and what works for the defenders in an operational environment, so Red Team testing covers vulnerability and exploitability (the ‘VE’ in the acronym above).
The Blue Team, on the other hand, identifies security risks and threats within the operating environment as well as analyzes the network environment and its current state of security readiness. The Blue Team testing covers the alertness and responsiveness (or the ‘AR’ in the acronym).
Does your security VEAR from best practice?
Our security framework and technical security services are focused on providing tangible and meaningful contributions to your program. We work closely with you to ensure you understand every step of the process and corresponding results. Our testing methodology is always based on industry standards and satisfies requirements for all major compliance frameworks.
You can learn more about our security services on our website or contact us for more information on how we can help your organization!