Specifically, a tool that assesses risk to our business by taking a real-world approach to finding and exploiting weaknesses in our security controls, policies, and practices. Implementing security controls to mitigate risk in our business without performing penetration tests would be similar to putting airbags in a new car model and shipping it without crash-testing to make sure they go off in the correct way and at the correct time. Sure we can rely-on and trust our defense-in-depth security strategies, but all defenses require skilled humans to configure them appropriately to each unique environment, compounding likelihood of human error. Regular penetration assessments can help find missed, overlooked, or ineffective configurations before they can be exploited.
If we have heard it once we have heard it a million times. 'What is the Cost-Benefit Analysis?'. We will touch on this more in depth in another post, but for now what are the key factors to keep in mind for penetration assessment CBAs? According to IBM's "Cost of Data Breach Report 2023", the average cost of a data breach in the US is just shy of $9.5M. The most-expensive, full-scope penetration assessments for an average SMB wouldn't touch 10% of that figure in 10 years. Do we have security tools, policies, and practices in place to be validated? Do we have any obligations from governing bodies, auditing bodies, insurance policies, or clients? Are there verticals that we will be barred-from or granted-access-to by omitting or taking this course-of-action?
First we have to understand our business objectives, the critical components to meeting those objectives, the security systems around those components, and whether we handle any sensitive data (PII, HIPPA, financial data, CUI, etc.). Choosing a partner organization that understands these is critical when purchasing a penetration assessment, and a great organization will be able to help us determine these criteria if we haven't yet.
Once we define these criteria, we can start to understand better what aspects of our company are likely to incur the most risk to our business when attacked, which gives us the priority, type, and scope of penetration assessments needed. Once we receive the results of the penetration assessments and digest them, we should have a fairly solidified understanding of how our current security strategies are holding up under pressure, as well as where some of our weaknesses are. One thing we need to keep in mind is that penetration assessments findings (or lack thereof) are indicators of risk, not guarantors of security.
I cannot tell you how many times I have reviewed proposals for penetration assessments only to find out they were trying to sell me an environment scan; so how do we weed out scans and at the same time recognize a high-quality vendor? There are several indicators that can help us with this goal in mind, and as you have probably guessed, I am covering this topic even more in-depth in another post. One of the easiest ways to find this out is to ask for a sample report as part of our Request for Proposal.
Any valid service will have these ready to hand out and will be ecstatic that we asked for it up front! In addition to a sample report, we should see pen testing-relevant certifications from their team (most proposals include some form of qualifications section), a verifiable-history of the company working in the cyber-security space, and quite frankly a price that matches.
If you are looking for a partner to help you understand and mitigate actual security risk to your company, click here to schedule a free pen testing consultation. If you are looking for more information on this topic and many more, please check out our other blog entries here.