Proving Compliance and Security Effectiveness Through Pen Testing
Anh: You may start or you may consider getting a pen test for compliance reasons, but you actually gain a lot of security and overall cyber risk management benefit from getting it done. So don't just approach it that I just need to get one done once a year. Get a pen test done. Use it as a very powerful tool in your cybersecurity arsenal to really help protect your organization's data.
Jara: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. Not all pen tests are created equal and not every compliance certification demands the same thing, so how do you choose the right pen test for your compliance goals? On this episode, we're covering the essentials, mistakes, and how to get the most value from your pen test, no matter which certification you're going after. And to make sure we get the best understanding possible, I have two experts with me during this episode, Anh and Christina, I know you guys have been on here before, but just in case this is someone's first episode tuning in, I will have you introduce yourself, and Anh, I will go ahead and start with you.
Anh: My name is Anh. I'm currently the director of penetration testing and security at Trava. Basically what my title says, I lead the penetration testing team, serving all of our customers, and I also lead our own security program internally.
Jara: You're very important here with all of us at Trava. All right, Christina, go ahead and introduce yourself.
Christina: Awesome. Well, hi everyone. My name's Christina. I am a security advisor here at Trava and also one of the members of the pen test team. So we've had much experience with various types of pen tests. Definitely looking forward to giving some insight to pen tests overall.
Jara: Fantastic. So before we go ahead and jump into the questions, I just want to make note for all of the listeners, Christina and I have actually recorded a podcast episode that went into more basics of penetration testing, so if you want a little more beginner knowledge, I would recommend you go back and listen to that. That episode title is Unveiling Vulnerabilities: The Power of Pen Testing and Cybersecurity. All right, so let's go ahead and jump in, and Anh, the first question is for you. So what is penetration testing and why is it even important for compliance?
Anh: Penetration testing, or pen testing as people usually refer to it, is basically a simulated attack performed by penetration testers or ethical hackers. So these are cybersecurity professionals that are very specialized in finding and identifying weaknesses and exploiting them in an organization's access, environment, websites, all of that. The goal here is to find weaknesses that you may be exposed to before the bad guys do. Why does it matter to compliance? So a lot of compliance frameworks don't really just want you to say that you have controls in place, but they want you to prove that your controls are effective. So a penetration test is basically a very good way of showing that, that all of your controls are effective. I normally think of it as if you have a house and you put all sorts of locks and things in place, a penetration test is basically hiring a professional to try to break in so that you can demonstrate all of your locks and your windows and doors are all secure. Compliance auditors like to see that.
Jara: Okay. So Christina, how do the different compliance frameworks approach penetration testing?
Christina: Absolutely. Yeah, so I'll focus on three, PCI DSS, ISO 27001, and SOC 2, as my examples. But first off, the type of pen test that you opt for can vary depending on the framework you choose, like the three I mentioned, in particular focusing on the scope of the pen test. It's important to point out though that pen tests are not always going to be explicitly required for compliance frameworks. However, it is advised to perform one as opposed to alternative ways of satisfying compliance controls. For instance, using vulnerability scans possibly requires more evidence for the compliance requirement, and that's going to be to demonstrate sufficient vulnerability and risk management for an audit. So choosing to perform a pen test might be a bit more of a direct route to getting the evidence you need for the framework you choose. So for PCI DSS, and that's a long acronym, I'll explain what that is. That's Payment Card Industry Data Security Standard. So that framework is actually one of the ones that does require a pen test to be performed. So this framework was designed to focus on the security of payment card account data, so any companies that manage and maintain credit card data, and the scope is going to be very specific for that framework. For the other two frameworks, it's not an explicit requirement to perform a penetration test. It's not mandated, but for both of these, it is something that is recognized to be good to perform in terms of overall security and satisfying those compliance requirements. Various pen test types can be chosen for either of those two frameworks. So for instance, let's say you have a web application, a storefront application. A web app pen test is going to be more suitable for you. If you have systems that are directly reachable via the internet, an external pen test is something you would choose. If you want to see how an attacker would cause disruption if they gained access to your internal network, you'd choose an internal pen test. You're not limited to one for the frameworks that I listed, but it's definitely something that you should look into if you're going to look towards some of those frameworks I mentioned.
Jara: Okay. So Anh, Christina just mentioned vulnerability scans. Can you go in what the difference is between vulnerability scans and penetration tests?
Anh: Definitely, and it's a very good question because a lot of people in the industry still seem to be very confused or just cannot distinguish between these two very important but different concepts. A vulnerability scan is basically using a tool to look for known problems. So these are things that people know about, they have developed signatures for, very easy to detect, very surface-level checks against your application, your network, anything that can be scanned. It's automated mostly, it's fast, it's useful, and you can run the software as you like. But again, the key here is it looks for known problems and operates at a more surface level. A penetration test goes deeper. In a penetration test, you have a real security professional with background and knowledge and technical tools, different tools that they use to try to look for unknown problems. And these unknown problems can be in the form of a new vulnerability altogether that has never been discovered, or just a novel way of chaining and combining different known vulnerabilities to create a new attack path. So penetration testing goes a lot deeper. It doesn't just look at your surface and say that you have this weakness, this weakness, this weakness. It's actually trying to see, in a penetration test, a professional would try and see if they can use those weaknesses to penetrate your system, gain access to your data, compromise your crown jewels. A good analogy that I usually use for customers: think of your security program or your application as a building, right? So you have doors and windows that guard your building. A vulnerability scan, you're basically walking around looking at windows and making guesses, like that window looks a little thinner, the glass looks a little thinner than usual, so it's probably weak. This door is not made from carbon steel, so it's probably weak. A penetration test is having somebody actually climb up and see if they can circumvent the windows in any way. If they cannot, then they go off to the roof and see another way of getting in. Can they dig under the ground and get in? It involves a lot more creativity and goes a lot deeper than the surface level.
Jara: Okay. So I know that there are different types of penetration testing and I know we even mentioned earlier that they're not all created equal. So when it comes to the types of penetration tests that we see most often, again, it differs for every company's needs, what is that one we typically see? Christina, I'll let you answer that one.
Christina: Yeah. So for the small to medium-sized organizations that we work with on a regular basis, one of the most commonly requested pen tests that is asked for is a web application pen test. So this is going to be for organizations that have a site, an application that is on the internet that users and customers interact with to either pull data, get information, utilize their services from, and so the web app pen test is going to test the overall security of the application to make sure that data is protected. And so there are some categories that are evaluated, but overall, it's to make sure that the application is secure, data is maintained, and that the reputation of the organization is also trusted.
Jara: Yeah, reputation's big, so that's definitely an important one. All right, Christina, next question's for you as well, and Anh, please chime in if you have anything to add. So how often should organizations conduct penetration tests when it comes to maintaining compliance?
Christina: So annually is going to be the standard recommendation, and you're going to see that across compliance frameworks, so it's not just for one, that's the common standard. There are times that it could be relevant to schedule more than one per year, and so for instance, that could be if there were significant infrastructure changes made to your environment, that you'd want to reevaluate your new infrastructure to ensure that best security practices were followed when the changes were pushed. That is definitely one reason behind doing more than one pen test per year. If your organization encountered a data breach, that could be another reason why you'd want to schedule another pen test to follow up and make sure that you've done all the necessary precautions to ensure that the breach doesn't occur again. You do want to make sure that you're keeping time for remediating the pen test findings that were detected when the pen test was performed, so it wouldn't be worthwhile to schedule another pen test if the findings that were detected initially haven't been remediated yet. So making sure you're giving your organization enough time to perform the pen test, remediate findings, and then determine the best cadence for when the next one should be performed. But to sum it up, annual is the standard and then there can be areas when you would need another one throughout the year.
Jara: All right. So you just mentioned a term and I have to clarify what it means. So remediation, remediate, remediating, what is that?
Christina: Absolutely. So remediate is to ensure that the vulnerability, the exploitation that has been detected is fully resolved within the environment that we've detected it against. So making sure that we no longer see that vulnerability or exploit anymore is when full remediation would occur.
Jara: All right, fantastic. Thank you. So Anh, what should companies look for when choosing a penetration testing vendor for compliance purposes?
Anh: Yeah, that's a good question. I'm going to answer that in the context of what your company should look for when choosing a penetration testing vendor, and a lot of people are going to be somewhat displeased with me for saying this, is look for credentials, right? Look for a firm with testers that hold respected cybersecurity penetration testing credentials like the Offensive Security Certified Penetration Tester certification from CREST Organization from the UK or other reputable certification bodies. They are, as with every certification, they've proved that these testers have gone to training, have the knowledge necessary to perform testing, and they can do a good job on penetration testing your system. You also want to look for a company with a little more experience under their belt. So they've been doing this for a while, maybe not pen testing specifically, but they have been in the industry for a while. Their leaders have security backgrounds, things like that. The second thing, and this is very important especially for small to medium-sized companies, is you want to look for a vendor that's willing to help you properly scope your penetration test engagement. Because a lot of vendors will just go to you and just tell you, "You need this, this, and this and this," and they may not be applicable to your environment, and you don't want to be overpaying for your pen test, especially if you operate on a high budget. So look for vendors that are willing to sit down, listen to you, learn about your environment and help you properly scope your engagement so that it makes sense for you. The third thing is you want to find vendors that prove or demonstrate that they will continue to provide support after the initial testing. So this really goes back to remediation. A lot of smaller to medium-sized businesses don't necessarily have the in-house expertise. To remediate findings or put in controls or implement safeguards, things like that, you want to have a pen test vendor that actually helps your internal team implement those. Be ready to answer questions, give them advice if they don't know where to start, things like that, and also provide retest support. There are vendors out there that will charge you for a retest, so look for vendors that have all of that bundled together so you don't get a surprise charge at the end of your engagement. And lastly, this is very important too, look for vendors that communicate well. Vendors that are honest, that showcase their methodology, showcase their report, are willing to share how they approach testing, different test types that they do, are willing to showcase their team, things like that. Vendors that are more willing to showcase and communicate clearly about the process are probably the ones that you want to do your pen test.
Jara: All right. Christina, do you have any tips or anything to add to that?
Christina: I'd definitely reiterate everything that Anh mentioned. One thing I do want to call out is you definitely want to be looking for a vendor that is going to follow industry-recognized standards, and also training resources, making sure that their pen testers are up-to-date on the latest and greatest ways of performing the pen test. So making sure that everything that Anh said, and then also looking for an organization that follows what's currently in the industry.
Jara: And one thing I've definitely learned is that cybersecurity is always changing, so you definitely need to be up-to-date on what's happening. All right. So how can small businesses on a tight budget effectively use penetration testing for compliance? And Anh, I kind of feel like you were touching on this a bit ago, so can you go ahead and answer that question?
Anh: Sure. So again, small to medium-sized businesses most often, if not always, operate on a tight budget, right? So approaching a pen test, especially if you have a diverse environment with different kinds of assets, can be expensive. The first key priority is to make sure that you're strategic about how you get your pen test done. Prioritize your assets, identify the things that are most important to you. That would be the systems that handle sensitive data, systems that really are critical to your business operation, so if you don't have them and they get compromised, you wouldn't be able to do business. And try to scope your pen test around those systems first to make sure that you address your most risky area to begin with. You also want to look for a vendor who can help you scope the test. You want to look for a vendor who will take the time to learn your goals and your objectives for security and compliance as a whole, so if you're trying to get SOC 2, you probably are looking at things like web application, external pen tests or cloud security assessments. You most likely don't need mobile pen tests or social engineering, at least at first. So look for vendors that are willing to work with you to properly scope. And there is also penetration testing as a service. These are services that have recently been introduced to be more of an ongoing subscription package for penetration tests, and these pen tests are usually broken down into smaller parts that get performed throughout the year. So you have a fixed cost that you operate with, you know what to expect, you have regular testing done, so it's easier to work with a tight budget. And then if you have a very large environment and you know that you have a lot of pen tests that need to be done and different test types, just phase them out. Phase them out in a way that makes sense for your cybersecurity program and also for your budget, because if you get all of them done right away, there's no guarantee that your team is ready to handle and fix everything. So again, focus on what matters most first, do that testing, and then slowly incorporate more testing later on.
Jara: All right. Yeah, that is super helpful. So Christina, Anh mentioned the importance of scoping several times, so what are some common mistakes companies make when scoping a pen test for compliance?
Christina: Absolutely. So the first one I would say is if systems or environments aren't prepared or ready for testing. So we would want to make sure that the environments that we are evaluating are up and running and available, and so if there is an asset that would not be prepared for performing a pen test against and that was included in scope, that might hurt the overall engagement time, since we would want to make sure that a full evaluation is completed when performing a pen test. So making sure all your assets are ready to go when the pen test is ready to be kicked off and the engagement is ready to be started. There's another thing I'm going to mention. It's not necessarily a mistake, but specifically for web app pen tests, since that is something that we highlighted previously in the talk. If you're conducting a web app pen test on a production environment, that could potentially limit the pen tester in what they would perform and what they can test. So there's also a possibility that the pen tester could cause availability issues when testing or data could be affected. It's recommended to build out a testing or staging environment, if not already done so, and have that readily accessible so that the pen tester has complete capability to test all areas of the application to the full extent and they don't miss anything. And then a little bit outside of scoping, but I do want to mention that it's not necessarily a bad thing to have a pen test that has a lot of findings. So I wouldn't say that expectations in the initial phases should be that the pen test is going to be clean or the pen test is going to have X amount of findings. It's very good to be open-minded. This is going to be a good practice for maintaining security of your assets, and so not having those expectations in the initial phases of thinking about a pen test would be recommended as well.
Jara: All right. And that's another thing that I've actually learned about cybersecurity and everything. You can't protect what you don't know, so the pen test will just help unveil some things. So Anh, back to you. How can penetration testing support overall cybersecurity risk management beyond just meeting compliance standards?
Anh: In our daily practice, I think a lot of companies usually approach us for pen testing due to compliance reasons, but that's not the only reason to get pen tests done. Once again, going back to the definition of penetration tests, you are getting this deep, expert-level assessment of your security program, of all of your assets, all the defenses that you have in place. So it actually helps your overall cybersecurity and risk management program, because once again, what you said was 100% spot on, Jara, what you don't know, you can't protect. So having a pen test gives you that additional visibility into different attack paths that a normal vulnerability scan or a normal surface-level assessment wouldn't reveal, and it allows you to prioritize your risk, maybe look at your risk through a different lens or view, see things that you weren't expecting before, and that helps you improve your overall cybersecurity program by spending resources to put in controls where it matters. Once you have all of these, your cybersecurity posture and risk plan, it can also help you prioritize your effort too. Again, what I just mentioned is fine if you have unlimited money to work with, but if you don't, getting a pen test done allows you to really drill in on the most risky areas in your cybersecurity posture. Things that are getting proven that can be exploited by attackers, because it's getting tested by what a normal attacker... It's getting tested by somebody who represents a black hat hacker. A pen test can also help build awareness across your security team. You have your penetration tester, especially vendors that, again, are willing to stick with you and help guide you to remediation and improvement. They can provide invaluable knowledge to your developers on how to code securely, how to implement different testing in your software development cycle, how to approach different frameworks. They can help educate your internal IT team on how to find misconfigurations before they get applied. They can also help your leadership team understand what your real risks are and how to approach them and how to remediate them. There's a lot of value that comes with pen testing besides just checking a box for compliance.
Christina: Touching upon what Anh just mentioned, pen tests simulate real world attacks, so things that actual attackers would perform against your assets. The difference is that the attack that we would be performing is going to be in a controlled environment where there's no intent to cause disruption to your organization's reputation or assets. So like we all said, it's better to know where your assets are vulnerable, looking from an attack perspective, and ensuring that you're doing the best that you can to protect your employees as well as customers. So catching vulnerabilities and exploits early on is definitely something that will help lower the security and business risk.
Jara: We definitely just covered a lot here, so before we wrap up, is there anything else that you would like to add or just really make sure that our listeners get? Anh, I'll come to you first.
Anh: I think I would just like to reiterate a couple of points, my main points I touched on. You may start or you may consider getting a pen test for compliance reasons, but you actually gain a lot of security and overall cyber risk management benefit from getting it done. So don't just approach it that I just need to get one done once a year. Get a pen test done, use it as a very powerful tool in your cybersecurity arsenal to really help protect your organization's data.
Jara: Christina, is there anything else that you would like to add before we wrap up?
Christina: Absolutely. So having a pen test isn't a daunting feat. It's definitely something that is going to help your organization maintain overall security and make sure that you're implementing best practices for your organization. It's not necessarily something that should be looked at as a chore. It can be something that will really help overall maintain what you'd like to see for your organization and streamline you into growing your business, so I definitely recommend having a pen test conducted, and we can definitely help with that.
Jara: Trava can absolutely help with that. You can work directly with Anh and Christina and another team member. All right, you two, I appreciate your knowledge and time, and thanks for teaching me about penetration testing as it relates to compliance. Thank you. Now that we've spilled the tea on penetration testing and compliance, it's time to go over the receipts. Anh and Christina are very knowledgeable and I definitely enjoyed my conversation with the two of them. We covered a lot of information, but I did grab a couple of things that really stuck out to me. So the first receipt that I have is what is penetration testing and how does it relate to compliance? So pen testing, which is another way that people refer to penetration testing, is a simulated attack, and it is an effective way to prove that your controls, your cybersecurity controls, are effective, which is the point of a compliance certification. Another receipt that I have is the difference between vulnerability scans and penetration tests. Anh stated that vulnerability scans can be automated and fast, but they really just scratch the surface of what's there. A pen test really goes a lot deeper to try to figure out where those big vulnerabilities are and how someone may even get in and potentially disrupt your business. I also asked how often it makes the most sense to perform a pen test when it comes to compliance, and Christina let me know that it is common across all compliance certifications to at least do this annually. But she also stated that if you have any major infrastructure changes, you should probably hire someone to perform a pen test, as well as if you have a data breach and you think you have solved the problem, it's common and best practice to then perform another pen test to make sure that that vulnerability is no longer there. The final receipt that I have for this episode is related to what people should look for when choosing a pen test vendor, and Anh stated that it's important for small to medium-sized businesses to find a vendor that is really willing to help properly scope. You don't want to work with someone that's adding additional things that aren't completely necessary, especially if you are on a tight budget. I hope that you got as much from this conversation as I did, and if you have any other questions, please reach out to us. Thank you. And that's the Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
Description
Many companies start penetration testing to address compliance requirements. However, it can also provide valuable insights beyond just meeting standards.
In this episode, host Jara Rowe sits down with Anh Pham and Christina Annechino from Trava to talk about how pen tests uncover hidden risks and strengthen your cybersecurity. They explain compliance frameworks, typical pen test schedules, and common mistakes to avoid.
Key takeaways:
- Compliance frameworks and their pen test requirements
- The different types of penetration testing
- How to prepare your environment for a successful pen test
Episode highlights:
(00:00) Today’s topic: Penetration Testing and Compliance
(03:42) Pen testing compliance frameworks
(05:46) The difference between vulnerability scans and pen tests
(09:11) How often to conduct pen tests
(11:04) Qualities of a good penetration testing vendor
(14:34) Making pen testing work on a budget
(16:49) Scoping mistakes that limit test outcomes
(18:53) Using pen tests to improve overall cybersecurity
Connect with the host:
Jara Rowe’s LinkedIn - @jararowe
Connect with the guest:
Anh Pham’s LinkedIn - @anhpham11
Christina Annechino’s LinkedIn - @christinaannechino
Connect with Trava:
Website - www.travasecurity.com
Blog - www.travasecurity.com/learn-with-trava/blog
LinkedIn - @travasecurity
YouTube - @travasecurity
Listen to a related episode:
Unveiling Vulnerabilities: The Power of Pen Testing - https://travasecurity.com/learn-with-trava/podcasts/unveiling-vulnerabilities-the-power-of-pen-testing-in-cybersecurity/