Penetration Testing and Validating Security Controls
Security controls can make us feel confident. Sometimes that confidence proves to be badly misplaced.
Consider the case of a Big Three credit bureau that suffered a massive data breach disclosed in 2017. After public alerts were issued identifying a serious vulnerability in a widely used web application framework, the bureau ran a series of vulnerability scans to determine whether any of its systems were exposed to the newly public issue.
The scans were reassuring. Several rounds of scanning over more than a week uncovered no vulnerabilities. Shortly thereafter, more than 140 million sensitive consumer records were exposed through a credit bureau server that was still running the vulnerable framework.
Ultimately, the scans gave a false sense of security. So what else can we do in terms of cybersecurity validation to ensure something like this doesn’t occur?
Let’s take a closer look.
Automated Penetration Testing and the Validation of Security Controls
Vulnerability scans play a critical role in managing risk, yet they are imperfect instruments. A scanner only checks the hosts and paths it is pointed at, with the signatures it has, so it can fail to flag known vulnerabilities or misconfigurations that are in fact present.
To lower the odds of this happening, maintain a detailed asset inventory that records not just the systems you own but the software components and versions each one runs. When a new threat is publicized, such an inventory lets you identify potentially vulnerable systems immediately, without depending on a scan to find them, and it gives you a place to track the testing and rollout of patches or other mitigations applied to each affected host.
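The matching and tracking described above, as an added example that is not part of the original post or of any XM Cyber product. The inventory, hosts, component name and advisory are all constructed sample data; the version-range check assumes dotted numeric versions with an inclusive lower bound and an exclusive "fixed in" upper bound, which is how most advisories express affected ranges.

```python
import re
from dataclasses import dataclass, field

VALID_STATUS = ("open", "testing", "patched", "mitigated")


def parse_version(v):
    """Turn a dotted version string into a comparable tuple.

    Assumption: versions are dotted integers. Trailing zeros are dropped
    so that "2.5" and "2.5.0" compare equal.
    """
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class Asset:
    host: str
    owner: str
    components: dict                                   # component name -> installed version
    patch_status: dict = field(default_factory=dict)   # component name -> one of VALID_STATUS


@dataclass
class Advisory:
    ident: str
    component: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)


def is_affected(installed, adv):
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(installed)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def find_exposed(inventory, adv):
    """Hosts running an affected version of adv.component, with their current remediation status."""
    exposed = []
    for asset in inventory:
        installed = asset.components.get(adv.component)
        if installed is not None and is_affected(installed, adv):
            status = asset.patch_status.get(adv.component, "open")
            exposed.append((asset.host, installed, status))
    return exposed


def outstanding(inventory, adv):
    """Exposed hosts that have neither a patch nor a compensating control recorded."""
    return [host for host, _, status in find_exposed(inventory, adv)
            if status not in ("patched", "mitigated")]


def record_remediation(asset, component, status, new_version=None):
    """Track patch testing and rollout per host.

    A 'patched' entry must carry the new installed version, so the inventory
    stays consistent with what the version check will see next time.
    """
    if status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r}")
    if status == "patched":
        if new_version is None:
            raise ValueError("patched status requires the newly installed version")
        asset.components[component] = new_version
    asset.patch_status[component] = status


# Constructed sample data: hypothetical hosts, a hypothetical component and a
# hypothetical advisory. None of these correspond to real systems or CVEs.
INVENTORY = [
    Asset("web-01", "web-team", {"example-framework": "2.3.31", "openssh": "8.9"}),
    Asset("web-02", "web-team", {"example-framework": "2.5.10"}),
    Asset("api-01", "api-team", {"example-framework": "2.3.20"},
          patch_status={"example-framework": "mitigated"}),   # e.g. a WAF rule already in place
    Asset("db-01", "data-team", {"postgres": "14.2"}),
]
ADVISORY = Advisory("ADV-EXAMPLE-1", "example-framework", affected_from="2.0", fixed_in="2.4")

if __name__ == "__main__":
    for host, ver, status in find_exposed(INVENTORY, ADVISORY):
        print(f"{host}: {ADVISORY.component} {ver} affected by {ADVISORY.ident} ({status})")
    print("still outstanding:", outstanding(INVENTORY, ADVISORY))
```

Run stand-alone this reports web-01 and api-01 as affected and web-01 as the only outstanding host. The point of `record_remediation` requiring a version on "patched" is that the inventory, not a status flag, is what the exposure check consults: a host marked patched but still recording an affected version would otherwise be silently trusted.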
These basic steps should be backed by something more, however: penetration testing. In the credit bureau case above, a penetration test could have identified the security issue that the vulnerability scanners failed to uncover.
Red team security testing, for example, would have provided another, more thorough layer of analysis, helping to validate whether the deployed controls were actually providing effective security. Rather than running a simple scan, these exercises have skilled professionals act as "ethical hackers" and attempt to breach the environment using a variety of tactics. Red teams not only uncover vulnerabilities but also show how those gaps are likely to be exploited and what a successful attack could lead to.
There is, however, a catch: red team testing is manual and resource-intensive, so it covers a slice of the environment at a point in time. For comprehensive coverage, automation is essential.
The Need for Continuous Security Validation
Automated security testing takes the benefits of conventional penetration testing and extends them much further. Today's breach and attack simulation (BAS) platforms are one powerful example. These platforms run continuous, simulated attacks against the environment, mimicking the mindset and techniques of real attackers to root out hidden exposures. In other words, they operate like an exceptionally skilled red team, but one that never rests.
Large, complex and dynamic networks are innately challenging to manage. Human error and misconfigurations raise the stakes further, and the tools used to assess vulnerability and risk are themselves imperfect. The practical answer to this challenge is continuous security validation.
Automated testing is perhaps the most impactful tool we have for that task, which means IT managers and CISOs should strongly consider using BAS technology to control risk and improve their security posture.
As seen in the example above, “trust but verify” is a core concept when it comes to security controls. Complacency generated by false confidence can lead to disastrous outcomes.
Automated security testing in the form of modern BAS platforms is one of the most effective ways to ensure that vulnerabilities are controlled, and risk is managed, on a continuous basis.
XM Cyber has created the most advanced BAS solution within the market, offering fully automated protection in multiple environments.
Shahar Solomon is Customer Operations Manager, XM Cyber