The first time I ever saw a real pro break into a computer system was in Robert Morris Sr.’s office at Bell Labs in 1986. One afternoon, he invited several of us to gather round his glowing VT-100. We watched as he tapped terse line commands over a cell network called Datakit into a Bell Labs VAX 11/780 running Unix System V. He tapped some more, and within minutes, he leaned back, smiled, and pointed to the familiar root prompt. Game, set, and match.
It has since become clear to me that this super cool process of breaking into systems to improve security, now known as penetration testing, is a noble pursuit. Accordingly, during these past decades, I’ve probably been involved in as many pen tests as any person I know, although admittedly as the proverbial clueless manager, rather than as the expert behind the keyboard.
To that end, I thought it useful to share three management tips I discovered during a career’s worth of engagements. These tips were culled from the smooth mahogany surface of my executive desk, so don’t expect any Metasploit configuration tips in this article. Rather, I offer suggestions for decision-makers on how to optimize the benefits of pen tests. I hope you find them useful.
Tip 1: Focus on Existence Rather Than Absence Proofs. It’s a rookie security management mistake to believe that pen tests prove the absence of security vulnerabilities. Instead, they demonstrate the existence of problems, and can do so ad infinitum. This may seem an exaggeration, but good pen testers can drop their test ladle into your system soup as many times as you like, always pulling up something interesting.
So, if you plan to remove all your vulnerabilities via pen tests, then get ready to empty your budget. Instead, use the technique as a weapon to demonstrate, when necessary, the existence of problems. Having trouble getting the marketing team to follow policy? Well, then, drop a pen test report on their manager’s desk exposing some doozies. Having trouble getting budget from your CFO? No problem – point a pen test at their finance apps and watch the funding flow.
Tip 2: Find a Trusted Testing Partner and Invest in the Relationship. When you find an excellent pen testing partner, presumably through trial and error, stick with this partner and invest in the relationship. I have found that with subsequent test activities, a true pen test partner will learn your culture, infrastructure, and support systems. Such insight is valuable in establishing more accurate test results.
I’ve heard it suggested that diverse groups should perform tests to gain varying perspectives. My experience is that this drives up cost and reduces contextual knowledge. Instead, find a great partner and invest in the relationship. Have them meet your managers, get to know your engineers, and attend private briefings on your infrastructure. This requires time and effort, but it will pay off in the long run.
Tip 3: Demand to See Under the Testing Hood. Too many pen tests are executed black box. This is particularly true for buyers with non-technical staff and modest budgets. In such cases, the in-house ability to ask probing questions about methodology, policy, and tools might be lacking. This is unfortunate, because managers should have a detailed understanding of exactly how tests are being performed.
Suppose, for example, a popular test suite is exposed to have malware. Knowing immediately whether your test team used these tools on some previous engagement is vital. Furthermore, the determination as to whether a pen test has become too aggressive should be based on your culture and your risk tolerance. Unless you are directly engaged, the wrong decision might be made.
As suggested above, these tips are offered to assist the pen test management team. Clearly, experiences will vary based on local infrastructure, but it’s been my observation and experience that following these guidelines will reduce risk, improve results, and help the cyber security team maximize value from this important task.
Good luck managing your next penetration testing activities!
- by Edward Amoroso, Founder & CEO, TAG Cyber LLC