On occasion, we get clients who are concerned about some of the stereotypes they may read about or hear when it comes to a penetration test. While a penetration test does mean we attack your infrastructure, we are not your adversaries. Your company made the security-mature decision of soliciting security testing, and it is important to us that we help secure your environments in a way that addresses the full spectrum of security challenges. In this blog, we’ll talk about some of those concerns.
They Say It’s Cheating
We say it is value-added. Sure, an attacker may have to spend weeks or months slowly grinding away before possibly gaining valid account credentials through phishing or password spraying. But when you buy a penetration test from any company, you are trading your money for testing time. We prioritize our time based on the desired outcomes and objectives within the project scope. Many objectives, such as testing whether Multi-Factor Authentication is enforced and how well it is implemented, require credentials; so does checking for account segmentation, information segmentation, and weak privilege management.
We don’t have weeks or months to try to gain access. We’ve been paid for a few days of work and have to do more than simply attack the login panel.
They Say Attackers Don’t Have Credentials
Sure, an external attacker may not have credentials and would have to obtain them through an initial-access technique such as social engineering or password spraying. That said, Matt in Accounting already has an account and access to the company’s books. Matt is pretty upset that you’ve chosen to rescind the work-from-home policy after he and his family decided to buy a new home in another city.
Matt would be an example of an “Insider Threat.” The Cybersecurity & Infrastructure Security Agency (CISA) states that “Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors.”
They Say It Will Get Them in Trouble
Sure, insufficient security policies may result in discipline, but the real finger-pointing starts when a company lands in the news or, worse, in civil or criminal court. Simply saying your company has had a penetration test is not enough due diligence. The pentest report will state clearly what expectations were set for the assessment. If your organization has chosen not to provide credentials for testing, that will be noted in the report. At TCM Security, we include a statement in our executive summaries that covers this. That statement always recommends that you conduct additional, credentialed testing, because there may be further attack pathways that can only be reached with credentials.
They Say It Doesn’t Align with Testing Goals
A goal that does the bare minimum may not be the best bar to set for the organization. We agree that when your organization regularly engages a security company to perform both authenticated and unauthenticated testing, an unauthenticated engagement is beneficial: it is good defense in depth and helps with the overall maturity of your organization. But if the goal is to only ever conduct unauthenticated testing, your organization is at risk. We recommend that every unauthenticated assessment you conduct be paired with another one performed with credentialed access.
What’s the Right Answer?
Good policymaking begins with eliminating stereotypes and being objective about organizational goals. Your company is hiring TCM Security not only to test for weaknesses, but also to consult on security best practices and to help you better understand the security vulnerability landscape. We are here to help you craft strong testing objectives and goals, and to help you navigate how to communicate vulnerabilities in order to ensure remediation.
Let us help you with navigating your next security assessment. Contact us at info@tcm-sec.com to get started or fill out the form below.
References used in this article
https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats