A penetration test is only as good as the person conducting it. There are gaps that a national execution standard could fill, helping ensure that networks are tested to the same baseline and are equally secure.
As the number of cyber attacks increases, the demand for penetration tests – to determine the strength of a company’s defenses – is also going up. People are worried about their companies’ networks and computer systems being hacked and data being stolen. Plus, many regulatory standards such as PCI and HITRUST require these tests to be performed on at least an annual basis.
The demand for these tests is only going to increase as attackers get more sophisticated. And it’s essential these tests catch all possible vulnerabilities.
Benefits and gaps of penetration tests
Penetration tests involve live tests of computer networks, systems, or web applications to find potential vulnerabilities. The tester actually attempts to exploit the vulnerabilities and documents the detailed results for their client. They document how severe the vulnerabilities are and recommend the steps that should be taken to resolve them.
The problem, however, is that results can vary significantly depending on who performs the test. There is no comprehensive national execution standard defined to perform penetration tests. That leaves a lot of room for security vulnerabilities to be missed, which can lead to many organizations not knowing how strong their security controls are.
For example, one cybersecurity firm can test a network and identify 10 vulnerabilities, while another could find only two. This is a concern, and something should be done to address this.
Solution: National pen test execution standard
One way to close the gap on this problem is to create a national penetration test execution standard that cybersecurity testing firms would have to comply with.
This standard would need to go into much more detail than the existing NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, which provides only general guidelines for performing penetration tests. While that guide has good information, it does not go far enough in specifying exactly what types of activities should be completed during a test, and it does not provide up-to-date information on attacker behavior and how to emulate it during a test.
This new standard would need to include a list of recommended tools and the standard targets within an environment that must be tested. It would include application and network-based requirements that must be tested on both the internal and external network segments. It should also detail the various types of attacks that systems should be tested against.
The FBI and Department of Homeland Security have some of the most up-to-date information about attack tactics and can help ensure that these are covered in the testing standard.
Once the basic penetration test required by the standard is complete, companies can conduct their own, more creative tests, which are essential because many companies use their own customized tools and processes.
For a standard approach to succeed, though, the penetration test standard would have to be updated regularly. Attackers are constantly changing tactics, and those need to be incorporated as they are discovered.
Having a national penetration test execution standard that cybersecurity firms follow as part of their process will help businesses appropriately assess their cyber risk so they can focus on investing their resources in the areas where they are needed most.