Leveraging the Value of Penetration Testing Services

Rob Hughes
Today, data loss prevention (DLP) is the business of every business. From CEOs of large global enterprises to owners of mid-market organizations, every company leader has reasons to be up at night thinking about the security of their data.

And when the CEO worries, everyone worries, with good reason: the costs of a data breach can be catastrophic, and those costs and consequences often stretch over a long period—2 years or more in some cases, according to the 2019 Cost of a Data Breach Report from IBM and the Ponemon Institute.

According to this year’s report, malicious or criminal attacks accounted for 51% of data breaches in the past year. To defend against that intentional targeting, companies need to focus their time and effort on remediating the security gaps that an attacker would seek when profiling a system—and on mitigating the opportunity for secondary attacks that would follow a successful exploit.

Penetration testing is the first place to start finding those vulnerabilities and prioritizing fixes. The value of a pen test depends on the quality of information you get from it—and how you apply what you learn.

Keeping Up with Cybercrime: The Challenge of Data Loss Prevention

Focused data security monitoring, targeted mitigation, and DLP are essential today because attackers have become extremely sophisticated. Methods such as phishing—which most users expect to be cringingly easy to spot—are now extremely convincing and, when targeted at specific users, can be surprisingly effective.

Even more concerning is the level of organization among cybercrime networks. The dark web enables intricate covert communication among attack groups, who devise coordinated and highly targeted attacks. Attackers leverage open-source intelligence to gather information about a target, then share that information online through social networks. Software as a Service (SaaS) applications are available on the dark web to enable criminal networking and allow even unskilled attackers to perform advanced tactics for infiltrating an organization’s systems.

All this means that a determined attacker has many more options for capturing critical and sensitive information—and the number of attacks is increasing.

Why Pen Testing Isn’t a DIY Project

The sophistication of cybercriminals and the complexity of mitigating vulnerabilities mean that your company’s risk analysis must be highly specific—and it has to provide information that you can act on quickly to prove compliance and ensure your data protection measures are adequate.

Traditional, automated vulnerability assessment tools do not provide this type of holistic risk analysis. Artificial Intelligence (AI) is not yet sophisticated enough to think like a cybercriminal, and many tools create more complexity and work for information security teams by delivering a vast amount of information without first separating false and true vulnerabilities.

However, an experienced and highly skilled pen tester is able to think like an attacker and move through the cyber-kill chain methodically and effectively. Pen testing provided by an experienced, specialized tester delivers the focused insights required for an accurate and actionable risk analysis.

That deep-dive analysis enables companies to focus their time and effort on remediating real vulnerabilities rather than expending resources sifting through scattershot issues.

No Two Pen Tests Are the Same: How a Pen Tester Addresses Your Business Needs

In any given project, an experienced pen tester can cover a range of penetration testing types that address a wide variety of business needs. Because each company has particular requirements it must meet, the day-to-day job of a tester can be extremely varied. Some days, the tester may be working at a client’s site testing physical security, which can be extremely exciting. Other days, they can be based remotely, performing a mobile application security assessment that requires a high degree of concentration to ensure the full Open Web Application Security Project (OWASP) methodology is covered.

Regardless of the type of test, clients should expect visibility into the testing process. During the assessment, testers use proprietary tools to capture and record issues that can quickly be turned into a daily update summary report. This summary allows a client to review findings in real time so that they can ask any questions or work on remediating serious issues immediately. The testing team should also be available to host a daily debrief or facilitate washdown meetings to discuss the daily findings.

At the end of an assessment, the test lead pulls together all of the test results and produces a final report. One of the most important areas of the final report is the executive summary section, which should present high-level information in an accessible and concise form so that executive decision makers can use the information effectively.

The Pen Test Is Just the Beginning

For some organizations, penetration testing is a requirement for regulatory or governance compliance. But organizations are most successful with their data protection programs when they realize that the pen test is not just a box to check, but a valuable tool for ongoing protection.

The most important way companies can use penetration test results is by performing risk management activity that classifies and prioritizes risks:

  • Remediating risks—Closing gaps quickly to eliminate vulnerabilities that present a true threat.
  • Mitigating risks—Understanding where new potential vulnerabilities may arise and putting measures in place to prevent those gaps from opening up.
  • Accepting risks—To support business needs for using and sharing data, some risk is unavoidable. But monitoring those risk areas helps to minimize the potential costs.

Your pen test team leader should be able to provide consultative assistance to help guide you in remediation of issues that the test reveals. And if you need to provide proof of compliance, your tester can design recommendations that specifically address the compliance standards.

But remember that the value of penetration testing goes far beyond a compliance checkbox. Leverage the expertise of your pen testing service provider to learn how to apply targeted data protection measures that will strengthen your company’s overall security posture.

Close Data Security Gaps

InteliSecure’s skilled penetration test partners at Rootshell can perform a variety of different types of testing, including but not limited to: infrastructure assessments; web, mobile, and desktop application assessments; red and purple teaming; standalone phishing assessment; build and configuration reviews; and Simulated Targeted Attack and Response (STAR) scenarios. Contact us to get a custom testing approach for your company.