PC PORTAL

Experienced. Trusted. Solutions.

Skills

By

Pen testing: why do you need it, and five steps to doing it right

Penetration testing can contribute a lot to an organisation’s security by helping to identify potential weaknesses. But for it to be truly valuable, it needs to happen in the context of the business.

I asked Brian Honan, CEO of BH Consulting, to explain the value of pen testing and when it’s needed. “A pen test is a technical assessment of the vulnerabilities of a server, but it needs the business to tell you which server is most important. Pen testing without context, without proper scoping and without regular re-testing has little value,” he said.

Steps to do pen testing right

Some organisations feel they need to conduct a pen test because they have to comply with regulations like PCI, or to satisfy auditors, or because the board has asked for it. They’re often the worst places to start. To do it right, a business should:

  • Dedicate appropriate budget and time to the test
  • Carry out a proper scoping exercise first
  • Set proper engagement parameters
  • Run it regularly – preferably quarterly and more than just once a year
  • Use pen testing to check new systems before they go into production.

Absent those key elements, the test will not fail as such, but the approach from the start is just to tick a box. That’s why a one-off test will tell you little about how secure a system is. “A pen test is only a point-in-time assessment of a particular system, and there are ways to game the test. We have done pen tests where a client told us ‘these systems are out of scope’ – but they would be in scope for a criminal,” said Brian.

Prioritising business risks

The reason for running a pen test before systems go into production is that criminals may target them once they are live. It’s especially important if the new system will be critical to the business. “The value of doing a good pen test within context of the business, is that it will identify vulnerabilities and issues that the organisation can prioritise based on the business impact,” said Brian.

Pen testing, though valuable, is only one element of good security. “Unfortunately, many people think that if they run a pen test against their website, and it finds nothing, therefore their security is OK,” Brian said. “Just because you have car insurance doesn’t mean you won’t have an accident. There are many other factors that come into play: road conditions, other drivers on the road, confidence and experience of the driver.”

Brian warned against the risk of using pen testing as a replacement for a comprehensive security programme. If organisations have limited budget, spending it on a pen test arguably won’t make them any more secure. “Just doing it once a year to keep an auditor happy is not the best approach. It’s not a replacement for a good security programme,” he said.

The post Pen testing: why do you need it, and five steps to doing it right appeared first on BH Consulting.

By

Meeting the security skills gap (hint: don’t exclude half the potential workforce)

Getting skilled people into cybersecurity roles continues to be a challenge. In a Ponemon survey from earlier this year, security leaders said their biggest security concern for the coming year was a talent gap. Commenting at the time, Brian Honan wrote in the SANS newsletter that the best way to tackle a skills shortage is to provide effective training and support to existing staff to better enable them. “We need to look outside our traditional tech fields to recruit people with the aptitude for security. The technical skills can always be taught to a willing learner,” he said.

In fact, Lance Spitzner of SANS Institute recently published a piece encouraging people from non-technical backgrounds to become cybersecurity professionals. “In many cases having a non-technical background can actually be an advantage,” he argued.

Soft skills

Spitzner added: “A growing challenge we are facing in cybersecurity is we have a growing number of highly technical people, but often they don’t have the soft skills needed to interact with people outside their world, such as the ability to communicate to business leaders about the impact their work is having or working with or partnering with other departments throughout their organisation.”

The UK Government recently took an interesting approach to addressing the need for security skills development. Its £20 million ‘Cyber Discovery’ programme targets teen schoolgoers using gamification. It hopes this will translate to them taking an interest in the subject and will help uncover previously untapped talent.

Events of the past week remind us to ask if the industry is doing enough to attract all possible candidates. OurSA is a pop-up event that took place alongside security’s mecca, RSA Conference 2018 in San Francisco, last week. OurSA came about in just two months, after a backlash against RSA’s almost exclusively male speaker lineup. Karlin Lillington wrote in the Irish Times that the security industry remains overwhelmingly male-dominated. Just 11 per cent of the labour force are women.

While the poor optics of male-dominated security events don’t help, there are positive examples of female participation in security. Our own Neha Thethi from BH Consulting contributed to an article on Helpnet Security last year, looking at the experiences of women working in the cybersecurity industry. Jane Frankland, an entrepreneur and a CISO advisor, has written a book titled ‘InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe’.

Strength through diversity

Last year’s ‘Women in Cybersecurityreport argued that diversity of experience as well as gender can strengthen security teams. Fewer than half of the female infosecurity professionals have backgrounds in IT or computer science.

The report was based on interviews with 300 female IT security professionals. More than one third of them had been working in the industry for more than 10 years. Respondents came from a wide variety of backgrounds including psychology, sales, art, compliance and internal audit.

Report author and Cobalt vice president Caroline Wong told Infosecurity Magazine: “Diverse teams have better results, plain and simple. In an industry with a major talent shortage, it’s critical that hiring managers be very engaged in the hiring process and thoughtful about exactly what types of skills are needed for each particular role.”

The post Meeting the security skills gap (hint: don’t exclude half the potential workforce) appeared first on BH Consulting.