I had to deliver a presentation recently, so thought I would pop together my thoughts here. It was about ensuring that any investment in penetration testing is wisely spent.
If we want the business to use pen-testing, we need to know what it is they wish to test. For instance:
- What’s Vulnerable (our information assets)
- Where it is vulnerable (our low-level design (LLD), source code etc.)
- How it is vulnerable (our risk register, validated with penetration testing)
- Who it is vulnerable to (our threat actors)
- What it would cost us if it was exploited (our business impacts)
Though we also need to understand and pop a value on the information. This doesn’t need to be monetary, though money is a currency readily understood by all.
- Before looking to protect your information – know what you need to secure.
- Ensure that the business knows its information assets and their value to the business.
- Ensure that the impact scores for the loss of confidentiality, integrity and availability (C, I and A) of each of your information assets are understood.
- Ensure that the focus of penetration testing is on the high-impact C, I and A assets.
We also need to ensure that the business is bought into what we want to achieve. If we are using numbers to define impact, the business needs to adopt those impact values across the WHOLE business.
The senior person responsible for risk within the organisation would sign this off. These risk metrics would then be used by the whole business.
If we want to secure our information, we need to secure the systems on which the information resides (or at least secure part of that network). For us to do this, we need to:
- Know what the network ‘should’ look like (through the LLD).
- Ensure that the reality matches the documentation (through enumeration, validating the LLD against what is actually deployed).
We also need to know who might be trying to target us and whether the adversaries are any good. Is the threat internal or external?
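The two checks above, scoping the test around high-impact C/I/A assets and validating the LLD against enumeration, are worked through in this added example (my illustration, not part of the original post). Every asset, host, port, score and the threshold of 4 are constructed sample data, and the enumeration result is a constructed stand-in for whatever a scan of the documented ranges would return.

```python
# Added example (not from the original post). Scopes a pen test from a C/I/A
# impact register and checks the documented design (LLD) against enumeration.
# Every asset, host, port and score here is constructed sample data.
from dataclasses import dataclass

HIGH_IMPACT = 4  # constructed threshold on a 1-5 scale, agreed across the business

@dataclass(frozen=True)
class Asset:
    name: str
    host: str
    c: int  # business impact if confidentiality is lost
    i: int  # business impact if integrity is lost
    a: int  # business impact if availability is lost

    def max_impact(self) -> int:
        return max(self.c, self.i, self.a)

# Constructed asset register: what the business holds and what a loss would cost.
REGISTER = [
    Asset("Customer database", "10.0.1.10", c=5, i=4, a=3),
    Asset("Payroll", "10.0.1.20", c=5, i=5, a=2),
    Asset("Intranet wiki", "10.0.2.5", c=2, i=2, a=1),
]
# Constructed LLD: host -> services the design says should be listening.
LLD = {"10.0.1.10": {443, 5432}, "10.0.1.20": {443}, "10.0.2.5": {80}}
# Constructed enumeration result for the same ranges.
ENUMERATED = {"10.0.1.10": {22, 443, 5432},  # SSH is not in the LLD
              "10.0.1.20": {443},
              "10.0.3.7": {3389}}            # host is not in the LLD at all

def pentest_scope(register, threshold=HIGH_IMPACT):
    """Hosts of assets whose worst C/I/A impact meets the threshold, worst first."""
    scoped = [a for a in register if a.max_impact() >= threshold]
    return [a.host for a in sorted(scoped, key=Asset.max_impact, reverse=True)]

def lld_drift(lld, enumerated):
    """Where enumerated reality differs from the documented design."""
    shared = lld.keys() & enumerated.keys()
    return {
        "undocumented_hosts": sorted(enumerated.keys() - lld.keys()),
        "missing_hosts": sorted(lld.keys() - enumerated.keys()),
        "undocumented_services": {h: sorted(enumerated[h] - lld[h])
                                  for h in shared if enumerated[h] - lld[h]},
    }

if __name__ == "__main__":
    print("Pen-test scope:", pentest_scope(REGISTER))
    print("LLD drift:", lld_drift(LLD, ENUMERATED))
```

Anything reported under drift is a finding for the design owner before the testers arrive: an undocumented host or service is either missing from the LLD or should not be there.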
For penetration testing to be truly effective you need to ensure that:
- There is an element of maturity in both information risk and information governance.
- There is a security culture in place, with people encouraged to follow good security practice.
- There is an understanding of what the information assets are and what they are worth.
- You know what the network looks like.
- You know what your threats are.
- You have the buy-in and resources of the business to remediate issues as they arise (or need fixing).
- The business impacts are clearly defined and adopted by the whole business.
The Security Policy Framework is a set of standards for HMG information assets, though some of the guidance could equally apply to any network:
Risk management is key and should be driven from Board level. Assessments will identify potential threats, vulnerabilities and appropriate controls to reduce the risks to people, information and infrastructure to an acceptable level.
With regards to information it says:
- Mechanisms and processes to ensure assets are properly classified and appropriately protected.
- Confidence that security controls are effective and that systems and services can protect the information they carry. There will be an overarching programme of information assurance driven by the Board.
So, in summary, penetration testing is a tool to be used in conjunction with other tools. For instance:
Information Management. Knowing your assets and their value to the business.
Risk Management. Knowing the risks associated with your information assets.
Information Governance. Ensuring that senior managers are aware of the big risks to the organisation.
Technical Design and Ownership. Ensuring that the design and configuration of the network is understood, baselined, validated and kept up to date.
Security Ownership. Ensuring that you have the relevant support for securing your networks.
A key note: ensure that you only secure the assets that need to be secured – apply proportionality to ensure both value for money and sound resource management.