Penetration Testing: Going Beyond Compliance Requirements 

Regulatory and compliance frameworks such as PCI DSS, FedRAMP, NIST, and HITRUST often require organizations to conduct penetration testing to achieve compliance. Penetration tests are typically conducted annually and may be limited in scope and depth, depending on the requirements of the framework and the organization’s specific circumstances. These tests tend to be point-in-time assessments and may not involve the use of system privileges, which can limit the scope and effectiveness of the testing. However, they are still important for identifying vulnerabilities and meeting regulatory requirements.

Companies have been doing compliance-based penetration testing for years. Software and systems get patched as a result, but systems are still compromised. Even with compliance-based penetration testing and software patching, systems and companies can still fall victim to a cyber incident for several reasons:

New Vulnerabilities

New vulnerabilities are constantly being discovered in software and systems, even those that have been patched. Compliance-based testing may not detect these new vulnerabilities, and companies may not have time to patch them before they are exploited by attackers.

Lack of Patching

Any vulnerability, even one rated low severity, can be exploited if it is not patched.

Human Error

Human errors, such as misconfigurations, weak passwords, or falling for social engineering attacks, can create vulnerabilities that compliance-based testing may not detect.

Lack of Ongoing Testing

Compliance-based testing is typically conducted on a periodic basis, such as annually or quarterly. However, security risks and vulnerabilities can change rapidly, and ongoing testing is needed to keep up with these changes.

Over-reliance on Compliance

Companies may become too focused on compliance-based testing and overlook other important security measures, such as threat modeling or regular vulnerability scanning.

To address these issues, companies need to adopt a holistic approach to security that includes ongoing testing, employee training, and a focus on addressing the root causes of vulnerabilities. Compliance-based penetration testing should be viewed as just one component of an overall security program.

Regulatory or compliance-based penetration tests and vulnerability scans have limitations and may not fully replicate real-world attacks. Attackers often employ more advanced tactics, techniques, and procedures (TTPs) to compromise systems or networks, such as social engineering, zero-day exploits, and targeted attacks. Therefore, it is important for organizations to supplement compliance-based testing with other security measures, such as ongoing vulnerability management, threat intelligence, and real-world attack simulations, to enhance their overall security posture and be better prepared to defend against real-world threats. 

In today’s world, the likelihood of attempted credential theft is a near certainty. Many corporations have implemented training programs designed to help employees spot phishing and other attempts to steal their credentials. It’s estimated these training programs result in end users being 80% less likely to fall for a phishing attempt. Despite training that appears to be effective, phishing and social engineering attacks continue to present real threats. So why is this training, along with contextual analysis, advanced penetration testing, and network protection, not sufficient to stop attacks? This is where human frailties come into play. People are still going to click on things they shouldn’t. In assessments of large companies, we have noted that typically between 10% and 20% of phishing attacks are successful, which, given a large staff size, translates into a substantial number of compromised users.

Another common point of network compromise is third-party connections into your network. Third-party connections tend to bypass your boundary firewalls, so the entry points you perceive as primary, such as the boundary firewalls, are not the whole picture, and the true points of exploitation are often not fully understood or evaluated. Most companies don’t know how their third-party relationships are opening them up to unnecessary exposure.

A Stronger Penetration Testing Strategy

So how do we test and evaluate a customer’s environment given we know they will be compromised? A real-world assessment that mirrors the outcomes of attacks using multiple, varied attack vectors is typically the best method to assess existing defenses. Internal penetration testing combined with simulated stolen credentials, using various internal systems as initial pivot points, is a more realistic test of what is encountered in reality. This is an example of a red team test. Red teaming involves simulating a full-scale attack by emulating the tactics, techniques, and procedures of real attackers, with the goal of identifying weaknesses in an organization’s defenses. Red team engagements are very complex. They tend to be costly, and they focus more on the initial attack vector and on external defenses than on where the issues really exist: the identification of security behavior issues. That is the wrong focus, as the initial attack vector will always show that people are exploitable. Rather than stopping at the initial compromise, this more important assessment type should focus on identifying and defending against behavior-based attacks from the inside out, taking the testing to the next level by not only including existing penetration testing but also identifying the normal day-to-day user commands in which common network tasks double as low-level attacks. Incorporating this more advanced assessment type provides a more realistic simulation of a real-world attack. It is often conducted in conjunction with penetration testing, vulnerability assessments, and other security measures to provide a comprehensive view of an organization’s security posture, and it can help organizations better understand their exposure to real-world attacks and identify areas for improvement in their security defenses. However, it can be more expensive and resource-intensive than compliance-based testing and should be tailored to the specific needs and risk profile of the organization.

When these tests are executed, they focus on your ability to identify and defend against an attack that is already in progress. Real-world scenarios require combining elements of static penetration tests, insider malware attacks, and zero-day attacks with a simulation of compromised user credentials and/or compromised internal systems. Neither the compromised credentials nor the compromised systems used in this scenario need any significant level of privilege, which matches most real-world scenarios. The key benefit of this enhanced security testing is that it exercises your internal defenses, behavior monitoring, and intrusion detection systems. Those secondary evaluations can also be used to satisfy other regulatory requirements at the same time.

This does not mean static compliance-driven penetration testing is dead. However, it does suggest that relying solely on compliance-driven testing may not be sufficient to identify all real security risks and vulnerabilities. It is important to supplement compliance-driven testing with other testing methods and strategies, such as on-demand penetration testing as a service, to ensure comprehensive security testing. Look at penetration testing as a service that you can develop and design to meet your regulatory and compliance requirements, as well as your internal real-world enhanced simulated testing needs. Therefore, it is not a matter of one type of testing being dead, but rather a recognition that different types of testing can be valuable in different situations.

CompliancePoint offers a full suite of cybersecurity services, including vulnerability and penetration testing. Contact us at to learn more about how we can help your organization mitigate cybersecurity risk.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.