The world of Cybersecurity is a very broad one, and encompasses many areas of technology. If somebody tells you that they are a master of it all, you can tell for sure that they are lying through their teeth.
The same thing holds true about the technical writing aspect of Cybersecurity. Anybody can claim that they can write anything, but it takes a great talent to do that.
While I have written on quite a broad range of topics, one of the areas that I love to write on and am very passionate about is Pen Testing. I have studied and reviewed this topic quite a bit these last few years, and in fact, it is a huge chapter in one of my books. I am by no means a practitioner of this art, but I do love writing about it.
So with this in mind, this is the topic for today’s article. A lot of you might be asking, “Well, what is Penetration Testing?” In very simple terms, this is where a group of ethical hackers adopt the mindset of a Cyberattacker and break down your walls of defense, working from the external environment inwards, to see where all of your vulnerabilities and gaps exist.
From here, a report or security brief is then compiled for the client as to what was discovered, as well as the solutions that can be undertaken to remediate, or fix, them. The size of a Pen Testing team can be just a few individuals or even as large as 10-12 people, depending upon the scope of the work that needs to be done and how large your organization is.
Typically a Pen Testing team is broken down into three sub teams:
*The Red Team: As just mentioned, these are the ethical hackers;
*The Blue Team: These are the defenders, deemed to be the “good guys”. They work closely with the IT Security team in order to thwart the attacks launched by the Red Team.
*The Purple Team: This is composed of members of both the Red Team and the Blue Team, and this group keeps a system of checks and balances on the other two teams.
We will look at the last two teams in further detail in future articles, but in this one, the focus will be on the Red Team. Whether you are the company that is building a Red Team or the client that will be hiring one, there are a number of key factors that you need to take into consideration, which are as follows:
1) Assemble the team:
You will of course want to hire the best of the best. The thing about Pen Testing is that it can be done remotely from anywhere in the world, at any time set forth by the client. But you want to select a group of people who not only have a lot of experience, but also have strong coding skills (as there could possibly be a lot of scripting that will need to be done), and have worked with the latest tools, such as Nessus, Metasploit, etc. Although it is not a requirement, you should also give serious consideration to those candidates that hold the Certified Ethical Hacker (“CEH”) cert.
2) Utilize a framework:
While your Red Team will know more or less exactly what to do from the get go based upon their level of experience, it is important to first adopt a framework to keep your work organized as well as prioritized. Thus, you need to pick a certain type of methodology to keep your Red Team humming in a seamless fashion. Some of the most popular frameworks are those found in OWASP, NIST, etc. The links for these are respectively as follows:
https://owasp.org/www-project-top-ten/
Also, by adopting one of these frameworks, you will give a good image to your customer, as you will be using well established standards and protocols.
3) Decide what will be ethically hacked:
Obviously, your Red Team will want to get through each and every digital asset. But keep in mind that there are resource limitations here. You can only go as long as your team remains focused, and as far as the budget that your client has set forth allows. Therefore, in consultation with the client, you should strategically pick and choose those targets that are most vulnerable. But this can only be revealed by a Risk Assessment. Keep in mind also that it is not just the digital assets you will be going after. If there is the need, it is quite likely that you will also be launching Social Engineering attacks against the employees of your client as well.
4) Keep track of the work that is being done:
As you check off everything that your Red Team is hacking through, this needs to be recorded in detail, along with the possible solutions that can be implemented to fix the issues. Not only will you need this information and data to compile the final report for your client, but you will also need to have an exhaustive record in case you are ever audited, for example under the CCPA or the GDPR.
5) Communication is key:
This is one of the most important pieces of any Pen Testing exercise, and a siloed approach must be avoided at all costs. For example, the Red Team needs to communicate clearly with the Blue Team, and vice versa. But in the end, it is really the job of the Purple Team to make sure that all lines of communication remain open and transparent. In terms of your client, you need to explain what is going on to them in clear, layman’s terms, without using any fancy lingo or technojargon. This is especially important when you compile that final report for them.
My Thoughts On This:
Keep in mind that the bulk of this article was written with the business owner that offers Pen Testing services in mind. But for you, the client, there are a number of steps that you need to take into consideration as well, which are as follows:
*Always hire an extremely reliable Pen Testing company. They should have been around for a long time, and always ask for references!!!
*As mentioned numerous times, the Red Team will be giving you a final report. Make sure you understand what they have written, and if you cannot, always ask questions, or have them keep rewriting the final report until you can finally understand it.
*This report will also contain a list of solutions that you should take to remediate the problems found. Typically, the Red Team will not implement these, but rather, they will refer you to an MSSP to get this part of the job done. In this regard, and for considerations of your budget, it might even be wiser to hire an MSSP that not only has the Red Team to do the Pen Testing, but can also work with you to implement the needed controls.
*Try to hire locally. Avoid hiring Red Teams that are based overseas, especially in those geographic regions where there are nation state threat actors. Better yet, you should have direct, face to face contact with the Red Team that you will be working with.
*Always make sure that a contract will be signed, laying out the roles and responsibilities for all that is going to happen. Also make sure that your Red Team is insured, in case something goes unexpectedly wrong.
Finally, keep in mind that Pen Testing is really about the only way to truly see what is going on in your IT and Network Infrastructure. With more than 50% of all businesses being Cyberattacked each week, this is a risk that you cannot afford to take.