Saturday, June 24, 2023

Automatic Vs. Autonomous Vs. Human Penetration Testing: Which Is Best???

 


Just last night, I finished and submitted my final manuscript for my 12th book.  It is all about Ransomware and Penetration Testing.  We all know to varying degrees how dangerous Ransomware can be, but believe it or not, it has been around for the last 30 years or so. 

In fact, the first Ransomware attack was delivered using a floppy disk.  But this threat variant has evolved into something that has become extremely dangerous and costly.

For example, the Cyberattacker of today is not just locking up your computer and encrypting your files.  Rather, they are now threatening extortion like style attacks, where they will expose your PII datasets if you don’t pay up. 

Or worst yet, they can even sell it on the Dark Web.  But as I said stated in the book to be that we all are at risk of becoming a victim of Ransomware, the key is in learning how to mitigate that risk from actually happening.

One of the best ways to do this is through what is known as a Penetration Test.  This is where you hire a team of individuals, or even a company that specializes in doing this, and they literally try to break down your walls of defense.  In other words, they try to take the mindset of an actual Cyberattacker, and try to launch and throw everything and anything they have towards your IT and Network Infrastructures. 

You may be asking at this point why go through all of this?  Well, this is about the best way to truly find out where your weaknesses and vulnerabilities are.  In many ways, its like a cardiologist conducting an angiogram on your heart. 

They will not truly know where the blockages are until your heart is illuminated with the special dye.  Then from there, the course of proper medical treatment can then be followed.

The same thing with a Penetration Test.  A tester will not know what kinds of remediations and controls that you need to put into place to cover your gaps until they do the needed testing.  But it is very important to keep in mind that this all what is known as “Ethical Hacking”. 

In other words, the Penetration Testing team not only needs to you have your explicit permission to do all of this, but you and they have to sign a contract.  And, if the Penetration Testing team feels that they need to do more tests, then they will have to explain the objectives and also ask for written permission in that regard.

Personally I have never done a Penetration Test, but I have heard stories about it form people I know that actually do them.  But this morning, I came across a very interesting article from an individual that does this kind of work, and he offered three tips of free advice on how to keep your business safe.  Here they are:

1)     Adopt the Zero Trust Framework:

This is one of the biggest buzzwords in the Cyber industry today, and the basic mantra of this is to “Never Trust, Always Verify”.  What it all comes down to is that no employee in your business should be trusted when it comes to access of shared resources or PII datasets.  This even transcends down to your employees that have been with you the longest.  Anytime that anybody wants access to something, they have to be verified.  But the key here is that this happen with at least three or more different authentication mechanisms.  This include a password, a PIN number, an RSA token, or even Biometric.  Another part of the Zero Trust Framework is to break out your IT and Network Infrastructures into different zones or segments, with their own layer of defense, using Multifactor Authentication.  So essentially you are breaking away from the traditional Perimeter Defense model, which is so easy for a Cyberattacker to break into these days.  Although this is all heavily preached, it is rarely practiced in the real world.  According to a recent survey to the online magazine called “CIO”, only 25% of organizations have actually deployed this new approach.  More information about this can be seen at the link below:

https://www.cio.com/article/230351/network-segmentation-as-security-imperative.htm

They key takeaway here is that you should have the right mix of controls in place, both from a logical and physical perspective.

2)     Keep your IT/Network Infrastructure Modern:

By this, I don’t mean that you should buy everything out there that has come out.  But keep your systems and devices all updated with the latest patches and upgrades.  This includes firmware.  Whenever you get that “End of Life” notice, it is time to start thinking of replacing your hardware.  Most vendors are pretty good at giving you advanced notice about all of this, and I know for a fact that Microsoft gives customers at least 12 months’ notice before anything comes this extent.  But even after this, there is still a usually a small grace period in which full support is still provided.  The best solution here is to use the Cloud, like Azure.  With this, you don’t even have to be concerned with applications running out of a service life.  Microsoft takes care of all of that for you.

3)     Monitor your logs:

Probably the best way to find out if anything is awry is to keep a constant check on the files that are outputted by your network security devices.  Now, this may sound like a horrible and tedious chore to do, but you can automate this entire process, by using both AI and ML.  For example, they can filter through all of the logs, and alert you and your IT Security for any abnormal behavior in network traffic patterns.  Also, they will be able to filter out all of the false positives that come in.  That way your team can focus on what is for real and legitimate.

My Thoughts On This:

There are also many new buzzwords that are coming out in Penetration Testing, and they are “Automatic” and “Autonomous”.  Many Cyber vendors of today are trying to deploy software packages that can conduct Penetration Testing on their own, proclaiming the fact that human intervention is not needed.  Now, I have to put a disclaimer here. 

I have not personally tried out these tools myself, but if I were having a Penetration Test, I would still want an actual, real live human being doing it.

I am all for automaton for certain parts of a Penetration Test, but you cannot rely on just that solely.  You still need that human presence to walk you through what was discovered, and what the remediations are to fill up your gaps and vulnerabilities.

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...