On occasion, we get clients who are concerned about some of the stereotypes they may read or hear about when it comes to a penetration test. While a penetration test may involve us attacking your infrastructure, we are not your adversaries. Your company made the security-mature decision to solicit security testing, and it is important to us that we help secure your environments in a way that addresses the full spectrum of security challenges. In this blog, we’ll talk about some of those concerns.
They Say It’s Cheating
We say it is value-added. Sure, an attacker may have to spend weeks or months slowly grinding away before possibly gaining access to valid account credentials through phishing or password spraying. But when you buy a penetration test from any company, you are trading your money for testing time. We prioritize our time based on the desired outcomes and objectives within the project scope. Many objectives, such as testing Multi-Factor Authentication usage and quality, require credentials; so does checking for account segmentation, information segmentation, and weak privilege management.
We don’t have weeks or months to try to gain access. We’ve been paid for a few days of work and have to do more than simply attack the login panel.
They Say Attackers Don’t Have Credentials
Sure, an external attacker may not have credentials and would have to find a way to obtain them through a primary attack, such as social engineering or password spraying. That said, Matt in Accounting has an account and access to the company’s books. Matt is pretty upset that you’ve chosen to rescind the work-from-home policy after he and his family decided to buy a new home in another city.
Matt would be an example of an “Insider Threat.” The Cybersecurity & Infrastructure Security Agency (CISA) states that “Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors.”
They Say It Will Get Them in Trouble
Sure, insufficient security policies may result in discipline, but the real finger-pointing starts when a company lands in the news, or worse, in civil or criminal court. Simply saying your company has had a penetration test isn’t enough due diligence. The pentest report will clearly outline the expectations that were set for the assessment. If your organization has chosen not to provide credentials for testing, that will be noted in the report. At TCM Security, we include a statement in our executive summaries that covers this. That statement always recommends that you conduct additional, credentialed testing, because there could be additional attack pathways that require credentials.
They Say It Doesn’t Align with Testing Goals
A goal that does the bare minimum may not be the best bar to set for the organization. We can agree that when your organization regularly engages a security company to perform both authenticated and unauthenticated testing, conducting an unauthenticated engagement is beneficial. This is good defense in depth and helps with the overall maturity of your organization. But if the goal is to always conduct unauthenticated testing, your organization is at risk. We recommend that for every unauthenticated assessment you conduct, you also conduct one with credentialed access.
What’s the Right Answer?
Good policymaking begins with eliminating stereotypes and being objective about organizational goals. Your company is hiring TCM Security not only to test for weaknesses, but also to consult on security best practices and to better understand the security vulnerability landscape. We are here to help you craft strong testing objectives and goals, and to help you navigate how to communicate vulnerabilities in order to ensure remediation.
Let us help you with navigating your next security assessment. Contact us at info@tcm-sec.com to get started or fill out the form below.
About the Author
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical, hands-on certification exams that demonstrate proven, job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com