Getting Started With Security Assessments
Many times we have organizations come to us that have never had security assessments or penetration testing performed before. Maybe they have a new compliance requirement that is pushing them to get some testing done, or maybe they keep hearing more about the benefits of penetration testing and feel they need to jump in and get started. Whatever the case may be, taking the first step and reaching out to understand what your options are and get some pricing for budgetary purposes is an important first step!
But it can be overwhelming to hear about the different types of testing and try to make an informed decision about what is right for your organization and your budget. The different types of strategic assessments and penetration tests can have very different benefits to your organization, and may be more beneficial to more immature security programs vs. more mature security programs and vice versa. These are all important details to understand when trying to make a decision about where to start and build out an informed roadmap that incorporates third-party security testing.
In this blog, we’re going to take a look at some good places to start for immature organizations just getting started with security assessments and work our way down to some more advanced testing that organizations can check out once they have handle on the basics. Performing testing regularly is important, but security assessments can also help you understand different areas of risk within your organization and push certain security initiatives as you grow, highlighting the risks from a third-party point of view to help management better understand.
Initial Security Assessments
If you’ve never had any penetration testing or strategic consulting performed, it can be really tough to know where to start. Let’s start off talking about a couple assessments that are considered as a good baseline to better understanding where you’re at from a security perspective:
- External Penetration Test – From a tactical perspective, this is where almost every organization will start. This type of assessment is designed to test your security from outside your organization, emulating an attacker trying to break in from the Internet. It can help you know if there is anything out there that should keep you up at night or makes you a particularly high value target for an attacker. It’s also one of the most affordable assessments (~3k for a small external perimeter) and is required by many compliance standards.
- Best Practice Gap Analysis – From a more strategic level, if you’re not sure where you’re at from an organizational security program maturity level, this may be a great place to start as well. This is an interview-driven assessment where we sit down with your security team, IT team, development team, and anyone else related to security processes to understand what controls are in place today, what documentation is there to support those controls, and what improvements can be made to these controls in the future to increase your overall security posture. This type of assessment starts around 6k for most small-to-medium-sized organizations and will result in a roadmap that can help inform future decisions and spending on security to get the most bang-for-the-buck out of your program.
Continuing to Improve Security
Maybe you’ve been doing external penetration testing for a few years and you have a good handle on your perimeter, but you’re not sure how to continue to improve? Where do you go next to understand security risk at a broader level? There are a lot of answers to that question depending on your business but here are some ideas:
- Internal Penetration Test – Once you’ve got a good handle on our external perimeter, it’s really critical that you don’t stop there. An internal penetration test helps you understand security within your network and helps quantify the risk should an attacker get an initial foothold or there is a malicious insider on your network. Slightly more expensive than an external penetration test given the additional time required to assess all of your internal systems and attack vectors, an internal penetration test starts from around 5k for most organizations. You’ll want to prepared for a lot more findings as compared to an external pen, but these are things that will greatly improve your organizational security in the long run.
- Web Application Penetration Test – Once you’ve understood your risk at the network-layer, you’ll want to focus your efforts on understanding your risk at the application-layer, as well. This type of test will assess both the unauthenticated and authenticated portions of a target web application to identify weaknesses that could allow unauthorized access, lateral movement (one user getting another user’s data), or privilege escalation, just to name a few. Most organizations start by assessing their most critical applications, from a business and/or data perspective. Pricing for this kind of assessment can greatly vary, so check out our blog that addresses that topic for a better understanding.
- API Penetration Test – Similar to a web application penetration test, an API penetration test focuses on the risk associated with an API, if your organization has any. You’ll probably want to start by focusing on any public APIs your organization develops in-house and exposes to the Internet, but this type of testing can also identify weaknesses in private APIs. Pricing is similar to that of a web application penetration test, but based on the number of endpoints/functions associated with each API. We’ll need thorough API documentation in order to complete this assessment, so make sure you’ve got OpenAPI (aka Swagger), WSDL, or similar definitions prepared prior to this test to get the most return on your investment.
- Social Engineering Assessment – All of the assessments we’ve talked about this far are looking at technical assets from different perspectives, but a social engineering engagement focuses on your employees. During this type of engagement, we’ll use a combination of phishing, spear-phishing, and vishing (phone-based attacks) to understand the level of risk your employees represent to the organization. No matter how many security controls you have in place and how strong your external perimeter is, all it takes is one employee clicking a link to provide an attacker immediate access to your internal network. Many times, this is the primary way that attackers will attempt to gain access to a network because it’s the easiest and most efficient for them. This type of assessment is priced based off the sample size of employees being tested, but starts at around 3k.
- Compliance-based Gap Analysis – Finally, moving back to more strategic assessments, more advanced iterations of a Gap Analysis can be conducted. This type of assessment would be based on the business and compliance needs of the organization, focusing on how compliance requirements are being met and developing a roadmap to continue to improve both level of compliance and security. For retail organizations this is often the Payment Card Industry (PCI), healthcare organizations have HIPAA, and government organizations will often be required to use some variant of NIST. Whatever compliance requirements you face, we can help address those needs while keeping security as your primary focus, even combining compliance standards and assessing both where needed.
Mature Security Programs
Once you’ve got a handle on security in your organization, it may be time to look at more specific areas of your security posture to ensure nothing is being missed. A lot of these assessments aren’t something you’d necessarily do every year, but maybe you want to take at look at a particular area of your organization where you’ve had some security concerns recently or you’ve implemented a new security control and you want to understand its effectiveness. Here are some ideas:
- Physical Penetration Test
- Firewall Audit
- Host Compliance Audit
- Password Audit
- Formal Risk Assessment
- Red Team Engagement
- Purple Team Engagement