Top Mistakes CISOs Make When it Comes to Penetration Testing
As cybersecurity continues to become more of a focus in higher education institutions, we have seen a lot of CISOs (Chief Information Security Officers) embrace penetration testing. There is a lot they get right about penetration testing. However, there are also some common mistakes. In this blog, we share a few of the top mistakes CISOs make when it comes to penetration testing and how your institution can avoid them.
Mistake #1 – Viewing a Penetration Test as a Reflection of Job Performance
The number one mistake we see is CISOs who believe that a penetration test is a direct reflection of their job performance. When this happens, it severely limits the effectiveness of the penetration test. In reality, a penetration test is a helpful tool. It can help evaluate the effectiveness of the security controls in place and identify any gaps that may exist.
For example, we have encountered some CISOs who will actively try to block or remediate as we are testing, or who will put us in an isolated network that doesn’t emulate the risk we are trying to evaluate. Moreover, when it is time to go over the results, the CISO can become defensive and say things like, “Well, if this was a real attack, we would have blocked you.” While this may very well be true, getting defensive sends the wrong message: it implies that all the findings are invalid or insignificant. This attitude can have a devastating impact on your institution’s security culture.
Penetration Test is a Tool
To avoid this mistake, the best approach is a conversation with the CISO to explain that a penetration test is a tool, and that being defensive can hamper the results of the test and, ultimately, hurt the institution’s security posture. The conversation should note the collaborative nature of a penetration test. Additionally, it may help to view a penetration test as an objective evaluation of security controls, not of the performance of a role. Most likely, a CISO with an unlimited budget and organizational buy-in would have every tool at their disposal and enough resources deployed to lock down the network. Unfortunately, in reality, every organization has finite resources. A penetration test can help prioritize those limited resources, ultimately ensuring a better security return on investment with the tools and resources you do have.
Mistake #2 – Limiting the Scope
Another top mistake we see CISOs make is limiting the scope of a test unnecessarily. Limiting the scope prevents a more realistic evaluation and a holistic view of the risks. Frequently, this is due to budget constraints. However, it is important to understand that if we are performing a security evaluation on only a subset of the organization, the results will be limited and only provide part of the picture. For example, if you were performing a physical security audit of a bank branch and limited the auditor to just the lobby, the audit won’t do you much good if the back door is propped open all day. The same concept applies to penetration testing.
Similarly, when a CISO reaches out for an external penetration test, they should realize that even if the penetration testers were not able to gain access via the network perimeter, a real threat actor would not be under these same constraints. They could leverage social engineering, attack the wireless network from the parking lot, or even physically break in to obtain a foothold on the network.
Many times we also encounter CISOs who “know their users are going to fall for social engineering, so why bother.” While this may be true, it limits their ability to quantify that risk. Further, this thinking prevents them from conveying the potential impact to organizational stakeholders, testing the effectiveness of the technical controls that are in place, or evaluating current security awareness training.
Understanding the Scope of the Penetration Test
To avoid this mistake, an understanding of the scope is very important. A CISO will always have to balance their budget with their security objectives. This means that sometimes not everything can be tested. That is fine, as long as the CISO has a good understanding of what was in scope and what residual risk is still present due to the portions not being assessed. It is great to walk away from an external penetration test feeling like your network perimeter is relatively secure. However, it is important to keep in mind the other risks that may be present. Institutions should evaluate what the most likely risks are, and leverage penetration tests to quantify those risks. For example, if the primary risk is a student accessing information systems to change their grade, that would be scoped much differently than the risk of a staff member clicking a link they shouldn’t have, leading to ransomware.
Mistake #3 – Just Checking a Box
Another top mistake we see is when institutions use penetration testing only to check a compliance box. They are required to have penetration tests performed to meet a compliance requirement or as part of their cyber insurance policy. To avoid this mistake, the CISO needs to understand that the penetration test is much more than meeting a compliance requirement. It is used to evaluate security, find any gaps, test the effectiveness of security tools, and establish a system for testing security in the future.
Avoiding Top Cybersecurity Mistakes
About the Author
Matt Miller is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.