
Pen Test. Remediate. Repeat.

What happens when you do something over and over and over again?  

Generally, you get better at it.  

This certainly holds true when it comes to penetration testing and subsequent remediation efforts; however, I have found the principle of repetition to be broadly applicable across the world of cyber security.  

There is value in knowing that a certain system is secure at a certain point in time, but we operate in a digital world where everything is changing with immense speed. The threat landscape is constantly evolving, and the value of any point-in-time assurance decays rapidly. 

Consider instead the alternative, where assertions about the security of a system are made on an ongoing basis.  

A penetration test is a structured, authorized security exercise in which ethical security specialists simulate real-world attack techniques against our systems in a controlled environment.  

At Veson, we partner with CYE Security to undertake penetration tests against all of our platforms every six months. CYE are exceptionally talented at what they do, and will often use combinations of obscure vulnerabilities to attempt privilege escalation, lateral movement or system compromise – mirroring the tactics sophisticated threat actors might use. 

A typical penetration test plays out like a game of cat and mouse.  

The Veson security team is watching very closely, reviewing our logs and monitoring systems for any indications of successful compromise. The penetration testers are treading as lightly as possible using the credentials we provide as they seek to blend in with our regular users. They know that a clumsy scan or the execution of a common hacking tool will get them caught immediately. 

The game plays out over several weeks, with constant backchannel communication between the two groups. We share our observations in real-time, and the testers are often surprised by our deep level of visibility into their actions, or the tools we have at our disposal to parry their advance. 

Veson benefits in a number of different ways from penetration testing. Firstly, we gain an opportunity for our security team to fine-tune their monitoring and threat detection capabilities in direct competition with a seasoned operator. Secondly, we learn about the types of attacks that threat actors might attempt. Finally, we receive a comprehensive report covering any detected issues, which are then systematically cataloged and scheduled for remediation. 

Repeat. 

Repetition is our friend. Every time we go through this cycle, life gets a little harder for the penetration testers. Vulnerabilities are closed, gaps are eliminated, attack chains that worked previously are rendered moot. 

We know that our systems are secure, but that assurance decays rapidly. And so, the virtuous feedback cycle continues as we prepare for the next penetration test.