At a time when government networks are under an ever-intensifying and persistent wave of cyber attacks, federal managers need to take a proactive, enterprise-wide approach to protecting their systems. That should include more penetration testing.
“The best defense is a good offense,” said Don Goff, chief executive officer of CSTAR Systems, a consulting firm that focuses on cybersecurity, recently at GovSec, a government security conference and expo in Washington, D.C. “Cybersecurity has moved from building a little fortress around the data center to being an enterprise-wide situation that covers a whole range of media that is all interconnected by IP--that includes your phones, handhelds, thumb drives, laptops and all the rest of your portable media. The premise here is that [managers] have to be proactive rather than reactive because by the time that horse has gotten out of the barn it’s far too late.”
One increasingly critical component of a proactive security strategy is penetration testing, which mimics real-world cyber attacks to identify methods for circumventing the security features of an application, system or network. Vulnerability scanning is not enough, according to Mark Hatton, president and CEO of Core Security Technologies, which offers enterprise security testing tools and services and counts more than 60 civilian and Defense agency customers.
“There is simply no way to know whether or not a vulnerability provides an actual risk to your infrastructure without exploiting it,” Hatton said. “And exploiting it is more than just seeing if an exploit can run successfully against a vulnerability. It’s understanding the depth of risk that the vulnerability actually allows for inside that agency.”
Penetration testing is key
Penetration testing is becoming more imperative as mobile computing devices and Web applications proliferate throughout government networks, creating new, multiple threat surfaces. “A lot of attacks take a multi-vector approach,” Hatton said. “They don’t take a single, straight path. For example, your mobile device is connected to a Web app connected to a network. [An attacker] who breaches the mobile device has created an access point into your network. It’s a zig-zag approach into an agency’s infrastructure.”
As a result, a simple vulnerability scan might show a network to be protected when threat surfaces connected to the network may not be.
In addition, without replicating real-world attacks against an enterprise, you’re in “the world of probability,” because simply scanning for vulnerabilities will yield a large amount of data that may be 30 to 40 percent false positive, Hatton said.
“In the world of cyber attacks, there are no false positives,” he said. “Either the attacker is successful at breaching a system or not. If we’re spending 30 to 40 percent of our time sifting through data that’s inaccurate, we are constantly behind the potential attacker. That’s why penetration testing in particular has become the cornerstone of validating vulnerabilities.”
The National Institute of Standards and Technology’s Special Publication 800-53, which recommends security controls for federal information systems, promotes penetration testing as the preferred technique for auditing security controls under the Federal Information Systems Management Act, with which all agencies must comply. NIST’s SP 800-15, which is a technical guide to information security assessment, also furnishes guidance on penetration testing and other assessment tools and techniques.
According to NIST’s SP 800-53A/Appendix G, an effective penetration testing program:
- Goes beyond vulnerability scanning to provide explicit and often dramatic proof of mission risks. It should also provide an indicator of the level of effort an adversary would need to expend in order to cause harm to the organization’s operations and assets
- Approaches the information system as an adversary would, considering vulnerabilities, incorrect system configurations, trust relationships between organizations and architectural weaknesses in the environment under test
- Thoroughly documents all activities performed during the test, including all exploited vulnerabilities and how those vulnerabilities were combined into attacks
- Produces a measurable risk level for a given attacker by using the amount of effort the team needed to expend in penetrating the information system as an indicator of the penetration resistance of the system
- Validates existing security controls, including risk mitigation mechanisms such as firewalls and intrusion detection systems
- Provides actionable results with information about possible remediation measures for the successful attacks performed in the test
“The argument that penetration testing is the most accurate view of potential risk to your infrastructure has been widely accepted,” Hatton said. “Five or six years ago, [it was thought] you would be crazy if you did this.”
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.