SANS Critical Control 20: Penetration Tests and Red Team Exercises

As we have reached the end of this blog post series on SANS 20 Critical Controls, this one is definitely one of my favorites and the one where NopSec can add a lot of value. But before delving into the details, let’s give penetration testing a definition.

According to SANS Critical Control #20, penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment.


Penetration testing is not a replacement for vulnerability management.

Penetration testing is a monitoring control, which periodically checks the effectiveness of the vulnerability management process. If vulnerability management is done right, a penetration test should turn out to be a “blank report”. Vulnerability management, by contrast, is a continuous control aimed at managing information assets, detecting and analyzing vulnerabilities, and prioritizing and applying fixes.

Red teaming is more comprehensive than penetration testing and is aimed at testing the organization’s security emergency response procedures and preparedness. According to SANS: “The goals of red team exercises are to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels.” It is worth mentioning that red teaming exercises are a good fit for organizations with a high level of security maturity.

Some of our customers also ask, “How often do I have to perform a penetration test?” Our answer is: vulnerability scanning and the vulnerability management process should run as often as necessary, that is, continuously. For penetration testing – again a monitoring control – once or twice a year is enough, even in highly regulated industries.

I remember at the beginning of my career when I started doing penetration testing engagements, obtaining and exploiting targets using the so-called social engineering techniques was considered cheating. Nowadays, social engineering techniques are widely used in targeted attacks in the wild. Therefore social engineering should be included in an annual penetration test.

A great resource for a penetration testing standard is the Penetration Testing Execution Standard (PTES) website – http://www.pentest-standard.org/. The PTES provides a solid roadmap for performing and evaluating penetration testing engagements in terms of methodology, tools and techniques.


In terms of compliance, penetration testing engagements are a requirement for organizations that want to comply with the following regulations: the PCI standard (section 11.3), SOX, HIPAA, GLBA and other banking regulations.

NopSec has been performing manual penetration testing engagements since 2008 across various asset classes, including external, internal, wireless, web and mobile applications, social engineering and VoIP.

In 2011, NopSec launched a vulnerability risk management software-as-a-service called Unified VRM, unifying the vulnerability management practice across different asset classes into one easy-to-use interface and process.

Important points about NopSec Unified VRM in regards to penetration testing:

  1. Unified VRM automates the process of vulnerability verification, prioritization and false positive elimination. NopSec stands behind every vulnerability that is pushed to the customer’s front-end. This means there is no need to perform extra analysis and work through hundreds of pages of a vulnerability report.
  2. Attackers and penetration testers carry out their attacks across the enterprise’s assets, including networks, web applications, and other attack vectors. Unified VRM grew out of our experience performing penetration tests and, as a result, covers the same asset classes you would expect from a human-powered test or a real attack.
  3. Unified VRM offers a proof-of-concept exploitation framework capable of showing that the identified vulnerabilities are indeed exploitable to take control of the targeted hosts. This Exploitation Module uses an extensive database of publicly available exploits and matches the discovered vulnerabilities to the available exploits based on CVEs. The exploitation can also be extended to the wireless network after a site survey has been performed and a target access point’s encryption key has been discovered.

You can learn more about NopSec’s approach to penetration testing and how to address SANS Critical Control #20 by downloading the Best Practices Guide: Penetration Testing.