Gemma Moore 4 January, 2022

Accounting for key business security concerns in penetration testing

When it comes to penetration testing, if you have a good idea what you are really worried about as a business, you can get better results. The more we know about you, your business and your security concerns when we conduct your pentest, the more focused and accurate our risk ratings can be, and the more tailored to your environment our advice can be.

An important part of ensuring that our penetration tests cover all relevant techniques and tactics lies in understanding the functional and security requirements of the system or application in scope for testing – we work closely with our customers to capture this information during the scoping of any penetration test, and during initial conversations with the testing team to ensure that we understand the environment that the system or application is deployed in, the use cases for the application and what the relevant threats and concerns are.

As well as conducting standard linear penetration testing, we also address specific scenarios of concern to our customers, taking into account the relevant threats to their systems and their business. We try to capture these scenario-based principal security concerns during scoping. When embraced by our customers, this approach allows us to directly address scenarios of concern to risk owners and regulators by answering specific questions. As an example, a risk owner might wish to know whether the audit controls for a particular user type are robust, or whether there are any mechanisms to bypass those controls.

When we understand the threats to the business, we can follow a threat-led approach and simulate activities from both unauthenticated and authenticated adversaries, following our robust methodology. As ever, we use both automated tools and manual expert analysis to ensure that we achieve rigorous coverage during our assessments. When we understand the risk landscape, we can also demonstrate aggregate risk in our reports, and the attack paths an adversary might take to chain vulnerabilities together and achieve an objective. Often, this is important for a full appreciation of the risk.

As an example of the importance of context, we recently conducted an assessment of a bank's application authentication mechanism - a key component for the security of all services that the bank provided. The authentication mechanism was based on a COTS product, but the implementation of the technology in use was new, and the high threat level meant that complete coverage of assurance testing was critical for the bank to maintain the right level of security and compliance around the solution. The customer's principal security concerns revolved around organised criminal gangs targeting the bank's consumer user base via phishing attacks.

We conducted a comprehensive penetration test of the authentication mechanism, including associated APIs and mobile applications.

The assessment of the solution did not identify any individual vulnerabilities or weaknesses presenting a risk above a 'moderate' level - and most findings were low risk in isolation. By understanding the requirements of the solution and the threat environment surrounding the application, the testing team was able to chain the identified vulnerabilities and weaknesses together to prove a viable attack chain which would lead to account compromise via a phishing campaign against bank consumers - representing a high overall risk to the bank.

Because our consultants were able to capture and contextualise this aggregate risk for our customer, the customer was able to dedicate the right resources to disrupting that potential attack path and therefore prevent exploitation of this risk once the application was launched. Had we not understood the key concerns for the application and the security assumptions being made, those moderate and low risk findings might not have been accorded the right priority.

For anybody who isn't sure how to get the best value for money from their penetration testing, there's an actionable message here: understand what keeps you awake at night, and build a relationship with your penetration testing provider so that they can bring that context to their testing for you.
