August 15, 2024 19 mins

Welcome to Breakfast Bytes with Felicia King. Today, we delve deep into the often-misunderstood realm of penetration testing. As business owners grapple with the necessity and costs associated with these tests, Felicia demystifies the process, drawing from her three decades of cybersecurity expertise.

In this episode, discover why traditional penetration testing might just be a costly theater act and learn the importance of continuous vulnerability assessments. Felicia shares compelling anecdotes and practical advice on how to genuinely safeguard your business without burning through your budget.

Join us as we explore the intricate dance between IT teams, automated tools, and the critical decisions that can make or break your company's security posture. This is not just another tech talk; it’s a narrative that could redefine how you view cybersecurity investments.


Quick recap

Felicia emphasized the importance of understanding the objectives of the test, and cautioned against overpaying for tests that may not be necessary or effectively scoped.

Next steps

• IT team to implement continuous vulnerability assessment and penetration testing platforms for regular, automated security checks.

• CTO/CSO to assess and oversee the implementation of security tools like Tenable One and Senteon for secure configuration management.

• Executive management team to allocate budget and provide support for IT department/MSP to implement necessary security changes and tools.

Summary

Test Scope and IT Consultancy Management

Felicia also advised that the test should be scoped correctly and conducted by the IT consultancy that manages the company's networks, servers, and applications. She cautioned against overpaying for tests that may not be necessary or effectively scoped.

External Testing Approach and COTS Definition

She argued that bringing in an external third party to conduct a test without proper consultation and scoping can lead to incorrect results. She emphasized that a correctly scoped, continuous approach run by the team that manages the systems would be more effective in identifying and addressing vulnerabilities, and would provide demonstrable results. Felicia also clarified the term 'COTS' (commercial off-the-shelf software) as defined by the National Institute of Standards and Technology in the context of information security technology.

Enhancing IT Configuration for Business Acquisition

She argues that this approach provides more meaningful and actionable information, enabling IT configuration personnel to effectively address identified gaps. Felicia also highlights the importance of using recognized and professional tools like Tenable One and Senteon for secure configuration management. She emphasizes that this approach offers a better return on security investment and is more beneficial for businesses seeking to be acquired.

IT Testing and Business Decision Makers' Guidance

She suggests that business decision makers should provide clear direction and funding for IT before such tests are conducted.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Good morning. You're listening to Breakfast Bites, and I am Felicia King.
I am going to talk about penetration testing today because I got questions about penetration testing.
And this is not the first time that I've had those questions,
and I don't believe I've ever actually addressed that topic formally here.
But so here we go. I'm going to address it formally.

(00:20):
A question I received was many times business owners, business decision makers
will be feeling like they need to have penetration testing for one reason or another.
And they don't know where to go. Part of their questions are,

(00:40):
who should they use to get penetration testing done?
And of course, they're price conscious about these things and why shouldn't they be?
And so then the question I got was, what would I recommend?
And so let's just talk about this because I feel like it's actually a very complicated

(01:01):
subject that I actually appreciate a question like this because it gives me
an opportunity to share my three decades of experience in cybersecurity.
And one of the reasons that I started doing the Breakfast Bites show back in
2004 was specifically to try to help decision makers, whether they are consumers

(01:27):
or they are business decision makers.
But fundamentally, whoever is a consumer of a product or service that is technology
related, I've always been seeking to try to help those folks be making informed decisions.
And I think now more than ever, you really ought to be extremely thoughtful to counterparty risk.

(01:48):
And it can be very difficult to discern who is a trustworthy counterparty,
who is a vendor that you should be using.
I mean, look at CrowdStrike.
CrowdStrike's got some major problems. I'm not going to rehash that here.
I covered that on another recent show.

(02:10):
But counterparty risk and doing vendor assessment and deciding who you're going
to use for what, that is, it's an interesting thing to talk about.
And I think it's more important now than ever. Okay.
So let's talk about penetration testing. When somebody says,
should I have a penetration test?

(02:31):
Or they'll say to me something like, you know, my insurance company thinks I
ought to be having an annual penetration test.
I think the first thing that you have to start from is what exactly is your objective?
One of the most frustrating things that business owners, presidents of businesses
have conveyed to me in the past is they will tell me, and I've heard this so

(02:54):
many times, I've just lost track of it.
They'll say, we paid $20,000 for some testing or some assessment,
and we got these reports and we don't know what to do with it. and nothing got fixed.
Yep, that's oftentimes what happens. So if you're gonna have a, if you think,

(03:17):
if you're getting a proposal from somebody to spend $20,000 to get a penetration
test and you haven't already completely exhausted.
What you can do with automation tools run by your IT team.
Now, that's the key piece here. Who's your IT team?

(03:38):
Well, it's either going to be your internal IT department, and more often than
not, they do not have the capabilities to do these types of things.
So more often than not, it's going to be your IT consultancy that is going to help you with this.
So it could be your MSP, could be your MSSP, but ultimately,
you know, it's your IT consultancy of some shape, size, or flavor.

(03:59):
And the best way to figure out who those people are, is ask yourself the question,
who takes care of our networks and servers?
That's the question you ask. Who takes care of our email? Who takes care of
our network? Who takes care of our servers?
And if that's your MSP, then that's who should be in this conversation with

(04:20):
you where you are saying,
the insurance company thinks we need to have an annual penetration test,
but we really don't want to light even $7,500 on fire.
This is a price that I saw as recently as yesterday.
I've seen this price where I've seen $20,000, $30,000.

(04:41):
Scoping what is included in that penetration test is something that really should
only be done by the personnel of,
who manage all your SaaS apps, Office 365, et cetera, all your servers and all
your network, and all your endpoints for that matter.

(05:05):
So you need to have, if you're going to have a penetration test done,
it needs to be scoped correctly.
Most of the time, what I see is some executive who thinks that I'm going to
bring in this external third party, I'm going to do this thing under the radar.
I'm going to have them scope it out.

(05:25):
They're going to tell me the thing, and then I'm just going to tell the IT department what to do.
I guarantee you, every single time that's done, they think they're checking
up on the MSP or they're checking up on the IT department.
Every single time I've seen, and I've seen a lot of these, every single time
it is scoped incorrectly because the conversation was happening with the wrong

(05:49):
people. So therefore, the results that you get are not terribly helpful.
And it's usually a bit of a fear porn situation as well.
So you'll have somebody coming in and saying like, whoa, I got all these results.
All right, well, it wasn't even scoped correctly.
And unless you are a chief technology officer,

(06:11):
or unless you are a CISO with very strong technical capabilities,
you're probably not going to be able to tell reality from Shinola with regards
to the results of any report.
I've seen so many times where the penetration testing company grossly misrepresents

(06:35):
the results to business decision makers,
and there's a bunch of fear porn that's spewed around. It doesn't help anybody at all.
So if I had a client who came to me and said, our insurance company wants us
to have an annual penetration test, I would turn it and ask the question,

(06:57):
have you asked the insurance company or actually, can I just get on a meeting
with your insurance company?
Can I just ask them, would it be satisfactory to them if we actually implemented a continuous
penetration testing technology that was highly automated, that was very low
cost, that was in the hands of the people who manage the servers and the network

(07:21):
and Office 365 and everything else, okay?
And that those people are able to use that system as a tool to identify gaps,
they can then engage in a change management procedure to make a change to implement
maybe a more secure configuration.

(07:43):
And then they're going to be able to observe the altered results.
Hey, look, we fixed this problem and now we get good results. Demonstrable.
Not a baloney pucky of you pay somebody $7,500 or up to $30,000 to do some penetration tests,

(08:08):
and they give you a report.
Maybe they have a meeting with you and tell you what they think you should fix,
and then maybe you fix those things, and then maybe they run a re-scan.
As far as I'm concerned, that's just lighting a ton of money on fire.
There is literally only one circumstance under which I want to pay even $7,500 for a penetration test.

(08:34):
And it's under the scenario that I've already spent the entire prior year with
a full-on, always-on, or regularized scheduled, is it every week?
Is it every month, every two weeks, whatever the heck it is,
you know, define the schedule,
but I'm basically going to use an automation tool to do continuous vulnerability

(08:57):
assessment and continuous penetration testing and continuous assessment of secure
configuration management. Oh, yeah.
Yeah, you need to get all of those things fixed first.
Otherwise, all you're doing is lighting that money on fire for the penetration test.
Because really what that penetration test should be doing is it should be finding

(09:19):
the things that you couldn't find using COTS.
What is COTS?
It's commercial off-the-shelf software.
That's what COTS is. And COTS is not a term I came up with. The federal government uses the term COTS.
That is, COTS is defined in the National Institute of Standards and Technology

(09:42):
standards with regards to information security technology sort of things. So that's what COTS is.
So, penetration testing. It's a lot of FUD, fear, uncertainty, and doubt.
FUD, FUD, FUD. But the correct way to solve it is not to waste money on a penetration
test by an outsourced third party.

(10:03):
The correct way to approach it is you go say to the people who manage your SaaS applications,
your email system, your servers, your networks, and your endpoints,
and you say, I want you to put in a continuous vulnerability assessment platform,
and hopefully, preferably, also a continuous penetration testing platform that

(10:27):
is then going to produce reports that then provide enough directly,
actionable information so that the IT configuration personnel are able to know
objectively what the gaps are so that they can then go take actions to close those gaps.
And then the system will rescan and Kaizen, rinse and repeat this process.

(10:52):
The name of the game here is return on security investment.
You do not want a penetration test of theater.
And that's what paying an outsourced third party, $7,500, $10,000,
$20,000, $30,000, that's what it is. It's theater.

(11:12):
So let's just kind of turn the tables on a bit of another scenario.
Let's say I'm the CISO and CTO of an acquirer, right?
And you're trying to sell your business and you want to make your business look
as good as possible and produce these reports for the acquirer.
If you presented me reports that came out of Tenable One,

(11:38):
as an example, I would frankly be much happier with something that was truly
correctly scoped and reports that
actually came from a highly professional known tool like that,
rather than if you had paid for,

(12:01):
air quote, penetration, and I really use the term loosely, penetration testing
company, to run this process.
Because here's like the little dirty secret on the back end of the penetration testing services.
It's like a lot of the cybersecurity buzz.
It's like a giant honeypot. So you've got a whole bunch of salespeople that

(12:26):
are out there going like,
oh, hot doggy, I'm going to find somebody that I can hire to basically run automation platform,
and then we're going to mark it up bonkers and make $500 an hour bill rate on it.
I kid you not, this is what goes on. And it's a completely wrong paradigm because

(12:47):
of the fact that it completely obliterates the ability for the people who truly
are the ones who are responsible for secure configuration management to be able to have the budget,
to have the tools, so they can have the objective data to provide meaningful

(13:07):
return on security investment to the business.
So, if you were going to go blow $7,500 on a... These are the prices I see.
Publicly available on websites. $7,500, $10,000, $20,000, $30,000. Different scopes.
But ultimately, the floor I see is like $7,500 for that.

(13:31):
Viewside, I'm going to give you $7,500 to give us some very meaningful stuff
to make our company look really, really, really good, ready for an acquisition, right?
We want to get paid top dollar in a purchase.
I know exactly what I'd do. I'd get Tenable One.
I would get a product called Senteon for secure configuration management.

(13:53):
And I would ensure that there was a systems management platform.
I would ensure that there is a really quality EPDR platform with an integrated
NOC and SOC, but not outsourced.
So let's be clear, not outsourced. The paradigm I'm conveying to you is that
the power comes from not playing games with trying to have three different vendors involved,

(14:22):
you know, or two different vendors involved.
It needs to be, you need to figure out who's your chief technology officer.
Not your IT director, not your IT manager, not your PC technician.
No, I'm actually talking about like a real CTO here.
Go to your CTO or your CISO and they need to be in charge of this.

(14:46):
They need to be the ones who are assessing this scenario because I see too much
where it's just this fear porn gets spewed and somebody thinks they're going
to play sneaky Pete on the IT department or the MSP.
Well, we're going to run this penetration test because we
gotta, you know, we gotta check out whether or not you're really doing your job.

(15:07):
I mean, it's just such a pile of baloney because the
reality is that until the business
decision makers actually say we're gonna fund you having these tools so that
you have the objective data to know what to go correct and that we actually

(15:29):
want you to do that type of stuff.
Until that happens, whoever is doing the IT, whether it's the MSP or the internal
IT department, they don't have the resources, nor do they have the political
will and backing by the management team to do those changes.
I'll give you a great example.
I made recommendation to a company to disable SMS as an MFA mechanism for M365.

(15:53):
The executive management team wouldn't make a decision about it.
So, no, that's a very typical thing.
So, you know, you cannot be falling into this trap of saying that we're going
to use penetration testing to check whether or not the IT department is doing
what they're supposed to be doing.
Because how do you even know what they're supposed to be doing?
You know, if the executive management team has not actually said,

(16:18):
we want this, we support it.
And in fact, most of the time, they're sending exactly the opposite messaging. And that's the problem.
The messaging that they frequently send is that IT is an expense,
and I don't want you to spend money on anything. Okay.
So there you go. That's the real skinny on penetration testing.

(16:42):
I completely reject the concept
of hiring an outsourced third-party penetration testing company to run a penetration
test when you haven't already penetration tested the heck out of yourself with your own IT team.

(17:03):
And that you've already closed all the gaps that you were aware of and then
became aware of as a product of the tool.
And that as far as you're concerned, you think you've got flying colors now. Look at us.

(17:23):
We're getting awesome reports out of this. We are the super goodness.
That's when you actually go
and hire a very high quality penetration testing company who can do very sophisticated
advanced things that the continuous

(17:43):
penetration testing software cannot do, but I'm going to caveat it
by saying that you better have a regulatory requirement to justify that expenditure
because the floor for something like that is in the range of 30 grand.
And the vast majority of organizations that are out there do not need to spend that money.

(18:05):
The vast majority do not
need that kind of advanced humans, literally
like walking into the parking lot with USB flash drives with malware on them
and dropping a flash drive in the parking lot and then trying to get into a
building. And, you know, I mean, like, that's the kind of stuff that happens when

(18:27):
you've actually got a really hardcore, you know, penetration test. And so why are we paying humans,
the wrong humans, I might add, to do work that simply the purchase of the correct
technology and putting it in the hands of the people who actually maintain those
and manage those systems on a daily basis,

(18:49):
those are the people that need to be empowered.
So there you go. I bet that's not the answer you expected about penetration
testing, but that's the real skinny on penetration testing.