By now, even small organizations should know that they need periodic penetration testing focused on their critical processes if they hope to secure and protect their data. The question is, when this testing is being performed, are they getting something of value or just another checkbox on a compliance form? At MicroSolved, we believe in the first and we think you should get the latter naturally from the exercise. The problem is, the effort is NOT vice-versa.
Compliance-centric penetration testing is when the simulated attacker really takes the eye of an auditor. They focus only on testing the surfaces, elements and data sources absolutely required by the standard you are being tested against. These “penetration tests” are usually little more than a vulnerability scan and a run through by an engineer who “validates” that you are vulnerable. Little attention is paid to impact of compromise, how compromised systems and their information could be leveraged to get to the critical information or data and vulnerability chains (complex failures that cascade) are often ignored or completely unidentified. You can tell if the assessment is compliance-centric if the assessment doesn’t include items like testing multi-stage attacks, simulated malware and simulated social engineering failures. In many cases, for example, in the MicroSolved testing methodology, these attack surfaces are exercised, monitored, modeled and then regardless of outcome, emulated as if they failed during internal assessments to ensure reliable, real-world impacts are measured.
Threat-centric penetration testing, which by now, you probably know, is what MicroSolved is famous for. Our process doesn’t focus on compliance. It focuses on protecting your assets against the real world threats. We perform like an attacker, NOT like an auditor. We map attack surfaces, compare them to the real world, real-time data streams we get from the HoneyPoint Internet Threat Monitoring Environment (HITME) every day. We take our knowledge of what attackers do and how they work and apply it to your organization. We test the attack surfaces and note how they respond. We model what would happen if your controls succeed and what happens when they fail. Our testing takes a little while longer, and in some cases is a bit more expensive than the “scan and verify” providers, because our penetration team measures your systems against complex, multi-stage leveraged attacks just like you should expect from a real-world attacker targeting your data. We crack passwords, steal documents, social engineer your team, root through your electronic trash (and sometimes even the physical trash) and tear into your internal networks just as if we were a bot-herder, a malware author or a bad guy who got a job in customer service or the mailroom. We work with you to establish the scope and bounds of the exercise, but in the end, you get a real, true and holistic look at your defenses and the ways you can improve. You also get the capability to check that compliance box with the full knowledge and confidence that you tested not just their limited scope or with blinders on approach, but against a real-world, bleeding edge group of attackers focused on getting YOUR data.
At MicroSolved, we think that if you’re going to spend money on penetration testing, you should get what you pay for. You should get a real measurement against real threats and a real idea of what needs to be improved. If all you want is a checkbox, you can find plenty of folks to “scan and forget” with prices starting at FREE and ending at hundreds of thousands of dollars. Their cookie-cutter processes should let you check the box on your next set of forms, but maybe not sleep at night while you wonder if the data is really OK. On the other hand, working with a real-world emulating, threat-centric team, might cost a little more in the short run, but just of the money you’ll be saving in fines, legal fees and forensics costs for each attack vector mitigated in the event of a compromise. Give us a call. We’ll be happy to tell you more or work with you to set up a project to help you evaluate other penetration testing teams where MSI might not be a perfect fit.