When you hear the term “pen testing,” what do you envision? A web app test done with a dynamic scanning tool? A test done by a human being who’s digging deep to replicate what an attacker would do in the real world?
What about the term “network pen testing?” An automated discovery of your network infrastructure resulting in a pages-long report on what assets you have? A real-life person examining how your network is architected in order to flesh out vulnerabilities?
Depending on who you ask, each of the responses above could be right. And therein lies the conundrum. There’s no standardized lexicon in the cybersecurity world and it’s causing confusion among independent and organizational security professionals alike.
For organizations, the challenge is using the right terminology so they can seek out and price comparable services to meet their security needs, as well as understand exactly what they’re consuming from the security professionals they engage. For cybersecurity professionals, the hurdle lies in understanding just what an organization needs and expects to accomplish its security goals. And, if your industry is compliance-focused, regulatory drivers will also determine what type of assessments your company must perform, making it critical that you get your terminology right.
Clearing away confusion for cybersecurity terms
With these thoughts in mind, I hope to clear up some of the confusion with the following glossary all centered around penetration testing. First, let’s look at a few obvious terms.
Just what they sound like, adversary simulations enable you to obtain a comprehensive assessment of your company’s capacity to identify and respond to real-world threats and breach scenarios. Methods used include detective control testing, red team security operations (or red teaming) and social engineering penetration testing.
Secure code review
Secure code review techniques inspect source code and compiled code to identify security bugs, with full visibility into how an application is stitched together. There are many vulnerabilities that are hard to detect during penetration testing; source code review can complement an organization’s penetration testing efforts to more comprehensively detect vulnerabilities and, in many cases, identify vulnerabilities that are not possible to discover during dynamic testing and analysis.
This refers to penetration testing methods used to identify, validate and prioritize vulnerabilities in web, mobile, thick and virtual applications. Through application penetration testing, actionable guidance for remediating vulnerabilities and improving risk posture is critical.
There are several types of network penetration testing that companies should know about.
External. Identifies high-impact vulnerabilities in systems, web applications and cloud environments exposed to the internet. Testing also includes identifying insecure federated service configurations and sensitive data being stored in publicly accessible locations.
Internal. Detects high-impact vulnerabilities found in systems, web applications, Active Directory configurations, network protocol configurations and password management policies. These penetration tests often include network segmentation testing to determine if the controls isolating your crown jewels are sufficient.
Mainframe. With mainframes being one of a business’s most critical infrastructure, mainframe penetration testing provides actionable guidance to improve its security from the perspective of both an unauthenticated and authenticated attacker.
Wireless. Wireless penetration testing pinpoints security issues in wireless devices and wireless networks that could be used to breach or damage a network.
Newer cybersecurity terms confusing companies
Now, let’s take a look at two relatively new terms that are really muddying the waters, cloud testing and host-based testing.
People have been using the term “cloud” very loosely, and that’s a challenge. To some, the cloud means using software-as-a-service like Salesforce. To others, it exemplifies service from the likes of Amazon Web Services, Azure or Google Cloud for infrastructure that enables their business. A cloud platform can create exposure from network, application and configuration vulnerabilities that can result in external access to company credentials, internal systems and sensitive data. Depending on how you’re using “the cloud,” testing services can range from:
- system and services discovery;
- automated vulnerability scanning and manual verification;
- manual network protocol attacks;
- manual dictionary attacks;
- network pivoting;
- domain privilege escalation; and
- access sensitive data and critical systems.
Essentially, these services are helping to test and secure the cloud ecosystem that’s supporting an organization’s applications and business operations.
Host-based testing covers a wide range of tech, from desktop computers and laptops to virtual desktop infrastructure and application servers. Much attention has been placed on host-based testing recently because of the COVID-19 pandemic.
In March, a lot of organizations were in a rush to enable their employees to work from home. They focused more on granting employee access to technology than thinking through potential security impacts. For example, some companies assigned old computers with deprecated versions of Windows to employees, due to a shortage of Windows licenses. Others employed outdated VPN infrastructures with inherent, commonly known vulnerabilities so they could quickly enable remote desktop connections. Still others had their employees take their workplace desktops home and plug them into their home networks. All hasty decisions that have now changed these organizations’ threat landscape.
Host-based testing to the rescue. Host-based assessments may include the review of physical security controls, software security controls, user and group configurations, local access control configurations, local system configurations, local patch configurations, clear text storage of passwords and clear text storage of sensitive data. The biggest thing to realize about host-based testing is that it isn’t a one-time operation, as many believe it to be. With business environments more fluid than ever, the threat landscape is constantly evolving, which means that host-based assessments must occur on a regular basis.
One final cybersecurity term to know
All of the assessments discussed here are good at identifying security vulnerabilities. However, none of them are designed to holistically look at an entire workplace environment to find potential design flaws or vulnerabilities.
Say I come into your home to do a security inspection. I’ll see that the doors have locks; they turn the right way. If I press this button, the lights go on, etc. Each of these is merely a spot check — a specific point where you could fix an issue if there is one.
Now, imagine that you give me a blueprint to your house. I can see the architectural structure, where the studs are, how deep the foundation is, etc. I learn what materials were used to build the structure. With the blueprint, I have a much deeper understanding of the house and whether or not it contains design flaws. I don’t have to rely on just spot checking.
The same concept can be applied to cybersecurity with a service called threat modeling, which looks at a system from an architectural level and identifies potential security design flaws. This is critical, because we know that a large number of security issues are due to design-level flaws. Therefore, I suggest that “threat modeling” be added to your vocabulary and the top of your list when it comes to your security game.
Standardizing cybersecurity terms so everyone understands
Organizations are always-on, so your security should be too. Unfortunately, we often see that an inadequate security test can leave a company with a false sense of security. If, as an industry, we strive to talk the same language, I’m confident that ambiguity can be alleviated and techniques to find and exploit security gaps and vulnerabilities can be mobilized more quickly so that cybersecurity professionals can swiftly prioritize the most important vulnerabilities and orchestrate speedier remediation.
About the author
Nabil Hannan is a managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pen testing, secure code review and vulnerability remediation.