November 25, 2019
Penetration testing can be the best way to demonstrate the return on security spending and validate an organization's entire security posture, but establishing a comprehensive scope of work up front is critical, according to pentesting expert and security consultant Michael Glasser, speaking at an educational session during ISC East in New York City recently.
Glasser pointed to the recent Iowa case in which two pentesters, hired by a state agency to break into a county courthouse, were arrested by the county sheriff. The testers had a contract and a scope-of-work document defining what their activities could be, but the state and the county disputed which of them was responsible for the security of that building. The lesson, Glasser said, is that if you are contracting with pentesters to test security, make sure you actually have the authority to authorize that testing.
“Who is allowed to contract you to break into a place?” Glasser asked on behalf of pentesters everywhere. “What is the scope of work? Is the FBI allowed to ask you to break into the CIA? As an IT security guy, do you have the authority to contract with a company to break in physically to see if they can access the network that way?”
For companies considering hiring a pentesting firm, Glasser walked through his team's process: model the appropriate threat so the client understands what they actually should be worried about; gather intelligence; make an initial entry, during which the testers often take nothing but instead establish persistent, repeatable access; make a full entry; and perform return visits to see what kinds of attacks they can carry out from that foothold.
Glasser then demonstrated some of the simple things bad actors can do to circumvent a company's security and create monetary, physical or reputational loss. Proximity card copiers are available on Amazon for less than $10; simple off-the-shelf devices can get an attacker past a card reader; and bad actors can easily swap out the lock cylinders on publicly accessible doors (and then on other doors) and, from the removed cylinders, reverse engineer a master key.
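As an added illustration of why a sub-$10 copier defeats a typical proximity card (example code written for this page, not from Glasser's talk or any product he showed): the widely used 26-bit Wiegand layout, H10301, carries only an 8-bit facility code, a 16-bit card number and two parity bits. Nothing on the card is secret and there is no challenge/response, so a panel that receives the same bits from a blank accepts it, and one captured card also reveals its sequentially issued neighbours. The sample credentials and the panel allowlist below are constructed.

```python
"""Why a cheap copier works: the 26-bit Wiegand (H10301) credential is a
static, unencrypted number. Added example modelling the card format and a
minimal access-control panel; not code from the talk or any vendor."""

from typing import List, Tuple

Bits = List[int]


def _parity(bits: Bits) -> int:
    """Return 0 if the number of 1 bits is even, 1 if odd."""
    return sum(bits) % 2


def encode_26bit(facility_code: int, card_number: int) -> Bits:
    """Build the frame: even parity | 8-bit facility | 16-bit card | odd parity."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    fc = [(facility_code >> (7 - i)) & 1 for i in range(8)]
    cn = [(card_number >> (15 - i)) & 1 for i in range(16)]
    payload = fc + cn
    even_bit = _parity(payload[:12])       # leading bit makes bits 1-13 even
    odd_bit = 1 - _parity(payload[12:])    # trailing bit makes bits 14-26 odd
    return [even_bit] + payload + [odd_bit]


def decode_26bit(bits: Bits) -> Tuple[int, int]:
    """Parse a frame back to (facility_code, card_number); reject bad parity."""
    if len(bits) != 26:
        raise ValueError("expected 26 bits")
    payload = bits[1:25]
    if bits[0] != _parity(payload[:12]):
        raise ValueError("even parity check failed")
    if bits[25] != 1 - _parity(payload[12:]):
        raise ValueError("odd parity check failed")
    facility = int("".join(map(str, payload[:8])), 2)
    card = int("".join(map(str, payload[8:])), 2)
    return facility, card


def reader_accepts(bits: Bits, allowlist: set) -> bool:
    """Model of an access-control panel: parity check plus allowlist lookup.
    No challenge/response, so the panel cannot tell a clone from the original."""
    try:
        return decode_26bit(bits) in allowlist
    except ValueError:
        return False


def clone(bits: Bits) -> Bits:
    """What a copier does: read the raw bits from one card, write them to a blank."""
    return list(bits)


def neighbouring_cards(bits: Bits, span: int) -> List[Bits]:
    """From one captured card, forge frames for nearby card numbers in the same
    facility. Batches are usually issued sequentially, so one read exposes many."""
    facility, card = decode_26bit(bits)
    frames = []
    for n in range(card - span, card + span + 1):
        if 0 <= n <= 0xFFFF and n != card:
            frames.append(encode_26bit(facility, n))
    return frames


if __name__ == "__main__":
    # Constructed sample credentials (not real badge data).
    panel_allowlist = {(42, 1234), (42, 1235), (42, 1240)}
    captured = encode_26bit(42, 1234)
    print("frame:", "".join(map(str, captured)))
    print("clone accepted:", reader_accepts(clone(captured), panel_allowlist))
    forged = [f for f in neighbouring_cards(captured, 10)
              if reader_accepts(f, panel_allowlist)]
    print("forged neighbours accepted:", [decode_26bit(f) for f in forged])
```

The parity bits only catch a corrupted read; they offer no protection against replay. The practical check for a site is whether its readers and credentials use a format with a secret and mutual authentication at all, because no panel-side rule can distinguish a perfect copy of a static number from the card it was copied from.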
Glasser acknowledged that his audience of security executives, manufacturers of security products and integrators of security systems might see pentesters as an adversary, but as long as sellers of those products and services are honest about their limitations, pentesting should be a complementary part of the process that makes everyone better.
“If you made your customer aware of the risks and vulnerabilities and I’m simply proving something to them, that they’ve made an educated decision around accepting that risk, that’s okay,” he said. “But it’s your job to make sure they’re prepared.”