Pen Testing After a Significant Change

by Sarah Harvey / October 8th, 2019

Penetration testing, or pen testing, is a proactive way for organizations to improve their security hygiene and assure their clients that the products and services they provide are as secure as possible. While many enterprises rely on internal audit teams to test the security of their networks, applications, and devices, undergoing third-party penetration testing is a surefire way to identify overlooked or unknown vulnerabilities, obtain remediation strategies and guidance, and gain peace of mind. But because pen tests are oftentimes merely a suggestion – as with HIPAA – or are only required annually – as with the PCI DSS – organizations overlook the value of undergoing pen testing after a significant change is made.

What Constitutes a Significant Change?

Think about the many components of your organization’s security infrastructure: software, hardware, networks, and even your personnel. How often are updates made to your software? How frequently do you replace hardware? What does your organization’s turnover rate look like? The goal of pen testing is to identify vulnerabilities in your IT infrastructure, which is constantly changing. When a significant change occurs, like developing a new web application, implementing a new smart security system, or having a senior-level executive retire, penetration tests are needed to account for any new risks or vulnerabilities that may be introduced.

Examples of Significant Change

Example 1: Updating Code in a Web Application

According to Verizon’s 2019 Data Breach Investigations Report, “Web application breaches made up nearly 30% of all breaches in 2018.” This should come as no surprise – nearly every organization uses web applications to provide or conduct business, and whether they are public-facing or exist on an intranet, they’re susceptible to many cyber threats like SQL injection, DoS, brute-force attacks, or malware. Let’s say that a director of IT has instructed her team to implement and deploy new code. While this code may be developed with security in mind and may go through ample security testing, there could still be undiscovered vulnerabilities. By undergoing pen testing and code review after developing the new code, organizations can rest assured that they performed their due diligence to make sure that the updated web application is secure.

Example 2: Introducing New IoT Devices

IoT devices have made daily tasks easier – from making coffee in the morning to securing your office building. But how might these devices compromise your organization’s security hygiene? Even the smallest, seemingly non-threatening IoT device could cause the demise of your organization if a malicious hacker used it to gain unauthorized access to your network. For instance, let’s say that your coworker brought in a smart picture frame – one that connects to your organization’s WiFi network to display images from your coworker’s phone. Seems pretty harmless, right? Now, if everyone in your organization did something similar, there would be multiple, seemingly non-threatening attack vectors that a malicious hacker could exploit. In scenarios like this, having a robust information security program, thorough internal auditing, and third-party continuous pen testing would be useful for discovering new vulnerabilities that the IoT devices may introduce.

Example 3: Accounting for Personnel Changes

Major changes to personnel can greatly impact your organization’s security hygiene. If a CISO or CTO leaves, how would that impact the entire IT department? If a developer or network administrator resigns, how would their responsibilities be covered or reassigned? Does the culture of compliance stay intact? Personnel changes are just as likely to introduce new risks into your environment, and undergoing continuous pen testing can help account for those changes.

How Can Continuous Pen Testing Help?

Undergoing annual penetration testing is a great first step for improving your organization’s security hygiene, but to really get the most out of your investment in pen testing, you should consider partnering with a third-party firm like KirkpatrickPrice to conduct continuous pen tests. Why? Because changes happen every day, and malicious hackers won’t give you an opportunity to fix the vulnerabilities those changes introduce before they exploit them. By investing in third-party continuous pen testing, organizations like yours will not only gain objective insight into the security of their IT infrastructure on a regular basis, receive actionable remediation steps to mitigate vulnerabilities, and maintain compliance, but will also be able to leverage their commitment to security and give customers peace of mind that the organization is doing everything it can to remain secure.

Businesses today are rapidly adopting new technologies, but are they staying ahead of the latest threats? Ask yourself if your organization is doing everything you can to prevent a data breach or security incident when the next significant change occurs. Not sure if you are? Contact us today to find out how KirkpatrickPrice’s penetration testing services can help.
