Episode Transcript
0:00
Good morning. You're listening to Breakfast Bites, and I am Felicia King.
0:03
I am going to talk about penetration testing today because I got questions about penetration testing.
0:11
And this is not the first time that I've had those questions,
0:13
and I don't believe I've ever actually addressed that topic formally here.
0:18
But so here we go. I'm going to address it formally.
0:20
A question I received was many times business owners, business decision makers
0:28
will be feeling like they need to have penetration testing for one reason or another.
0:34
And they don't know where to go. Part of their questions are,
0:40
who should they use to get penetration testing done?
0:44
And of course, they're price conscious about these things and why shouldn't they be?
0:51
And so then the question I got was, what would I recommend?
0:56
And so let's just talk about this because I feel like it's actually a very complicated
1:01
subject that I actually appreciate a question like this because it gives me
1:07
an opportunity to share my three decades of experience in cybersecurity.
1:14
And one of the reasons that I started doing the Breakfast Bites show back in
1:19
2004 was specifically to try to help decision makers, whether they are consumers
1:27
or they are business decision makers.
1:29
But fundamentally, whoever is a consumer of a product or service that is technology
1:35
related, I've always been seeking to try to help those folks make informed decisions.
1:41
And I think now more than ever, you really ought to be extremely thoughtful about counterparty risk.
1:48
And it can be very difficult to discern who is a trustworthy counterparty,
1:54
who is a vendor that you should be using.
2:00
I mean, look at CrowdStrike. CrowdStrike's got some major problems. I'm not going to rehash that here.
2:06
I covered that on another recent show.
2:10
But counterparty risk and doing vendor assessment and deciding who you're going
2:16
to use for what, that is, it's an interesting thing to talk about.
2:21
And I think it's more important now than ever. Okay.
2:25
So let's talk about penetration testing. When somebody says,
2:29
should I have a penetration test? Or they'll say to me something like, you know, my insurance company thinks I
2:34
ought to be having an annual penetration test. I think the first thing that you have to start from is what exactly is your objective?
2:44
One of the most frustrating things that business owners, presidents of businesses
2:50
have conveyed to me in the past is they will tell me, and I've heard this so
2:54
many times, I've just lost track of it. They'll say, we paid $20,000 for some testing or some assessment,
3:01
and we got these reports, we don't know what to do with them, and nothing got fixed.
3:10
Yep, that's oftentimes what happens. So if you think,
3:17
if you're getting a proposal from somebody to spend $20,000 to get a penetration
3:20
test and you haven't already completely exhausted
3:26
what you can do with automation tools run by your IT team.
3:35
Now, that's the key piece here. Who's your IT team?
3:38
Well, it's either going to be your internal IT department, and more often than
3:42
not, they do not have the capabilities to do these types of things.
3:45
So more often than not, it's going to be your IT consultancy that is going to help you with this.
3:52
So it could be your MSP, could be your MSSP, but ultimately,
3:56
you know, it's your IT consultancy of some shape, size, or flavor.
3:59
And the best way to figure out who those people are is to ask yourself the question,
4:04
who takes care of our networks and servers?
4:07
That's the question you ask. Who takes care of our email? Who takes care of
4:11
our network? Who takes care of our servers? And if that's your MSP, then that's who should be in this conversation with
4:20
you where you are saying,
4:22
the insurance company thinks we need to have an annual penetration test,
4:27
but we really don't want to light even $7,500 on fire.
4:32
This is a price that I saw as recently as yesterday.
4:34
I've seen this price, and I've seen $20,000, $30,000.
4:41
Scoping what is included in that penetration test is something that really should
4:49
only be done by the personnel
4:53
who manage all your SaaS apps, Office 365, et cetera, all your servers and all
5:01
your network, and all your endpoints for that matter.
5:05
So if you're going to have a penetration test done,
5:08
it needs to be scoped correctly.
5:12
Most of the time, what I see is some executive who thinks, I'm going to
5:18
bring in this external third party, I'm going to do this thing under the radar.
5:23
I'm going to have them scope it out. They're going to tell me the thing, and then I'm just going to tell the IT department what to do.
5:29
I guarantee you, every single time that's done, they think they're checking
5:34
up on the MSP or they're checking up on the IT department.
5:40
Every single time I've seen, and I've seen a lot of these, every single time
5:44
it is scoped incorrectly because the conversation was happening with the wrong
5:49
people. So therefore, the results that you get are not terribly helpful.
5:55
And it's usually a bit of a fear porn situation as well.
6:00
So you'll have somebody coming in and saying like, whoa, I got all these results.
6:03
All right, well, it wasn't even scoped correctly.
6:08
And unless you are a chief technology officer,
6:11
or unless you are a CISO with very strong technical capabilities,
6:17
you're probably not going to be able to tell reality from Shinola with regards
6:23
to the results of any report.
6:26
I've seen so many times where the penetration testing company grossly misrepresents
6:35
the results to business decision makers,
6:40
and there's a bunch of fear porn that's spewed around. It doesn't help anybody at all.
6:47
So if I had a client who came to me and said, our insurance company wants us
6:51
to have an annual penetration test, I would turn it around and ask the question,
6:57
have you asked the insurance company? Or actually, can I just get on a meeting
7:01
with your insurance company? Can I just ask them, would it be satisfactory to them if we actually implemented a continuous
7:11
penetration testing technology that was highly automated, that was very low
7:16
cost, that was in the hands of the people who manage the servers and the network
7:21
and Office 365 and everything else, okay?
7:25
And that those people are able to use that system as a tool to identify gaps,
7:33
and they can then engage in a change management procedure to make a change to implement
7:40
maybe a more secure configuration.
7:43
And then they're going to be able to observe the altered results.
7:50
Hey, look, we fixed this problem and now we get good results. Demonstrable.
7:55
Not the baloney pucky where you pay somebody $7,500 or up to $30,000 to do some penetration test,
8:08
and they give you a report.
8:12
Maybe they have a meeting with you and tell you what they think you should fix,
8:15
and then maybe you fix those things, and then maybe they run a re-scan.
8:19
As far as I'm concerned, that's just lighting a ton of money on fire.
8:24
There is literally only one circumstance under which I want to pay even $7,500 for a penetration test.
8:34
And it's under the scenario that I've already spent the entire prior year with
8:41
a full-on, always-on, or regularly scheduled, is it every week?
8:49
Is it every month, every two weeks, whatever the heck it is,
8:51
you know, define the schedule, but I'm basically going to use an automation tool to do continuous vulnerability
8:57
assessment and continuous penetration testing and continuous assessment of secure
9:02
configuration management. Oh, yeah.
9:06
Yeah, you need to get all of those things fixed first.
9:10
Otherwise, all you're doing is lighting that money on fire for the penetration test.
9:15
Because really what that penetration test should be doing is it should be finding
9:19
the things that you couldn't find using COTS.
9:24
What is COTS? It's commercial off-the-shelf software.
9:31
That's what COTS is. And COTS is not a term I came up with. The federal government uses the term COTS.
9:37
That is, COTS is defined in the National Institute of Standards and Technology
9:42
standards with regard to information security technology sort of things. So that's what COTS is.
9:48
So, penetration testing. It's a lot of FUD, fear, uncertainty, and doubt.
9:53
FUD, FUD, FUD. But the correct way to solve it is not to waste money on a penetration
10:00
test by an outsourced third party.
10:03
The correct way to approach it is you go say to the people who manage your SaaS applications,
10:10
your email system, your servers, your networks, and your endpoints,
10:12
and you say, I want you to put in a continuous vulnerability assessment platform,
10:20
and hopefully, preferably, also a continuous penetration testing platform that
10:27
is then going to produce reports that then provide enough directly
10:33
actionable information so that the IT configuration personnel are able to know
10:39
objectively what the gaps are so that they can then go take actions to close those gaps.
10:45
And then the system will rescan, and Kaizen, rinse and repeat this process.
10:52
The name of the game here is return on security investment.
10:56
You do not want penetration test theater.
11:02
And that's what paying an outsourced third party, $7,500, $10,000,
11:08
$20,000, $30,000, that's what it is. It's theater.
11:12
So let's just kind of turn the tables on a bit of another scenario.
11:16
Let's say I'm the CISO and CTO of an acquirer, right?
11:21
And you're trying to sell your business and you want to make your business look
11:27
as good as possible and produce these reports for the acquirer.
11:32
If you presented me reports that came out of Tenable One,
11:38
as an example, I would frankly be much happier with something that was truly
11:44
correctly scoped and reports that
11:49
actually came from a highly professional known tool like that,
11:56
rather than if you had paid for,
12:01
air quote, penetration, and I really use the term loosely, penetration testing
12:05
company, to run this process.
12:09
Because here's like the little dirty secret on the back end of the penetration testing services.
12:16
It's like a lot of the cybersecurity buzz.
12:20
It's like a giant honeypot. So you've got a whole bunch of salespeople that
12:26
are out there going like, oh, hot doggy, I'm going to find somebody that I can hire to basically run an automation platform,
12:36
and then we're going to mark it up bonkers and make a $500 an hour bill rate on it.
12:41
I kid you not, this is what goes on. And it's a completely wrong paradigm because
12:47
of the fact that it completely obliterates the ability for the people who truly
12:54
are the ones who are responsible for secure configuration management to be able to have the budget,
13:01
to have the tools, so they can have the objective data to provide meaningful
13:07
return on security investment to the business.
13:12
So, if you were going to go blow $7,500 on a... These are the prices I see.
13:19
Publicly available on websites. $7,500, $10,000, $20,000, $30,000. Different scopes.
13:25
But ultimately, the floor I see is like $7,500 for that.
13:31
Viewside, I'm going to give you $7,500 to give us some very meaningful stuff
13:36
to make our company look really, really, really good, ready for an acquisition, right?
13:42
We want to get paid top dollar in a purchase.
13:45
I know exactly what I'd do. I'd get Tenable One.
13:49
I would get a product called Cention for secure configuration management.
13:53
And I would ensure that there was a systems management platform.
13:59
I would ensure that there is a really quality EPDR platform with an integrated
14:04
NOC and SOC, but not outsourced.
14:06
So let's be clear, not outsourced. The paradigm I'm conveying to you is that
14:12
the power comes from not playing games with trying to have three different vendors involved,
14:22
you know, or two different vendors involved.
14:25
It needs to be, you need to figure out who's your chief technology officer.
14:30
Not your IT director, not your IT manager, not your PC technician.
14:36
No, I'm actually talking about like a real CTO here.
14:40
Go to your CTO or your CISO and they need to be in charge of this.
14:46
They need to be the ones who are assessing this scenario because I see too much
14:52
where it's just this fear porn gets spewed and somebody thinks they're going
14:57
to play sneaky Pete on the IT department or the MSP.
15:01
Well, we're going to run this penetration test because we
15:04
gotta, you know, we gotta check out whether or not you're really doing your job.
15:07
I mean, it's just such a pile of baloney because the
15:10
reality is that until the business
15:13
decision makers actually say, we're gonna fund you having these tools so that
15:22
you have the objective data to know what to go correct and that we actually
15:29
want you to do that type of stuff. Until that happens, whoever is doing the IT, whether it's the MSP or the internal
15:37
IT department, they don't have the resources, nor do they have the political
15:41
will and backing by the management team to do those changes.
15:44
I'll give you a great example. I made a recommendation to a company to disable SMS as an MFA mechanism for M365.
15:53
The executive management team wouldn't make a decision about it.
15:57
So, no, that's a very typical thing.
16:01
So, you know, you cannot be falling into this trap of saying that we're going
16:07
to use penetration testing to check whether or not the IT department is doing
16:10
what they're supposed to be doing. Because how do you even know what they're supposed to be doing?
16:13
You know, if the executive management team has not actually said,
16:18
we want this, we support it.
16:21
And in fact, most of the time, they're sending exactly the opposite messaging. And that's the problem.
16:28
The messaging that they frequently send is that IT is an expense,
16:33
and I don't want you to spend money on anything. Okay.
16:37
So there you go. That's the real skinny on penetration testing.
16:42
I completely reject the concept
16:46
of hiring an outsourced third-party penetration testing company to run a penetration
16:55
test when you haven't already penetration tested the heck out of yourself with your own IT team.
17:03
And that you've already closed all the gaps that you were aware of and then
17:11
became aware of as a product of the tool.
17:16
And that as far as you're concerned, you think you've got flying colors now. Look at us.
17:23
We're getting awesome reports out of this. We are the super goodness.
17:28
That's when you actually go
17:31
and hire a very high quality penetration testing company who can do very sophisticated
17:38
advanced things that the continuous
17:43
penetration testing software cannot do. But I'm going to caveat it
17:49
by saying that you better have a regulatory requirement to justify that expenditure
17:55
because the floor for something like that is in the range of 30 grand.
18:01
And the vast majority of organizations that are out there do not need to spend that money.
18:05
The vast majority do not
18:09
need that kind of advanced humans, literally
18:14
like walking into the parking lot with USB flash drives with malware on them
18:20
and dropping a flash drive in the parking lot and then trying to get into a
18:23
building, and, you know, I mean, like, that's the kind of stuff that happens when
18:27
you've actually got a really hardcore, you know, penetration test. And so why are we paying humans,
18:34
the wrong humans, I might add, to do work that simply the purchase of the correct
18:42
technology and putting it in the hands of the people who actually maintain those
18:46
and manage those systems on a daily basis,
18:49
those are the people that need to be empowered. So there you go. I bet that's not the answer you expected about penetration
18:56
testing, but that's the real skinny on penetration testing.