#90 - A CISO’s Guide to Pentesting

References

- https://en.wikipedia.org/wiki/Penetration_test
- https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
- https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
- https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
- https://pentest-standard.readthedocs.io/en/latest/
- https://www.isecom.org/OSSTMM.3.pdf
- https://s2.security/the-mage-platform/
- https://bishopfox.com/platform
- https://www.pentera.io/
- https://www.youtube.com/watch?v=g3yROAs-oAc

****************************

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Now, to get a good understanding of pentesting, we are going over the basics every CISO needs to understand:

1. What is it?
2. Where are good places to order it?
3. What should I look for in a penetration testing provider?
4. What does a penetration testing provider need to provide?
5. What's changing on this going forward?

First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?

Now let's start with providing a definition of a penetration test.
According to Wikipedia, a penetration test or pentest is an authorized simulated cyber-attack on a computer system, performed to evaluate the security of that system. It is really designed to show weaknesses in a system that can be exploited. Let's think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There are a lot of things you can test, but the thing to remember is that you have to prioritize whatever has the highest likelihood or the largest impact of causing the company harm. You need to focus on high likelihood and high impact because professional penetration tests are not cheap. They will usually cost between $10,000 and $30,000, but if you have a complex system, it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So you will usually define a clear standard: our company will perform penetration tests on customer-facing applications, PCI applications, and Financially Significant Applications (SOX applications) once per year.

My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies."

Please do not confuse a penetration test with a Red Team exercise. A red team exercise just wants to accomplish an objective, like stealing data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system.
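As an added example (not from the episode or its hosts): a small Python check that encodes the annual pentest standard described above, flags applications that still carry unremediated findings from your own vulnerability scan, and ranks the resulting backlog by likelihood times impact so the budget goes to the highest-risk systems first. The application names, dates and scores in the inventory are constructed for illustration.

```python
# Added example (not from the CISO Tradecraft episode): a policy-as-code check that
# applies the episode's annual pentest standard to a constructed application
# inventory and orders the resulting backlog by likelihood x impact.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ANNUAL_INTERVAL = timedelta(days=365)  # "once per year" from the standard


@dataclass
class Application:
    name: str
    customer_facing: bool
    pci: bool
    sox: bool                    # financially significant (SOX) application
    likelihood: int              # 1 (low) .. 5 (high): how likely it is to be attacked
    impact: int                  # 1 (low) .. 5 (high): harm to the company if it falls
    last_pentest: Optional[date] = None
    open_scan_findings: int = 0  # unremediated findings from your own vulnerability scan


def requires_annual_pentest(app: Application) -> bool:
    """The episode's standard: customer-facing, PCI and SOX apps get a pentest once per year."""
    return app.customer_facing or app.pci or app.sox


def pentest_due(app: Application, today: date) -> bool:
    """True when the standard applies and no pentest has happened within the last year."""
    if not requires_annual_pentest(app):
        return False
    if app.last_pentest is None:
        return True
    return today - app.last_pentest >= ANNUAL_INTERVAL


def risk_score(app: Application) -> int:
    """Simple likelihood x impact score used to rank where the budget goes first."""
    return app.likelihood * app.impact


def pentest_backlog(apps: List[Application], today: date) -> List[Tuple[str, int, bool]]:
    """(name, risk score, ready) for every app that is due, highest risk first.

    ready is False while the app still has unremediated scan findings: per the
    episode, fix what your own scanner finds before paying a pentester to find it.
    """
    due = [a for a in apps if pentest_due(a, today)]
    due.sort(key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a), a.open_scan_findings == 0) for a in due]


# Constructed sample inventory (hypothetical names, dates and scores).
TODAY = date(2023, 3, 1)
SAMPLE_INVENTORY = [
    Application("customer-portal", True, False, False, 5, 4, date(2022, 1, 15), 0),
    Application("card-gateway", False, True, False, 4, 5, None, 3),
    Application("gl-ledger", False, False, True, 2, 5, date(2022, 11, 1), 0),
    Application("intranet-wiki", False, False, False, 3, 2, None, 1),
]


def demo() -> List[Tuple[str, int, bool]]:
    """Backlog for the sample inventory as of TODAY."""
    return pentest_backlog(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, score, ready in demo():
        status = "ready to scope" if ready else "remediate scan findings first"
        print(f"{name}: risk {score}, {status}")
```

Run as-is, the sample inventory yields two applications due for a pentest: the PCI card gateway (never tested, but still carrying open scan findings, so not yet ready to scope) and the customer portal (last tested more than a year ago and ready). The SOX ledger was tested recently and the internal wiki falls outside the standard, so neither appears in the backlog. Swap in your own inventory export to get the same view for your environment.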

About the Podcast

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.