Test Me Again

“Nation-state threat actor” is pretty bad. “Malware-as-a-Service” is not great either. But “misconfiguration” is probably the last thing I want to hear if we are responding to a cybersecurity incident in our organization.

The reality is that our adversaries are continuously testing our risk surfaces. Most of the threats we see are opportunistic, but if we are not matching their tenacity, we will lose the race to find and remediate our flaws, vulnerabilities, and mistakes before they can be exploited.

I am endlessly thankful for the support I receive from my whole organization. From the executive office to the general staff, they are all supportive and willing to do their part to keep our organization safe.

Yet we are continuously testing their awareness with automated, randomized phish testing. Their awareness is a critical metric of how good a job we are doing in educating them to avoid the lures directed at them, lures that seek to gain a foothold in our organization.

I have long promoted breach and attack simulation (BAS) tools, and they are maturing rapidly. For us, simulating thousands of attacks across various vectors has quantifiably improved our security posture. I looked at our recent BAS testing scores and was pleased at the progress we have made, considering we thought ourselves pretty buttoned up before we implemented these tools. BAS testing opened our eyes to somewhat permissive settings across our security controls, which we have worked to tighten down over time.

I am also fully on board with continuous crowdsourced penetration testing. I understand that there are some controversies around the gig model for researchers and the issue of vulnerability-disclosure NDAs, but for organizations that cannot hire armies of skilled red-team security professionals, this model does a fair job of emulating the tactics and techniques of the varied threat actors probing our digital assets on an ongoing basis.

Make no mistake, I really do believe in point-in-time, focused testing from traditional security services firms. However, while high-quality assessments are certainly valued by all stakeholders, their findings are only relevant until the first system change or the first new code deployed into the organization.

In between, automated and/or crowdsourced continuous testing is critical to meeting the relentless challenges and threats, and to discovering the human error and misconfigurations that are inevitable in any organization.