A typical scenario emerges. The CISO receives this 'bloodstained' Pen-test report from the pen-testing company and one of the following usually happens:
- The CISO utters words like 'This problem will be fixed in the next week, or I will not rest' and subsequently files it in his cupboard and forgets about it for posterity until there is a massive security breach.
- The CISO delegates to the IT team or the team handling the implementation and they provide an excel sheet saying that they fixed (even though they didn't) and the CISO believes it because they are (supposed to be) doing their job. The problem festers.....
- The CISO receives the report and shares very limited (or even wrong) information to his key staff because of 'security reasons' or reasons of distrust. This leads to limited action because no one trusts anyone and the organization stays blissfully insecure (and not only emotionally).
- The CISO doesnt understand the technicalities. Blanket statements about IT security and governance are made and the ground realities are forgotten until a security breach shakes the very ground beneath them.
Quality: A good quality pen-test should be the first focus area for the CISO. The pen-test is conducted against the scoped IT environment (the IT components in scope for the test). The pen-tester should have used a solid methodology (Look for a specific 'methodology' section in the report). Most Pen-tests are not really Pen-Tests but cursory Vulnerability Assessments where the pen-tester has run some automated tools and identified vulnerabilities. The focus should be on depth, and depth is achieved through penetration attempts against the target IT component and the results from said penetration. A critical aspect of a quality pen-test is the report. The report has to be clear, comprehensive and provide specific recommendations on the given vulnerabilities. The report should ensure that the implementers should be able to comprehend and implement the provided recommendation. Another note to CISOs, DO NOT automatically accept a lower cost penetration test, it usually means lower quality. These are matters of your organization's information security.
Communication: I recently came across a CISO who wouldn't share results of the pen-test with the Implementation teams that required to fix it, citing 'Security reasons' as he didnt trust any of them to deliver. Many CISOs do not follow the 'Trust but verify' rule because they do not have the skills to verify. They provide limited (or even wrong) information to their implementation team on fixes and these cursory fixes are of little value in effectively correcting the vulnerability in the system(s). CISOs should communicate effectively with the Implementation teams, providing them enough information required to comprehensively fix the issue. Meaningful data, such as screenshots, downloaded files provided as a part of the pen-tester's results should be provided to the implementation team for them to grasp the issue and fix the vulnerability as effectively as possible.
Project Management: A Penetration Test, from a CISO's standpoint is a project in itself. The CISO has to define a project management plan for the fixes of the vulnerabilities. Based on the Risk Ranking of the vulnerabilities, the fixes should happen based on defined timelines. The culture of Information Security is tough to implement, as people will naturally tend to be convenience oriented, as opposed to security oriented, and this behaviour would manifest itself as vulnerabilities in the IT systems of the organization. The CISO has to cultivate a culture of security execution, where every team responsible for the fixes, delivers on the fixes and these fixes are verified by effectiveness and propriety before being signed off on. Sometimes, there are certain long-term or deep-rooted fixes that take a much longer time or effort in fixing. For instance, implementing encryption on a production database containing millions of records. The implementation of the fix in this scenario is a complicated one, requiring redesign and downtime. In that case, the CISO should actively consider and design compensatory controls to ensure that the lack of primary control is suitably compensated with the secondary control. The CISO should also contract with the pen-tester (either internal or external) to perform a re-test of the previous scope to ensure that the vulnerabilities have been fixed.
Review of Processes: Oftentimes, I have noticed that CISOs blindly fix results without paying heed to a flawed process/culture that would have led to the vulnerability existing in the first place. This is commonly seen with patch management, where a flawed patch management process would lead to inconsistent application of security patches across critical systems, allowing vulnerabilities in previous versions to still be at large, providing easy access to an attacker through a Code Execution exploit or a Denial of Service Exploit against the vulnerable system. The CISO should review and relook at the processes and procedures that exist in the organization and consider amending/overhauling the processes based on evolving security threats and the organization's response to it. This can ideally be achieved by reviewing pen-test or Vulnerability Assessment results from previous quarters or years.
Consistency: A Penetration Test is not a one-time activity (or atleast, it shouldn't be). The CISO should ensure that a pen-test is conducted bi-annually with a quarterly Vulnerability Assessment. Threats evolve consistently and exploit code is written every day for myriad software and applications. This necessitates the need for a repetitive assessment of the organization's IT environment over a period of time. In case the organization's IT environment is massive. The Penetration Test should cover representative samples of all IT components like routers, firewalls, desktops, servers and applications. The findings from all these tests should be used to harden the rest of the components in those sample classes.
Penetration Testing is a tough gig to take for entities. More often than not, they find themselves staring at very adverse results. They often lose heart and this exercise becomes nothing more than lip-service or a compliance check. Using some of these techniques, I have discussed (and I am sure there are many other concepts) I think CISOs or their equivalents in organizations can make a positive and meaningful change in the security stance of their organization.