What is an ISMS program?
The NCSC defines penetration testing as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”
For the purposes of this article, we will couple this definition with that of an Information Security Management System (ISMS), which is “a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed.”
Many organizations maintain an ISMS for various reasons, such as obtaining ISO27001 certification, adhering to regulatory requirements, satisfying third-party demands, or following best practices. These entities often showcase their certifications and external approvals.
But how many of them thoroughly evaluate the effectiveness of their policy implementation?
An example of policy implementation is a password policy that sets out what a company expects of its users, who are required to create and maintain robust passwords to safeguard the organization’s information assets from unauthorized access and compromise.
In this case, organizations should verify the adequacy of their policy implementation by conducting rigorous technical validation and ensuring that all legacy accounts conform to the established standards. The policies an organization crafts should also be robust enough that conforming passwords withstand basic password-cracking tools.
What makes an effective security program?
A powerful security program should combine documented policies with testing of the logical controls that are being implemented, often through defined penetration testing schedules.
This article will outline some of the key concepts and activities that can be undertaken, breaking them down into four control categories: Identify, Protect, Detect, and Respond and Recover.
Control Category 1 – Identify
Access Control Policy: An access control policy outlines the procedures and protocols that an organization must follow to manage access to its digital assets. It includes policies related to user authentication, password management, and authorization. To ensure that the access control policy is effective, an organization can use penetration testing to help identify weak authentication protocols, insecure password management practices, gaps in least-privilege implementation, and unauthorized access attempts. For instance, a user may be conforming with Active Directory password requirements while still using dictionary words, or even personal passwords that appeared in previous data breaches.
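The technical validation described for the password policy above and in the access control section can be scripted: the check below, an added example rather than code from the article, shows how a password can satisfy AD-style complexity rules and still fail a dictionary or breach-corpus check. The wordlist, breached-hash set and leet-speak map are constructed for the example; a real review would load a full wordlist and a breach corpus of hashes.

```python
import hashlib
import re
import string

# Constructed sample data standing in for a dictionary and a breach corpus.
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "london"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "Welcome1!", "P@ssw0rd")
}

MIN_LENGTH = 8
# Common substitutions users apply to pass complexity rules (assumed list).
LEET_MAP = str.maketrans("@$!10345", "asiloeas")


def meets_complexity(password: str, username: str) -> bool:
    """AD-style complexity: minimum length, 3 of 4 character classes, no username."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return (
        len(password) >= MIN_LENGTH
        and sum(classes) >= 3
        and username.lower() not in password.lower()
    )


def normalise(password: str) -> str:
    """Reduce 'Summer2023!' to 'summer' and 'P@ssw0rd' to 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET_MAP))


def audit_password(password: str, username: str) -> list[str]:
    """Return policy findings for one credential; an empty list means it conforms."""
    findings = []
    if not meets_complexity(password, username):
        findings.append("fails complexity requirements")
    if normalise(password) in DICTIONARY_WORDS:
        findings.append("dictionary word with trivial substitutions")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        findings.append("appears in breach corpus")
    return findings
```

Run against exported hashes rather than plaintext where possible; the complexity check is the only one that needs the cleartext, and it can be applied at password-change time instead.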
Security and Awareness Training: Security and awareness training is an essential component of an ISMS and not just a mere policy. The training can be delivered to employees online or as interactive, instructor-led sessions. To gauge the efficacy of the training modules, phishing campaigns can be employed to assess the organization’s retention and comprehension levels. Specialist training for particular roles, such as secure developer training, can further strengthen this. Another avenue is to conduct a fully fledged red team exercise to determine whether the information acquired through phishing campaigns could be used to compromise the organization’s security posture.
Control Category 2 – Protect
Acceptable Use Policy: An acceptable use policy should encompass an organization’s expectations regarding employee usage and handling of end-user devices and company assets. Conducting a build review is a viable way to integrate penetration testing with the acceptable use policy. This approach entails scrutinizing the laptop’s operating system, applications, and peripheral devices to identify potential vulnerabilities that could compromise the security of the organization. By conducting a build review, an organization can identify areas where users may bypass the policy, as well as any potential risks arising from the use of removable media. This review can be supplemented with penetration testing, which involves simulating a real-world cyberattack to assess the efficacy of the laptop’s security controls.
Similarly, a laptop compromise scenario provides a valuable means of assessing the effectiveness of protective controls, including segmentation from other devices and the robustness of Intrusion Detection/Prevention Systems (IDS/IPS).
Physical Security Policy: A physical security policy defines the boundaries of the organization’s physical sites and covers (but is not limited to) physical security controls such as an occupied reception, RFID door passes, secure working areas, and clear desk/screen implementation. A physical penetration test and assessment can ascertain how well these controls are working, help determine the correct locations for CCTV coverage and general security design principles, and often includes elements of social engineering, such as whether or not the organization has a ‘challenge’ culture.
Control Category 3 – Detect
Network Security Policy: A network security policy is the set of requirements and procedures that an organization must follow to secure its network infrastructure. It includes policies related to firewall configuration, intrusion detection, and access control. To ensure that the network security policy is effective, an organization can conduct application and network penetration testing and vulnerability assessments to help identify network vulnerabilities, such as open ports, outdated firmware, and weak passwords, that could be exploited by attackers.
Secure Development Life Cycle (SDLC) Policy: A typical SDLC policy will incorporate secure system architecture and engineering principles, which are often supported by secure coding techniques and knowledge of common vulnerabilities such as the OWASP Top 10. Application testing is a fundamental aspect of the development lifecycle and can be strengthened by external penetration testing, which can assist in identifying potential vulnerabilities in an organization’s applications. For instance, it can highlight authentication, authorization, input validation, and session management weaknesses.
Related to the SDLC is testing of web applications, such as company websites, which is especially important for dynamic websites that use login procedures. Website penetration testing assesses the security and functionality of an organization’s website and can help identify potential vulnerabilities such as SQL injection, cross-site scripting, and broken authentication and session management. A web application test often covers multiple controls across Protect and Detect and, by proxy, controls in Identify and Respond and Recover, depending on how the internal teams handle such tests.
Control Category 4 – Respond and Recover
Incident Response Policy: An incident response policy outlines the procedures and protocols that an organization must follow in case of a cyberattack. It includes policies and procedures related to incident preparation, detection and analysis, response and recovery, and lessons learned.
Two types of testing can help improve these policies: a desktop-style review and a technical simulation, such as a simulated ransomware assessment or a laptop compromise scenario. Such exercises can help identify potential weaknesses in the incident response plan, such as inadequate communication protocols, slow response times, and ineffective recovery procedures.
Applying the Concepts to a Cloud Environment
The concepts outlined in the four control categories are not limited to traditional infrastructure; they also apply to your cloud environment. Configuration reviews are crucial to ensure that the cloud system is properly configured and complies with the organization’s security policies. These reviews examine, among other things, the configuration of network security groups, firewall rules, access control lists, identity and access management policies, data encryption, and data retention policies. This comprehensive assessment helps to identify any misconfigurations or vulnerabilities that could pose a risk to the security of the cloud environment. By conducting these reviews, organizations can maintain a robust security posture in the cloud and protect their data from unauthorized access or breaches.
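A configuration review of the kind described above can be expressed as policy checks over an exported inventory. The example below is added here and is not the article’s own; the inventory and its field names are a constructed, provider-neutral stand-in, and the thresholds (no internet-exposed management ports, encryption at rest, a 30-day minimum retention) are assumed policy values.

```python
from ipaddress import ip_network

# Constructed inventory resembling a normalised cloud export; the schema is an
# assumption for this example, not any provider's real API shape.
INVENTORY = {
    "security_groups": [
        {"name": "web-sg", "rules": [
            {"port": 443, "source": "0.0.0.0/0"},
            {"port": 22, "source": "0.0.0.0/0"},
        ]},
        {"name": "db-sg", "rules": [{"port": 5432, "source": "10.0.1.0/24"}]},
    ],
    "storage": [
        {"name": "backups", "encrypted": True, "retention_days": 365},
        {"name": "exports", "encrypted": False, "retention_days": 7},
    ],
}

# Assumed policy thresholds for the example.
MANAGEMENT_PORTS = {22, 3389}
MIN_RETENTION_DAYS = 30


def is_internet_exposed(source: str) -> bool:
    """A /0 source (IPv4 or IPv6) means the rule admits the whole internet."""
    return ip_network(source, strict=False).prefixlen == 0


def review_inventory(inventory: dict) -> list[str]:
    """Return findings, each tagged with the policy area it breaches."""
    findings = []
    for sg in inventory["security_groups"]:
        for rule in sg["rules"]:
            if rule["port"] in MANAGEMENT_PORTS and is_internet_exposed(rule["source"]):
                findings.append(
                    f"network: {sg['name']} exposes port {rule['port']} to the internet"
                )
    for bucket in inventory["storage"]:
        if not bucket["encrypted"]:
            findings.append(f"encryption: {bucket['name']} is not encrypted at rest")
        if bucket["retention_days"] < MIN_RETENTION_DAYS:
            findings.append(
                f"retention: {bucket['name']} keeps data "
                f"{bucket['retention_days']} days (< {MIN_RETENTION_DAYS})"
            )
    return findings
```

Each finding maps back to a policy clause, which is what lets the review report on policy conformance rather than only on raw misconfigurations.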
Integrating penetration testing with security policies
The incorporation of penetration testing with security policies is crucial to comprehensively assess your infrastructure. If you have not yet tested any of the technical aspects of your policies, it is recommended that you begin to do so.
Scheduled penetration testing can be performed on a defined timetable to facilitate budgeting and planning, or in the event of significant changes to the infrastructure. Just as we expect our staff to grasp security training, organizations must have a complete understanding of their infrastructure. Organizations should also consider the other activities to include in their security program, such as internal auditing, risk assessments, and threat modeling.
The consequences of a successful cyberattack can be significant and long-lasting, making any form of testing conducted by the organization a sound investment in its security. The benefits of identifying and remedying vulnerabilities far exceed the costs of failing to do so. By mitigating potential threats, organizations can significantly lower the risk of successful cyberattacks, safeguarding their brand reputation and the trust of their customers.