Want an eye-opening view of your institution’s true vulnerability? Conduct penetration (pen) testing. Pen testing, when performed by experienced, qualified, and ethical hackers, can either give you peace of mind and allow you to sleep well or show you weaknesses that will keep you up at night. Whatever the outcome, organizations are always glad they conducted a pen test.
To be clear, this is not a basic security scan or assessment to identify vulnerabilities. A pen test actually tries to compromise security, or “hack” into your network. Scans and assessments have their place and should be performed routinely. But pen testing raises the bar and puts your defenses (and people) to the test against a real-world attack.
Here are the top five reasons why your financial institution should include pen testing in its security repertoire:
- Validate Controls. As cybersecurity professionals, we commonly hear claims from plenty of IT people defending their efforts. They’ll say, “We couldn’t get hacked because we have X-Y-Z in place,” or “You wouldn’t have found that vulnerability if we didn’t give you access to A-B-C.” All that may be true—but prove it. IT leaders worth their salt will welcome the opportunity to do a stress test. This will either give C-level management confidence in the investments that have been made or provide a valuable learning opportunity and justify investments in additional controls.
- Prioritize Risk. It can be hard for financial institutions to keep up with competing priorities resulting from new technology, evolving threats, and increased regulatory scrutiny. Unlike a vulnerability assessment that results in a laundry list of “to-dos,” pen tests will identify issues that must be fixed right away. For example, if your boat is taking on water because there’s a hole in the hull, you know it must be fixed before repairing the seat cushions. There is no better way to establish security priorities than by proving the potential of exploits and quantifying the magnitude of potential business and operational impacts of successful attacks.
- Improve Detection and Alerting. Considering that the average time between network compromise and detection is over 200 days, it is critical that your financial institution has “layered security” to detect breaches as soon as possible. Some institutions have in-house solutions to monitor security, but most outsource this responsibility to a vendor. In either case, penetration testing provides a great opportunity to test the effectiveness of your detective controls, ensuring they are properly tuned—and that you are getting what you pay for if you use a vendor.
- Find the Backdoors. Sometimes when looking at individual controls, it is easy to miss “gaps” between layered security controls. It’s like having the strongest lock in the world to protect the front door of your home but leaving the key under the mat; the lock is meaningless and your family is still at risk. Good penetration testers will not only assess the quality of your locks, but also look under the mats and use other tactics to identify the backdoors that put your financial institution at risk. Getting this outside perspective from a motivated attacker helps to discover vulnerabilities that may not be seen through an insider’s lens.
- Comply With Regulatory Guidance. With the release of the FFIEC Information Security Handbook in September 2016 and the introduction of the FFIEC Cybersecurity Assessment Tool (CSAT), there is finally some definition and guidance around pen testing. Previously, the guidance was loose, causing confusion for institutions. This also allowed vendors to market basic scanning and assessment services as “penetration tests,” which they are not.
Now, the FFIEC clearly defines penetration testing in the glossary of the Information Security Handbook:
Penetration test: The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.
By clarifying that penetration testing must be completed by qualified personnel who can conduct “real-world attacks,” the FFIEC clearly distinguishes pen testing from vulnerability scanning services.
There are also several references in the handbook as to how financial institutions should incorporate pen testing into their testing and audit plans to complement scan and assessment activities. Furthermore, the FFIEC CSAT provides the following guidance as a cybersecurity baseline control (Domain 3):
Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network.
Layer on the Testing
Financial institutions often ask, “What types of testing should we do?” The best answer is that each type of testing has its place, and institutions should use a variety of testing methods to provide a complete and accurate picture. Just as there should be a “layered approach” to security so that strengths in one control can compensate for weaknesses or failures in another, there should likewise be a layered approach to testing, validation, and auditing of security controls to provide adequate coverage.
But you also have an institution to run. Cost, value, and the return on investment are all factors to consider in your strategy. Wipfli can work with your institution to put together a practical cybersecurity testing and audit plan that provides the coverage you need within a reasonable budget.
For more information on creating a plan and discussing options, contact Jeff Olejnik at 952.230.6488 or jolejnik@wipfli.com or your Wipfli relationship executive.