The public sector is struggling to break free of an outdated model of penetration testing (pentesting) that requires federal civilian agencies and state, local and higher education institutions alike to contend with approaches that don’t scale and can introduce their own security challenges. But these antiquated methods of security testing can’t be addressed until organizations understand what causes these problems: bandwidth, efficiency and security.
The traditional pentesting paradigm
Many public sector organizations entrust their pentesting to a small team of five to seven people who spend limited time on specific targets and submit a report about their findings. This process can take several weeks — and that doesn’t include how long it takes for security teams to review and respond to the report after it’s been filed.
This approach may seem thorough, but it’s ineffective because it’s not scalable. For any given organization, there are usually thousands of internal and external assets to test, which can force security teams to cut corners and introduce new risks. For instance, irregular testing that happens just once or twice a year leads to immense risk build-up and delayed, reactive responses to threats, rather than proactive risk identification and mitigation.
While there’s no such thing as a silver bullet solution to secure the public sector — or any sector for that matter — continuous pentesting addresses these issues head-on. It can address the inherent build-up of risk that is common when organizations only test once or twice a year. Similar to the continuous integration and continuous delivery (CI/CD) concept in software development, continuous pentesting can constantly buy down that risk, making consistency a huge advantage.
Here’s a breakdown of how continuous pentesting can fill the gaps facing the various subsets of the nation’s public sector.
Federal civilian agencies
Despite efforts to remediate these issues, federal agency leaders have been facing visibility problems for years. This is troublesome because it’s impossible to test and secure their environments without first understanding the breadth and depth of their attack surface.
Federal civilian agencies need an accurate inventory of their assets to develop a testing strategy. From there, CISOs and vulnerability management leaders have the foundation needed to explore options for shrinking and hardening the attack surface. Whether it’s implementing a plan for continuous common vulnerabilities and exposure (CVE) and known exploited vulnerabilities (KEV) scanning, developing an internal red team, or hiring an external vendor to conduct continuous penetration tests to identify and remedy gaps, choosing the right solution starts by understanding the complete attack surface.
Defense and intelligence communities
While defense and intelligence communities also have a large external attack surface, they face different challenges when it comes to penetration testing and vulnerability discovery. One notable recent challenge is COVID-19’s acceleration of the work-from-home trend, which spurred a wave of people building critically important software from home networks that are often woefully insecure.
This is when continuous testing by experts broke onto the scene as a security imperative, with vulnerability disclosures from the general public proving insufficient to address the authenticated nature of many unclassified applications and environments. The Defense Digital Service (DDS) recognized the need for ethical hackers and professional researchers to take a stab at its environment, and coined the “Continuous Bounty” program that’s still running today.
The value of continuous pentesting for the defense and intelligence communities cannot be overstated. A cross-domain pentesting capability enables organizations to securely transfer information between networks, especially in a complex threat landscape, and it encourages real-time reactions to threats posed by recently discovered vulnerabilities.
Software development teams in the defense and intelligence communities can reduce their time to remediation of vulnerabilities from days to hours, which is crucially important when considering the impacts of zero-days like Log4j, MOVEit and the new threat of adversaries’ artificial intelligence-enabled vulnerability hunting.
Any entities in the defense and intelligence communities still relying on traditional penetration testing methods are missing an opportunity to gain visibility and control over their environments and take back the power from adversaries.
State, local and higher education (SLED) organizations
SLED organizations are natural targets due to the lack of federation and funding for their cybersecurity tools and teams. Because each dollar spent on cybersecurity takes a dollar out of services or education for the public, vulnerability management budgets are often neglected or rely on grants.
The challenges these organizations face typically depends on whether they’re operating on-premise or through the cloud. Ongoing scanning of suspected vulnerabilities is a great first step to get visibility into and shrink and harden the attack surface. When it comes to applications that use personally identifiable information (PII) to perform transactions, state and local governments should regularly perform penetration tests to assess the security of their environments and the third-party services they use as plug-ins.
For SLED organizations that have moved to the cloud or are in the process of moving, testing the workloads both pre- and post-migration is a best practice to go beyond basic compliance. From there, taking advantage of native cloud security tooling and continuously testing “crown jewel” applications to ensure vulnerabilities are discovered, patched and utilizing secure coding practices delivers a true understanding of application security.
The bottom line is that vulnerability exploitation in software is becoming the norm and executive system owners can no longer feign a lack of awareness. Cyber defenders may work around the clock to secure applications, networks, endpoints and more, but all it takes is one successful adversary to cause a breach that can have a major impact.
Public sector security leaders using continuous penetration testing as part of their security testing strategy can rest assured knowing that they’re taking a dynamic approach to testing their attack surface. That proactive mindset is table stakes when it comes to protecting the public’s PII and safeguarding our national security.
Katie Bowen is vice president and general manager for global public sector and defense at Synack.
Addressing the public sector’s penetration testing problems
While there’s no such thing as a silver bullet solution to secure the public sector, continuous pentesting addresses these issues head-on.
The public sector is struggling to break free of an outdated model of penetration testing (pentesting) that requires federal civilian agencies and state, local and higher education institutions alike to contend with approaches that don’t scale and can introduce their own security challenges. But these antiquated methods of security testing can’t be addressed until organizations understand what causes these problems: bandwidth, efficiency and security.
The traditional pentesting paradigm
Many public sector organizations entrust their pentesting to a small team of five to seven people who spend limited time on specific targets and submit a report about their findings. This process can take several weeks — and that doesn’t include how long it takes for security teams to review and respond to the report after it’s been filed.
This approach may seem thorough, but it’s ineffective because it’s not scalable. For any given organization, there are usually thousands of internal and external assets to test, which can force security teams to cut corners and introduce new risks. For instance, irregular testing that happens just once or twice a year leads to immense risk build-up and delayed, reactive responses to threats, rather than proactive risk identification and mitigation.
While there’s no such thing as a silver bullet solution to secure the public sector — or any sector for that matter — continuous pentesting addresses these issues head-on. It can address the inherent build-up of risk that is common when organizations only test once or twice a year. Similar to the continuous integration and continuous delivery (CI/CD) concept in software development, continuous pentesting can constantly buy down that risk, making consistency a huge advantage.
Find out how to best drive desired outcomes using artificial intelligence and automation in our new ebook, sponsored by Maximus. Download today!
Here’s a breakdown of how continuous pentesting can fill the gaps facing the various subsets of the nation’s public sector.
Federal civilian agencies
Despite efforts to remediate these issues, federal agency leaders have been facing visibility problems for years. This is troublesome because it’s impossible to test and secure their environments without first understanding the breadth and depth of their attack surface.
Federal civilian agencies need an accurate inventory of their assets to develop a testing strategy. From there, CISOs and vulnerability management leaders have the foundation needed to explore options for shrinking and hardening the attack surface. Whether it’s implementing a plan for continuous common vulnerabilities and exposure (CVE) and known exploited vulnerabilities (KEV) scanning, developing an internal red team, or hiring an external vendor to conduct continuous penetration tests to identify and remedy gaps, choosing the right solution starts by understanding the complete attack surface.
Defense and intelligence communities
While defense and intelligence communities also have a large external attack surface, they face different challenges when it comes to penetration testing and vulnerability discovery. One notable recent challenge is COVID-19’s acceleration of the work-from-home trend, which spurred a wave of people building critically important software from home networks that are often woefully insecure.
This is when continuous testing by experts broke onto the scene as a security imperative, with vulnerability disclosures from the general public proving insufficient to address the authenticated nature of many unclassified applications and environments. The Defense Digital Service (DDS) recognized the need for ethical hackers and professional researchers to take a stab at its environment, and coined the “Continuous Bounty” program that’s still running today.
The value of continuous pentesting for the defense and intelligence communities cannot be overstated. A cross-domain pentesting capability enables organizations to securely transfer information between networks, especially in a complex threat landscape, and it encourages real-time reactions to threats posed by recently discovered vulnerabilities.
Software development teams in the defense and intelligence communities can reduce their time to remediation of vulnerabilities from days to hours, which is crucially important when considering the impacts of zero-days like Log4j, MOVEit and the new threat of adversaries’ artificial intelligence-enabled vulnerability hunting.
Any entities in the defense and intelligence communities still relying on traditional penetration testing methods are missing an opportunity to gain visibility and control over their environments and take back the power from adversaries.
Read more: Commentary
State, local and higher education (SLED) organizations
SLED organizations are natural targets due to the lack of federation and funding for their cybersecurity tools and teams. Because each dollar spent on cybersecurity takes a dollar out of services or education for the public, vulnerability management budgets are often neglected or rely on grants.
The challenges these organizations face typically depends on whether they’re operating on-premise or through the cloud. Ongoing scanning of suspected vulnerabilities is a great first step to get visibility into and shrink and harden the attack surface. When it comes to applications that use personally identifiable information (PII) to perform transactions, state and local governments should regularly perform penetration tests to assess the security of their environments and the third-party services they use as plug-ins.
For SLED organizations that have moved to the cloud or are in the process of moving, testing the workloads both pre- and post-migration is a best practice to go beyond basic compliance. From there, taking advantage of native cloud security tooling and continuously testing “crown jewel” applications to ensure vulnerabilities are discovered, patched and utilizing secure coding practices delivers a true understanding of application security.
The bottom line is that vulnerability exploitation in software is becoming the norm and executive system owners can no longer feign a lack of awareness. Cyber defenders may work around the clock to secure applications, networks, endpoints and more, but all it takes is one successful adversary to cause a breach that can have a major impact.
Public sector security leaders using continuous penetration testing as part of their security testing strategy can rest assured knowing that they’re taking a dynamic approach to testing their attack surface. That proactive mindset is table stakes when it comes to protecting the public’s PII and safeguarding our national security.
Katie Bowen is vice president and general manager for global public sector and defense at Synack.
Sign up for our daily newsletter so you never miss a beat on all things federal
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
Addressing the public sector’s penetration testing problems
New approach to penetration testing boosts software quality, security
The contractor cybersecurity locomotive picks up steam