WHAT IS FORAX TRADING?

It seems there might be a typo in your question. If you meant “Forex trading,” then it refers to the buying and selling of currencies on the foreign exchange market. Here’s a brief overview:

The forex (FX) market is a global decentralized, or over-the-counter (OTC), market for trading currencies. It is the largest financial market in the world, with trillions of dollars exchanged daily. Forex trading involves trading one currency against another in pairs. The most commonly traded currency pairs include EUR/USD (Euro/US Dollar), GBP/USD (British Pound/US Dollar), USD/JPY (US Dollar/Japanese Yen), and USD/CHF (US Dollar/Swiss Franc). The forex market operates 24 hours a day, five days a week, across major financial centers worldwide.

This continuous trading allows traders to respond to news and events that may affect currency prices. Forex trading often involves the use of leverage, which allows traders to control larger positions with a relatively small amount of capital. While leverage can amplify profits, it also increases the potential for losses. In forex trading, currencies are quoted in pairs, with a bid price (the price at which the market will buy a currency pair) and an ask price (the price at which the market will sell a currency pair).

Participants in the forex market include banks, financial institutions, corporations, governments, central banks, speculators, and individual traders. There are various trading strategies employed in forex trading, including day trading, swing trading, scalping, and position trading. These strategies rely on technical analysis, fundamental analysis, or a combination of both to make trading decisions. Risk management is crucial in forex trading to protect capital and minimize losses. Traders often use stop-loss orders, position sizing, and risk-reward ratios to manage risk effectively.

Forex traders use online trading platforms provided by brokers to execute trades, access real-time market data, and analyze charts and indicators. Forex trading is subject to regulatory oversight in most countries to ensure fair and transparent trading practices. Traders should choose regulated brokers to ensure the safety of their funds and adherence to regulatory standards. Forex trading offers opportunities for profit but also involves significant risks, so it’s essential for traders to educate themselves, develop a trading plan, and practice risk management techniques.

What is crypto trading?

Cryptocurrency trading involves the buying, selling, and exchanging of cryptocurrencies with the aim of making a profit. Here’s an overview of crypto trading:

  1. Cryptocurrencies: Cryptocurrencies are digital or virtual currencies that use cryptography for security and operate on decentralized networks based on blockchain technology. Bitcoin (BTC) was the first cryptocurrency, and since its inception, thousands of other cryptocurrencies, often referred to as altcoins, have been created.
  2. Trading Platforms: Crypto trading typically occurs on online platforms or exchanges that facilitate the buying, selling, and trading of cryptocurrencies. These platforms provide trading pairs, allowing users to exchange one cryptocurrency for another or for fiat currency (traditional currency like USD, EUR, etc.).
  3. Market Dynamics: Cryptocurrency markets operate 24/7, unlike traditional stock markets. Prices can be highly volatile, with rapid fluctuations driven by factors such as market demand, investor sentiment, regulatory developments, technological advancements, and macroeconomic trends.
  4. Types of Trading: There are several types of crypto trading strategies, including:
    • Day Trading: Buying and selling cryptocurrencies within the same trading day to profit from short-term price movements.
    • Swing Trading: Holding positions for a few days to weeks to capitalize on medium-term price swings.
    • HODLing: A long-term investment strategy where investors buy and hold cryptocurrencies with the expectation of significant price appreciation over time.
    • Arbitrage: Exploiting price differences of the same cryptocurrency across different exchanges to make a profit.
  5. Technical Analysis: Many crypto traders use technical analysis to analyze historical price data, identify patterns, trends, and key support/resistance levels to make trading decisions. Various technical indicators and chart patterns are employed to predict future price movements.
  6. Fundamental Analysis: Fundamental analysis in crypto trading involves evaluating the underlying factors that could affect the value of a cryptocurrency, such as its technology, adoption rate, development team, community support, regulatory environment, and potential use cases.
  7. Risk Management: Managing risk is crucial in crypto trading due to the high volatility of cryptocurrency markets. Risk management techniques include setting stop-loss orders, diversifying the portfolio, position sizing, and avoiding over-leveraging.
  8. Regulatory Considerations: Cryptocurrency trading is subject to regulatory scrutiny and varies in legality and regulation from country to country. Traders should be aware of regulatory developments and compliance requirements in their jurisdictions to avoid legal issues.
  9. Wallet Security: Cryptocurrency traders need to store their digital assets securely. This involves using reputable cryptocurrency wallets, implementing strong security measures such as two-factor authentication (2FA), and being vigilant against hacking attempts and phishing attacks.
  10. Education and Research: Successful crypto trading requires continuous learning, staying informed about market trends, news, and developments in the cryptocurrency space. Traders should conduct thorough research before investing in any cryptocurrency and be prepared to adapt their strategies to changing market conditions.

6 Reasons Businesses and Governments Fail to Run Penetration Testing

Poking and prodding your own network defenses helps reveal security gaps, so you can close them — before cyber threat actors discover and exploit them. This is the primary benefit of penetration testing and why it is a key step that a growing number of companies and government organizations now take to mitigate cyber risk.

This cybersecurity process is so important that the U.S. Congress recently introduced H.R.8403 — the Proactive Cyber Initiatives Act of 2022 — to mandate penetration testing for moderate to high-risk government systems, and to require federal agencies to report on proactive cybersecurity methods.

The end-goal of penetration testing (aka, “pen” testing) is to develop a more proactive approach, allowing a “red team” to find gaps before an attacker does. However, there are multiple questions to ask as you approach these engagements.

We’ll examine these important considerations in detail during this two-part blog series.

Some gaps uncovered during penetration tests may be both simple and crucial — such as finding software that has been “end-of-lifed” and is no longer supported by the vendor. Working with our clients, we often discover software that is vulnerable to attacks happening in the wild because it is missing the latest security patch or hotfix.

This type of security oversight is regularly uncovered in a pen test, and it represents a critical finding since it presents hackers with a wider range of potential attack vectors. Think of it like this: Your front door might have a deadbolt, but if that deadbolt is rusty or the faceplate is missing, a thief will have a much easier time getting into your home.

Other findings discovered during a penetration test vary in severity. However, each one potentially gives an attacker all they need — which is a single weakness to exploit.

Does your webpage limit the rate of login attempts? If not, hackers can pummel your site as many times as they wish to find the one security gap they need.

Is WebView debugging enabled? If so, this could allow a threat actor to obtain sensitive information or take over an affected user’s settings.

Does the application logout invalidate/revoke the session token? If not, a hacker could re-establish the session when the authorized user walks away from the computer after logging off.

These things are not an exhaustive list but rather form the start of what penetration testing can uncover in your environment to help you secure your government agency or organization.
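Two of the findings listed above, login rate limiting and server-side session revocation on logout, in code. This is an added illustration, not code from the BlackBerry post; the `AuthService` class, its `revoke_on_logout` flag (kept only to contrast the weak behaviour with the correct one) and the sample users are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class RateLimited(Exception):
    """Raised when a username has exceeded the allowed failed logins in the window."""


class AuthService:
    """Minimal login/session service (constructed for this example) showing two
    controls a pen test checks:
      - per-account rate limiting of failed logins
      - server-side revocation of the session token on logout
    revoke_on_logout=False reproduces the weak behaviour the finding describes;
    real code should always revoke server-side."""

    def __init__(self, max_failures=5, window_seconds=60,
                 revoke_on_logout=True, clock=time.monotonic):
        self._users = {}       # username -> (salt, pbkdf2 hash)
        self._sessions = {}    # token -> username (the server-side session store)
        self._failures = {}    # username -> timestamps of recent failed logins
        self.max_failures = max_failures
        self.window = window_seconds
        self.revoke_on_logout = revoke_on_logout
        self.clock = clock     # injectable so the window can be tested deterministically

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _recent_failures(self, username):
        # Drop failures older than the window; what remains counts against the limit.
        cutoff = self.clock() - self.window
        kept = [t for t in self._failures.get(username, []) if t > cutoff]
        self._failures[username] = kept
        return kept

    def login(self, username, password):
        """Return a session token, None on bad credentials, or raise RateLimited."""
        if len(self._recent_failures(username)) >= self.max_failures:
            raise RateLimited(f"too many failed logins for {username!r}")
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        if record is None or not hmac.compare_digest(self._hash(password, salt), stored):
            self._failures.setdefault(username, []).append(self.clock())
            return None
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        """Resolve a presented token; None means the session is not valid."""
        return self._sessions.get(token)

    def logout(self, token):
        """The weak variant only tells the client to drop its cookie; the correct
        variant also deletes the server-side entry so a replayed token is dead."""
        if self.revoke_on_logout:
            self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def demo_logout(revoke):
    """Log in, log out, then replay the old token. Returns the user the server
    still associates with it: None when revoked, 'alice' when the finding applies."""
    svc = AuthService(revoke_on_logout=revoke)
    svc.register("alice", "correct horse")   # constructed sample user
    tok = svc.login("alice", "correct horse")
    svc.logout(tok)
    return svc.user_for(tok)


def demo_rate_limit():
    """Three wrong passwords lock the account even for the right password;
    once the window passes, the correct password works again."""
    now = [0.0]
    svc = AuthService(max_failures=3, window_seconds=60, clock=lambda: now[0])
    svc.register("bob", "s3cret")            # constructed sample user
    for _ in range(3):
        svc.login("bob", "wrong")
    try:
        svc.login("bob", "s3cret")
        locked = False
    except RateLimited:
        locked = True
    now[0] += 61                              # advance the injected clock past the window
    recovered = svc.login("bob", "s3cret") is not None
    return locked, recovered


if __name__ == "__main__":
    print("token valid after logout (revoked):", demo_logout(True))
    print("token valid after logout (weak):   ", demo_logout(False))
    print("locked, recovered:", demo_rate_limit())
```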

Proactive penetration testing provides the strongest approach to maintaining a secure environment. While this can start at the software layer — say an AI-driven capability to catch malicious files before they execute — it also should include the appropriate people and processes to test, and who is in the best position to remediate any gaps they find in the security posture.

Regular testing will allow your organization to stay ahead of threats. It’s almost guaranteed that once you correct the gaps from one cycle of penetration testing, you’ll find other — and often different — vulnerabilities. The more you test, the more opportunity you’ll have to find and fix those gaps that will otherwise haunt you, should an attacker find them before you do.

Many organizations find that penetration testing is a great place to start and, as the tests become an integrated part of their security program, they often advance to breach simulations. While penetration tests find gaps in the “walls” of your environment, breach simulations go deeper to identify paths that a hacker might use once inside your defenses, to ultimately get to corporate or government agency data. After all, threat actors really want the same thing you do: your data.

Failure to properly pen test your environment leaves you more vulnerable than you need to be, and it can also impact your insurability and cyber insurance coverage. BlackBerry research recently discovered that more than one-third of organizations are denied cyber insurance because they lack security controls that insurers require, like endpoint detection and response (EDR). While EDR solutions such as CylanceOPTICS® from BlackBerry can be critical in the event of an attack, and endpoint protection platform (EPP) products such as CylancePROTECT® can do a great deal to prevent attacks from occurring in the first place, they are not substitutes for a rigorous pen testing program.

Because of mounting ransomware coverage losses, cyber insurance companies are taking a more stringent look at payouts, and adding exclusions to their policies. Some of these exclusions are based on who the threat actor is, and on the actions a company has taken to prepare itself to defend, identify, and contain cyberattacks. Penetration testing, breach simulation, “purple team” testing, tabletop exercises, and periodic assessments of a company’s security program, represent a few of the ways that companies can ensure they get the highest insurance payout if they are attacked, and at the same time, minimize their chances of being attacked successfully in the first place.

Organizations face many challenges that sometimes make penetration testing difficult to execute. Here are six common ones:

In summary, penetration testing greatly improves your security posture by revealing security gaps you can close — before attackers find and exploit them. It is one of the best ways to mitigate the risk of a successful cyberattack against your organization.

In Part 2 of our series, we’ll look at how to approach your red team efforts. This includes looking at what you should test, and how you should test, including understanding the differences between automated pen-testing and human-driven tests.

Richard Harsell is Senior Services Account Manager, Federal, at BlackBerry.

Cloud Apps Make the Case for Pen-Testing-as-a-Service


Applications are increasingly distributed, expanding companies’ cloud attack surfaces and requiring regular testing to find and fix vulnerabilities — and avoid the risk of a growing sprawl of services.

With enterprise applications defaulting to cloud infrastructure, application security testing increasingly resembles penetration testing across the distributed attack surface of the application — a similarity that is opening new markets for penetration-testing-as-a-service (PTaaS).

Rather than focusing on the edges of the network, PTaaS providers are focusing on cloud applications, which typically have three vectors of vulnerability: the application itself, the interconnections between applications, and the way the application changes over time. Accelerated development and events such as mergers and acquisitions tend to expand the attack surface area along all three vectors, but pen testing aims to keep pace with the changes.

Organizations need to lock down their cloud applications because attackers are already looking for remotely exploitable security flaws; the average firm has 11,000 exploitable security exposures in any given month, says Kelly Albrink, associate vice president of consulting at Bishop Fox, an offensive security firm.

“Organizations are going up against attackers with unlimited time [and] large amounts of resources, and they’re going for the lowest-hanging fruit first,” she says. “As these applications are getting more complex, and as the integrations are getting more complex, that just expands the opportunities for attackers and ways that they can get into an app or then, ultimately, any of the systems it’s connected to.”

Today Bishop Fox announced its Cosmos Application Penetration Testing (CAPT) service that combines pen testing with on-demand assessment and analysis services.

Cloud deployment has quickly become the standard for enterprise applications. By 2025, 95% of new digital workloads will be deployed to cloud-native platforms, up from 30% in 2021, according to business intelligence firm Gartner. Many of those workloads — up to 70% by 2025 — will not be traditional applications but low-code or no-code applications deployed through cloud services, Gartner stated.

The cloud and the applications deployed to cloud infrastructure are so intertwined that pen testers need to account for not only the security of the app, but the cloud platform and the application’s cloud configuration, says Caroline Wong, chief strategy officer at Cobalt.io, a PTaaS firm.

“Access control and configuration are fundamentally different between network and cloud, and these characteristics must be tested intentionally,” Wong says. “Cloud adoption leads to rapid increases in both the number of applications in a company’s software portfolio, as well as the frequency of changes for each of those applications.”

The largest share of security issues discovered during penetration tests — nearly 40% — are server security misconfigurations, such as a lack of security headers and insecure SSL and TLS cipher libraries, according to Cobalt’s “The State of Pentesting 2023” report.

From a vulnerability standpoint, Cobalt found that stored cross-site scripting (XSS), outdated software versions, and insecure direct object references (IDOR) are the most common vulnerabilities. Nearly all (94%) of the stored XSS vulnerabilities and 85% of IDOR vulnerabilities are medium severity or higher.

Yet over time, PTaaS customers see fewer medium, high, and critical flaws as a share of all the discovered issues, as the most serious issues are detected and fixed, the report stated.

The line between dynamic application security testing (DAST) and PTaaS has essentially disappeared as applications are deployed to the cloud. In many ways, the definition of an application has changed, says Bishop Fox’s Albrink. One of the firm’s clients asked the firm to test 30 applications, but when they walked through the scope of the pen test, they determined it was a single application with 30 different microservices, each managed by a different team in the company.

“We really recommend typically to do a holistic approach, so everything that an end user would be able to see and interact with is part of the app,” she says. “And that might include API endpoints, middleware, a firewall, [and] dozens of other systems on the back end, but they’re all being presented through kind of one user experience.”

Time is the final axis along which applications change. Security debt is very real and, especially in an agile development group, frequent security and penetration testing is necessary, says Cobalt’s Wong.

“For companies pushing code weekly or even daily, it’s likely not enough to keep up with the speed of change and likelihood of introducing new security vulnerabilities,” she says. “Every organization is going to have a limited budget, and we see these changes resulting in a shift of how security spend is allocated across offensive and defensive security controls.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.


Argus Cyber Security Opens New Automotive Penetration Testing Lab in North America

Argus expands its North American presence, leveraging its world-class automotive cyber security expertise and penetration testing capabilities to cater for local OEMs and Tier 1 suppliers.

DETROIT, April 3, 2024 /PRNewswire/ — Argus Cyber Security, a world leader in automotive cyber security, today announced the opening of its new penetration testing lab in Detroit, Michigan. This innovative test center enables Argus to meet the growing demand from North American OEMs and Tier 1 suppliers for local cyber security penetration testing services.

As today’s vehicles become ever more connected and software-dependent, vehicle manufacturers are taking steps to meet regional regulatory requirements and ensure their products are protected against cyber threats. Penetration testing is a common technique for identifying vulnerabilities in software and hardware throughout the development lifecycle. In this context, US vehicle manufacturers conduct penetration testing to validate and verify that their vehicles and components meet automotive cyber security regulations and standards, such as ISO 21434 and UNR 155.

Argus’ new penetration testing lab provides the resources, knowledge and testing infrastructure required to test hardware and software components. These local capabilities will help OEMs and Tier 1s meet tight production timelines and avoid time-consuming and costly logistics. Already up and running, the new lab leverages the proven methods and processes used in Argus’ existing penetration testing labs in Europe, Japan and Korea.

Argus offers a comprehensive and modular automotive penetration testing service comprising several packages, including ECU-Level penetration testing, Vehicle-Level penetration testing, code review and automated fuzz testing packages.

At the component level, the penetration testing service detects and reports vulnerabilities in an ECU’s interfaces, communications channels, and security measures. Argus’ fuzz testing tool enables automated and scalable penetration testing of ECUs and other systems, helping Argus researchers find zero-day vulnerabilities and configuration errors quickly and efficiently.

“To meet the rising need for automotive cyber security solutions among OEMs and Tier 1 suppliers, Argus is expanding its service operations in the North American market,” said Yehuda Kaufman, VP of Consulting & Research at Argus. “Our new penetration testing lab in Detroit will make it easier for local companies to take advantage of our extensive cyber security knowledge and top-notch testing capabilities, while also helping them accelerate project timelines.”

Argus, a global leader in automotive cyber security, provides in-vehicle and cloud-based cyber security technologies for automakers and suppliers, to ensure that vehicle components, networks and fleets are secured and compliant throughout their life cycle.

Argus’ innovative methods and solutions are based on decades of cyber security and automotive research and have culminated in over 100 granted and pending patents.

Founded in 2014, Argus is headquartered in Israel, with offices in USA, Germany, France, Japan, and Korea.

Rachel Pekin                         Vice President Marketing      E-Mail: [email protected]


PCI Compliance & the Importance of Penetration Testing | StateTech Magazine

Adam Stone writes on technology trends from Annapolis, Md., with a focus on government IT, military and first-responder technologies.

For state and local governments that accept credit card payments — and that’s virtually all of them — there is a deadline looming. By March 31, 2024, any organization that takes credit cards will need to comply with the latest version of the Payment Card Industry Data Security Standard, or PCI DSS 4.0.

Under version 4.0, it isn’t enough just to implement the right controls. Within the new standard, “there are requirements to make sure that you’re regularly monitoring them and testing them,” says Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf Networks.

Routine penetration testing can ensure that government agencies are meeting their obligations under PCI DSS. “The role of penetration testing is to help detect network and application vulnerabilities operating inside the network and to resolve these vulnerabilities,” says Ciske van Oosten, head of global business intelligence at Verizon and lead author of the Verizon 2023 Payment Security Report. “It’s important to test a network regularly.”

In support of secure credit card transactions, “PCI is an industry standard that basically regulates how credit cards are processed and sets forth a standard set of security requirements designed to ensure the protection of sensitive data associated with credit card payments,” says Alan Shark, executive director at the Public Technology Institute, a division of Fusion Learning Partners.

“This becomes particularly important to state and local governments, because government has far more sensitive data than perhaps any business and also accepts credit card payments,” he says. In government, “credit card payments through websites and through other transactions have become quite commonplace. How are we keeping up with it? What are the questions that local governments should be asking?”

By asking the right questions and implementing appropriate controls according to a defined standard, state and local agencies can go a long way toward improving security.

“If you’re compliant with PCI, it really does reduce the likelihood of data breaches and the reputational damage associated with that,” says Kayne McGladrey, IEEE Senior Member and field CISO at compliance management platform Hyperproof.

The 12 requirements under PCI DSS cover a wide range of technologies, according to Lauren Holloway, director of data security standards at the PCI Security Standards Council. The 12 items require IT teams to install and maintain network security controls, apply secure configurations to all system components and protect stored account data.

PCI DSS looks at the data aspects of credit card handling, an urgent need in the current technology landscape.

“So much data is stored digitally these days. PCI DSS is a recognition that we do have a digital economy at this point and that it’s essential to have controls at the digital level,” McGladrey says.

Government organizations need to protect systems and networks from malicious software; develop and maintain secure systems and software; and identify users and authenticate access to system components, among other things. And, they need to “test security of systems and networks regularly,” Holloway says.

The 12 key requirements include 78 base requirements, “as well as over 400 test procedures,” McGladrey says. In particular, PCI DSS testing includes requirements governing penetration testing, as part of an emerging emphasis on long-term security.

“In PCI 4.0, there is a new focus on long-term security processes. PCI used to be perceived as a one-and-done; you’d do it annually. This is much more about maintaining controls during the year,” McGladrey says.

Within that paradigm, PCI penetration testing evaluates the security of the cardholder data environment, as well as networks or systems connected to that environment. Through both automated and manual processes, “testers are looking for hidden vulnerabilities,” Shark says.

McGladrey adds that PCI DSS 4.0 builds upon the best practices established in PCI DSS 3.2.1.

“While internal resources may conduct penetration tests to discover exploitable vulnerabilities and security weaknesses, most organizations will likely hire a qualified penetration tester” to meet the 4.0 requirements, he says. “In both scenarios, organizations must outline, document and put into practice a penetration testing methodology that encompasses both internal and external testing across the complete cardholder data environment, which may also extend to APIs.”

According to the PCI Security Standards Council, the goals of penetration testing are “to determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data,” and to confirm “that the applicable controls required by PCI DSS — such as scope, vulnerability management, methodology, and segmentation — are in place.”

The council identifies three types of penetration tests: black-box, white-box and grey-box.

In a black-box assessment, the agency would provide no information before the testing starts. In a white-box assessment, “the entity may provide the penetration tester with full and complete details of the network and applications,” according to the Council. “For grey-box assessments, the entity may provide partial details of the target systems.”

PCI DSS penetration tests typically are either white-box or grey-box assessments. “These types of assessments yield more accurate results and provide a more comprehensive test of the security posture of the environment than a pure black-box assessment,” the Council notes.

Whichever form of assessment one chooses, “PCI penetration testing should be performed annually or when a major change is made in the infrastructure,” PTI’s Shark says.

“The scope of the test should include all systems, networks and applications that are part of or connected to the credit card processing entity. All tests and results or findings — including vulnerabilities, data exposure and system compromises — must be reported,” he says.

Encryption encodes human-readable text, “rendering it unreadable by anybody who should not have access to it,” says Arctic Wolf’s Manglicmot. “You want to do that because, if a hack occurs and those other controls break down, the hacker will only get the encoded version of the data and not a human-readable form of it.”

“The data relevant to payment card information needs to be encrypted,” Manglicmot says. “If they store any of that card data, they need to encrypt it while it’s in storage. When payment card data is being transmitted to the payment card company, they absolutely have to make sure that it’s encrypted in transit, and they should be making sure that the vendors and partners they use for that have encryption that meets PCI controls.”

These encryption requirements in turn have an impact on the ways in which penetration testing is conducted.

If a tester stores cardholder data obtained during the assessment, for example, “the data must be stored by the tester following the guidelines of the PCI DSS for the storage of account data,” meaning it either must be encrypted using strong cryptography, truncated or not stored at all, according to the PCI Security Standards Council.

Overall, encryption “needs to be in anything that stores or transmits payment card information,” Manglicmot says. “This includes web browsers and storage, if you’re storing it on any sort of hard drive or in the cloud. If you have a vendor that is processing that credit information, you need to make sure that you have a reputable one that is in compliance with PCI standards.”


Sprocket Security raises $8M to enhance cybersecurity penetration testing platform – SiliconANGLE

Expert-driven offensive security platform startup Sprocket Security Inc. today announced that it has raised $8 million in new funding to accelerate platform developments and expand sales and marketing initiatives.

Founded in 2017, Sprocket Security offers continuous penetration testing services that detect changes in an organization’s network, with human-driven testing to identify security risks. The company’s services include attack surface management and red and purple team exercises.

At its core, Sprocket enables security teams to validate their security posture continuously, understand their most complex risks and mitigate threat exposure with support from an expert team. Security teams use the service to monitor attack surfaces with advanced change detection. Upon changes being detected, testers and systems perform security testing and security teams are alerted and assisted in remediation efforts through the Sprocket Platform.

Sprocket’s continuous penetration testing also includes the ability to engage with testers using chat and status management. Users can generate report requests with a click of a button and monitor continuous testing activity across their attack surface.

Tracking includes the ability to monitor exposed hosts and services across a perimeter, revealing gaps in defenses that could be targeted by attackers. Users can audit their domains, subdomains and DNS infrastructure to reveal misconfigured or stale records that could make an organization vulnerable to common attacks like subdomain takeovers.

The company also offers attack narratives, allowing users to browse attack paths expert testers are taking and any resulting findings, allowing them to identify patterns in perimeter weaknesses. Users can validate their posture against real-world threat actors using expert testers targeting their organization with modern tactics, techniques and procedures.

Sprocket says its platform differs from existing automatic solutions through a hybrid approach. “We believe in the hybrid approach of human-driven testing supported by automation… it’s the only way to ensure comprehensive and up-to-date testing,” founder and Chief Executive Casey Cammilleri said. “This continuous approach is being increasingly understood and appreciated by our customers who have witnessed that fully automated solutions can’t fulfill all their pentesting needs.”

The Series A was led by Blueprint Equity LLC, with Capital Midwest Fund also participating. Blueprint Equity’s Vice President John Bonhard is joining Sprocket’s board. “Within an ever-changing cybersecurity landscape, the only constant is the presence of threat actors,” Bonhard said. “Constant vigilance, or penetration testing, is critical in understanding how and the extent to which vulnerabilities can be exploited by sophisticated hacker techniques.”


Why Penetration Testing Is The Perfect Career Move | EC-Council

Cybersecurity is a highly promising career choice today, with growing demand for information security professionals. The industry offers many opportunities, especially in specialized roles such as ethical hacker and penetration tester, which organizations actively seek to fill.

With the significance of pen testing gaining prominence, choosing this field or making a switch can be a rewarding career move.

Penetration testing is the process of evaluating the security of a network, a computer system (like a public-facing server), or an application by simulating potential attacks from hackers. Also known as pen testing, penetration testing helps identify vulnerabilities in target systems before attackers can exploit them.

More and more companies are adopting penetration testing as part of their cybersecurity arsenal. It is one of the best ways to protect sensitive data and other assets. When a vulnerability is exploited, it can lead to companies suffering financial loss and a damaged reputation.

Penetration testers help prevent those dire outcomes and keep company operations running smoothly. Moreover, since every new application, service, or system can potentially have unknown weaknesses, penetration testers quickly become highly valued information security workers.

Have you ever wondered, “What does a penetration tester do?” Penetration testers attempt to “penetrate” systems by simulating real-world attacks through a multi-step process. While the details vary depending on the system or application being tested, most pen testing follows the same high-level steps.

They start by mapping out the scope of a penetration test. The goal could be to test a company’s public-facing systems, a specific subset of those systems, or even internal systems. A reconnaissance phase follows, in which the penetration tester collects publicly available information. For example, employee names and email addresses might provide clues to a company’s format for account usernames.

Next, various automated scanning tools identify known weaknesses in the target systems. The penetration tester will follow this up with manual attempts at gaining access. If a vulnerability is found, the tester will attempt to achieve a higher level of access. This is known as privilege escalation, which helps quantify the severity of a weakness. Vulnerabilities that allow full administrative access are the riskiest, as a hacker would have unlimited access to a company’s data.

After testing, the pen tester documents their findings and makes security recommendations. The process will repeat regularly or after systems are updated.

Penetration testing is one of the most in-demand security skills. If you’d like to go down the penetration tester career path, it’s a good time. This is especially true if you work in an entry-level cybersecurity position.

Pen testers will be required for the foreseeable future. Every day, companies of all sizes undergo digital transformation, designing their business processes around electronic systems. Many more companies are moving into the cloud. That means sensitive enterprise data will be hosted on public-facing systems. More than ever, penetration testing is needed to find vulnerabilities before internet attackers exploit them.

Even if you are not looking for a career in penetration testing, it is still a valuable skill. Many types of cybersecurity jobs include penetration testing activities.

A network security analyst, for example, is primarily responsible for monitoring and analyzing network traffic. If they find suspicious activity in the logs, they might conduct penetration tests to assess the state of the network. This helps address previously unknown vulnerabilities before exploitation (QA Source, 2022).

IT workers in the application development space might also need pen testing skills. In particular, DevSecOps professionals need to test application security regularly. Application security testers focus on identifying vulnerabilities specific to web and mobile apps. Pen testing is also a normal part of their routines, and it is common for former application developers to move into a pen testing career, thanks to their knowledge of app vulnerabilities (Guard Rails, 2023).

Cybersecurity managers should be familiar with how to do penetration testing. Even though their primary function is to oversee security teams, penetration testing experience helps them lead effectively. Having pen testing experience shows the rest of the team that they understand real-world security issues and fixes.

Several paths can lead to a career in penetration testing. Having a degree in information security or related disciplines is a great start. However, there are other ways into the role.

Networking knowledge and experience often lead to a pen-testing career. As previously mentioned, many cybersecurity roles include some form of penetration testing. IT managers commonly ask their top team members to take on the task, especially if they already work in a network or security role.

You could apply for a penetration testing job, even without specific experience. However, several training courses and certification tracks can be advantageous. Gaining experience in a class with practical labs will better prepare you for the penetration tester career path.

Part of the reason there are so many avenues to start a career in penetration testing is that the position is in demand. IT departments in nearly all industries are looking to add to their pen-testing staff (Cyberseek, 2022).

The U.S. Bureau of Labor Statistics estimates that demand for information security analysts (including penetration testers) will grow 35% by 2031 (U.S. Bureau of Labor Statistics, 2023). The typical penetration tester’s salary is very competitive, with average compensation of $94,000; most penetration testers’ salaries range between $86,000 and $107,000 (Salary.com, 2023).

Finding the right certification course that equips you with real-world skills and knowledge is important. EC-Council’s Certified Penetration Testing Professional (C|PENT) course teaches you to take your skills to the next level.

The C|PENT program teaches you how to perform effective penetration testing at an enterprise level. Instead of focusing strictly on book learning and theoretical concepts, the C|PENT gives you real-world experience in a live practice range. You will learn all the latest penetration testing techniques for Internet of Things (IoT) devices, cloud apps, networks, firewalls, and others.

More advanced topics include bypassing a filtered network, penetrating operational technology (OT), accessing hidden networks with pivoting, evading defense mechanisms, and much more. EC-Council’s course includes dynamic ranges for practical, hands-on experience that translates into the real world of penetration testing. As technology and targets continue to evolve, so does the training on the C|PENT course.

If you are interested, review the course outline from the EC-Council to learn more about the program and C|PENT certification. An exciting career awaits you.

1. Cyberseek. (2022). Cybersecurity supply/demand heat map. https://www.cyberseek.org/heatmap.html

2. GuardRails. (2023). From penetration testing to appsec/devopssec: A guide to staying ahead of the curve. https://www.guardrails.io/blog/from-penetration-testing-to-appsec-devsecops-a-guide-to-staying-ahead-of-the-curve/

3. QA Source. (2022). Network penetration testing. https://blog.qasource.com/es/network-penetration-testing

4. Salary.com. (2023). Pen tester salary. https://www.salary.com/research/salary/recruiting/pen-tester-salary

5. U.S. Bureau of Labor Statistics. (2023). Occupational outlook handbook: Information security analysts. https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm

Leaman Crews is a former newspaper reporter, publisher, and editor with over 25 years of professional writing experience. He is also a former IT director specializing in writing about tech in an enjoyable way.

CEH vs PenTest+ | Ethical Hacking is NOT Penetration Testing | EC-Council

As this article shows, the comparison of CEH to Pentest+ is misleading. In a nutshell, you would not compare a cake to flour, as it makes no sense to compare an entire dish to a single ingredient. Ethical hacking on its own is NOT pen-testing.

Penetration testing focuses on the security of the specific area defined for testing. Ethical hacking is a comprehensive term and penetration testing is one of the functions of the ethical hacker.

Perhaps due to the popularity of its name, CEH has been incorrectly perceived to be a penetration testing course. It is not. EC-Council’s CEH course is a catalyst that can lead a learner to a variety of jobs in information security, not just penetration testing.

In many organizations, ethical hackers are not even involved in penetration testing teams or processes. Across many government organizations, ethical hacking is used to build the foundations of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) teams. While these teams are highly offensive and very specialized, they will never be part of a penetration test. Their tactical cyber skills are highly coveted and take years to develop. In other organizations, ethical hackers are used for a wide variety of job functions to augment networks and the methods by which tools and protocols communicate. Some are technicians for intrusion prevention teams, SOC II incident handlers, threat hunters, etc. Ethical hacking indeed has a part in pen-testing, but that is just a piece. Ethical hacking on its own has grown into a very exciting, dynamic profession over the past 15 years and truly stands on its own.

If you are looking to compare EC-Council’s pen-testing program to another, you should compare it to ECSA instead.

As the IS/IA profession matures, the core functions of the Information Security professional mature as well. Many companies have dedicated teams to handle the various aspects of cybersecurity, from Network and Sys Admins to Audit teams, SOC teams, Threat analysts, Incident Response and Handling, etc. Due to the scope required to protect systems and their critical role in organizational success, many companies outsource certain elements of their cybersecurity programs to third-party service providers with the proper expertise.

Ethical hacking is a practice. The skills employed by an ethical hacker allow them to practice a continuous assessment cycle of an organization’s security posture by employing the same tools, methods, and techniques of a cybercriminal (malicious hacker). Ethical hackers often have deep knowledge of the organization and its vulnerabilities, as well as its vulnerability management approach. Understanding possible weaknesses, they then utilize the same methods and tools a malicious hacker would use to exploit the weaknesses. This process allows organizations to test systems, vulnerabilities, security measures, policies, etc. to help identify risk, setup countermeasures, deploy defensive resolutions to problems, etc. The very nature of hacking is to use a system in ways it was not intended to be used to produce an outcome not expected by design.

Penetration testing is a coordinated assessment process, usually performed by a contracted team. The organization defines the scope of what is to be tested and reported. The test involves a variety of items, but in simplified terms, an individual or team under contract approaches a system, assesses the entire system for vulnerabilities or weaknesses through a predefined methodological approach, and in many cases exploits those vulnerabilities in a controlled manner to identify the risk to the organization. From this point, the pen-tester prepares a comprehensive report that includes an executive summary and vulnerability classification documents describing the issues in the tested system, along with exploitation records showing what threat those vulnerabilities, if exploited, pose to the organization. Paired with an understanding of the business value of the system, exploitation results can help establish a risk score or matrix. With the executive summary, vulnerability classification, and exploitation results, recommended remediation strategies can be documented and shared in detail with key organization stakeholders in the form of a pen-test report.

Penetration tests are valuable for a variety of reasons, the most common being security maturity and risk management. They are a proactive approach many organizations take to identify their own weaknesses before cybercriminals do. Most commonly, however, penetration tests are used for compliance auditing. For example, for a publicly traded company subject to SEC filing, the quarterly and annual financials reported to the SEC must be accompanied by an independent security audit validating the integrity of that company’s systems. That independent security audit is a penetration test report.

As established above, penetration testing, commonly referred to as pen-testing, is a coordinated, contracted, well-defined process that employs a variety of elements from scope identification and agreement, vulnerability assessment and classification, exploitation, documentation, report writing, risk analysis and categorization, and communication. The baseline skills for each of the aforementioned items must be considered to develop these skills in an individual or a team. EC-Council has been in the business of building penetration testing capabilities for companies all over the globe for the last 15 years.

Many consulting firms consider their pen-testing practices as proprietary and offer independent third-party penetration testing as a service in a common consulting engagement. Companies who decide to build this capability in house employ pen-testing as a continuous process for IT/IS Security Management to reduce risk and maintain a superior position with their cybersecurity programs. Once capable teams are assembled, companies can reduce their reliance on third-party assessors and increase the frequency of internal testing and consequently their cybersecurity posture and maturity.

Whether you are considering building pen-testing capability in an individual or a team, the baseline practical knowledge requirements are the same. Individually or collectively as a team, the pen-test process requires a variety of knowledge, skills, and abilities. At EC-Council, we have found that many companies are trying to transition from an IT team that supports the business and outsources nearly all elements of cybersecurity, or that has some fundamental cyber practice, to developing and maturing their cybersecurity capabilities in-house. Some organizations are looking to develop the practice to provide cybersecurity consulting services; some have mandated that these skills be validated and developed within their teams, as is the case with the United States Department of Defense and all contractors that work with it. DoD provides the skills requirement guidance under DoD Directive 8140 and the new CMMC review processes.

Let’s have a look at how EC-Council develops skills that penetration testers need. We break the core skills down into our Penetration Testing Track focusing on three primary skill areas: Secure Operations, Ethical Hacking, and Security Analysis.

EC-Council’s Certified Network Defender (CND) is really our entry point into tactical roles for cyber professionals. CND covers the basics of cybersecurity defense. The program covers the operating environment for cybersecurity: how information systems function, what role technology plays in these systems, and how hackers exploit them. Securely provisioning, operating, and maintaining IT systems is paramount to the success of any program. When weaknesses are found in the pen-testing process, it is often this line of defense that is tasked with deploying countermeasures and monitoring systems to ensure risk is remediated.

The second core skill consideration is ethical hacking, covered by our Certified Ethical Hacker program, in which individuals learn the tricks of the trade in hacking. The word ‘ethical’ in ethical hacking indicates that many of the same techniques used by malicious cybercriminals are used intentionally by paid professionals to test systems in the same way hackers exploit them: unearthing weaknesses and exploiting them with the intention to measure and remediate. Ethical hacking is offensive by nature; professionals proactively seek out and hack into their own organization (or organizations they are under contract with) with the sole purpose of identifying, qualifying, measuring, and documenting the vulnerabilities and risk the company or organization has. Ethical hacking as a practice often focuses on a single system or vulnerability. Commonly referred to as red teaming, cybersecurity teams will intentionally exploit a weakness, such as brute-forcing a password, performing SQL injection on a web form to break into a web server or database server, or exploiting a zero-day in an unpatched operating system to establish command-line access to a machine or environment. Simply put, ethical hackers are the professionals you call when you need to break in or want to see how hackers might break into your own organization. They are professionals at attacking systems from a variety of different angles to gain access and maintain it.

The third core skill consideration in establishing pen-testing capability is security analysis. EC-Council’s ECSA, or Certified Security Analyst, program dives deep into the penetration testing and security analysis process. In the previous two focus areas, network defense and ethical hacking, we established secure network provisioning and operation, as well as the skills needed to break in through the 5 phases of ethical hacking. With ECSA, those skills all get tied together. ECSA teaches how to take the attack vectors, vulnerability classification systems, contracting process, and report writing and distill everything into actionable intelligence. This is the report-building process of penetration testing. ECSA candidates apply the skills learned in CEH to uncover vulnerabilities, exploit them, document and classify them, and roll them up into a robust, comprehensive pen-test report. Taken together, ECSA focuses on the entire organization’s security posture, developing analysis methods to uncover problems across the entire org, then employing the skills of ethical hacking to dive into each vulnerability found and attack the target systems (exploitation) to derive a picture of risk. The comprehensive reporting process sets an effective communication standard that demystifies complex cybersecurity challenges into a risk matrix that key stakeholders in the organization (non-cybersecurity professionals) can understand and act on for the benefit of the organization.

A standing discussion in the training and certification world is the role of practicals, or performance-based assessment. A key example is a driving test. Students are trained on the rules of the road, given a written assessment to ensure they understand the rules, then taken out with a driving instructor to demonstrate that they can physically operate the vehicle and follow the rules learned in their training. A student may ace the written exam and then plow right into the parking cones when trying to park the vehicle safely. The only way to overcome this is to spend time in the car and learn how the vehicle turns, accelerates, and stops. Eventually, the student masters operating the vehicle and passes the practical portion.

With more complex topics like cybersecurity, it has historically been difficult to measure skills (the driving experience). Traditionally, multiple-choice questions (MCQs) have been the most prevalent method of testing knowledge. Certification bodies like EC-Council have added difficulty to MCQs by creating performance-based questions requiring students to compute answers or use frameworks to derive answers. Others have incorporated simulations into their exams, adding software to provide some performance measures in a controlled setting. At EC-Council, we didn’t find any of these methods effective enough to test skills. They do a great job of assessing knowledge, and there is a place for that, but for those looking to truly measure skills, we have to turn to a more complex method of assessment using real cyber environments, not simulators or interactive animations. To this end, EC-Council has developed what we call Master Certification Tracks. Master tracks combine the MCQ assessment with a comprehensive practical conducted on an actual cyber range. The range provided by EC-Council’s iLabs division gives students on-demand access to data center environments where virtual machines are used in combination with curated networks, attack files, evidence files, network traffic, and vulnerable targets such as websites, operating systems, routers, etc. Students are tasked with deploying the knowledge they gained in class and were measured on in their MCQ exam in a real data-center-based network. Successfully demonstrating skills unlocks secure files, flags in the system that are submitted to our scoring network, proving the student accomplished the performance tasks being measured. Candidates who hold Master Certifications have demonstrated their knowledge by passing the MCQ and demonstrated the application of that knowledge, or skills, in a measured practical in a live cyber range environment. Simply put, they know how to do it, and have proven they can do it.

What PCI DSS 4.0 means for pen testers | SC Media

The next version of the Payment Card Industry Data Security Standard goes into effect over the next 18 months. Because the new standard requires more documentation about methodology and means, penetration testers may find themselves under greater scrutiny from the organizations that hire them.

On the positive side, the updated standard may mean better business for pen testers. PCI DSS 4.0 widens the scope of PCI pen tests, allows pen testers more leeway in how tests are conducted and explicitly requires that follow-up pen tests be conducted to verify that vulnerabilities have been remediated.

The overall framework of penetration testing for PCI DSS compliance stays mostly the same. PCI pen testing should take at least three approaches: an external black-box test, an internal test in which the pen tester tries to get into the cardholder data environment (CDE) from other parts of the network, and an internal test from inside the CDE itself.

Required PCI pen testing is still just once a year for most merchants, and twice yearly for service providers. More frequent pen tests are required if there is a security incident or, as the PCI DSS requirements and testing procedures state, “any significant infrastructure or application upgrade or change.”

But PCI DSS 4.0 introduces stricter requirements to verify the safety of online payment pages and web-based applications. It also adds an explicit requirement that cloud service providers give pen testers access to their clients’ cloud assets. We’ll go over both those details, plus requirements about documentation and retention of records, below.

The most significant innovation in PCI DSS 4.0 is the ability for entities — i.e., any organization that must comply with PCI DSS — to choose “customized approaches” for individual requirements.

Customized approaches may seem like an expansion of the “compensating controls” loophole that previous versions of PCI DSS offered if a company couldn’t quite meet the exact details of a particular requirement for technical reasons.

Compensating controls still exist in PCI DSS 4.0, but customized approaches are optional and offer something much better: a way for organizations, if capable, to meet individual PCI DSS requirements on their own terms rather than by sticking to the prescribed “defined approach.” This is ideal for companies that have complex architectures or that must comply with many different regulatory frameworks.

“Unlike compensating controls, which are used when organizations have a constraint and are unable to meet the requirement as stated, the customized approach is for entities that choose to meet the requirement differently than is stated,” explained Lauren Holloway of the PCI Security Standards Council in an official blog post.

A customized approach gives pen testers more flexibility in how to conduct a pen test on a particular requirement as long as everything about the customized approach, and the test, is documented down to the smallest detail.

Because PCI DSS 4.0 requires that each planned customized approach be subjected to a targeted risk analysis by March 31, 2024, it’s possible that pen testers may be asked to conduct or assist with that process in the next few months.

PCI DSS 4.0 adds new requirements covering payment pages and web apps. Requirement 6.4.2, which goes into effect in 2025, mandates the use of an automated tool to detect and prevent attacks on web applications.

This replaces an older requirement (6.6 in PCI DSS 3.2.1, 6.4.1 as a one-year temporary option in PCI DSS 4.0) that web apps merely get vulnerability scans. By implication, web apps now need to be actively pen-tested.

According to Clone Systems Senior Security Engineer Tom Nianios, this puts application programming interfaces (APIs) into the scope of PCI compliance pen tests. He suggests using the Open Worldwide Application Security Project (OWASP) Top Ten framework as a guide.

“Before, APIs were kind of the secure thing that no one can compromise,” says Nianios. “But now, APIs are within scope. So you need to test the web-application API, and you need to test the web application, obviously, with the OWASP standard.”

There’s also a brand-new requirement, 6.4.3, mandating all organizations that maintain online payment pages to manage, verify and inventory all scripts running on those pages, and to block unauthorized code or scripts.

Another new requirement (11.6.1) says that entities must implement a “mechanism,” either manual or automated, to check payment-page content and HTTP headers at least weekly for evidence of tampering and unauthorized changes.
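Requirements 6.4.3 and 11.6.1 together describe a concrete mechanism: keep an authorised inventory of the scripts on the payment page, then periodically compare the live page and its HTTP headers against that inventory. The following is an added example written for this page, not SC Media's or the PCI Security Standards Council's code: it fingerprints external scripts by source and integrity attribute, inline scripts by SHA-256, and watched headers by value, then diffs a constructed "this week's fetch" against a constructed baseline. Every URL, hash and header value is made up for the example.

```python
"""Payment-page script inventory and tamper check (added example; not SC Media's
or PCI SSC's code). Models PCI DSS 4.0 requirements 6.4.3 (inventory and
authorise scripts) and 11.6.1 (detect changes to page content and HTTP headers).

Assumptions: page HTML and response headers are supplied as a string and a
dict so the check runs offline; all URLs, hashes and header values are constructed.
"""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple

Script = Tuple[str, str, str]  # (kind, identity, integrity attribute)

# Constructed baseline: the authorised state of a hypothetical checkout page.
BASELINE_HTML = """<html><head>
<script src="https://js.payment-processor.example/v1/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="card"></form></body></html>"""

BASELINE_HEADERS: Dict[str, str] = {
    "content-security-policy": "script-src 'self' https://js.payment-processor.example",
    "strict-transport-security": "max-age=31536000",
}

# Constructed later fetch: an unauthorised third-party script appeared and the CSP was loosened.
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://cdn.stat-collector.example/s.js"></script>\n</head>',
)
CURRENT_HEADERS: Dict[str, str] = {**BASELINE_HEADERS, "content-security-policy": "script-src *"}

# Headers whose change on a payment page should always be reviewed.
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security")


class ScriptInventory(HTMLParser):
    """Collect external scripts as (src, integrity) and inline scripts as a SHA-256 digest."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Script] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            # No integrity attribute is itself worth flagging for an external script.
            self.scripts.append(("external", a["src"], a.get("integrity") or "none"))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            digest = hashlib.sha256("".join(self._buf).encode("utf-8")).hexdigest()
            self.scripts.append(("inline", "sha256:" + digest, "n/a"))


def inventory_scripts(html: str) -> Set[Script]:
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return set(parser.scripts)


def check_payment_page(baseline_html: str, baseline_headers: Dict[str, str],
                       current_html: str, current_headers: Dict[str, str]) -> List[Tuple[str, object]]:
    """Diff the current page against the baseline; an empty list means nothing changed."""
    base, cur = inventory_scripts(baseline_html), inventory_scripts(current_html)
    findings: List[Tuple[str, object]] = []
    for script in sorted(cur - base):
        findings.append(("script added", script))       # unauthorised until reviewed
    for script in sorted(base - cur):
        findings.append(("script removed", script))
    for header in WATCHED_HEADERS:
        before, after = baseline_headers.get(header), current_headers.get(header)
        if before != after:
            findings.append(("header changed", (header, before, after)))
    return findings


if __name__ == "__main__":
    for kind, detail in check_payment_page(BASELINE_HTML, BASELINE_HEADERS, CURRENT_HTML, CURRENT_HEADERS):
        print(kind, detail)
```

In production the baseline is the reviewed inventory with a written justification per script, and the comparison runs at least weekly as 11.6.1 requires, with any non-empty result routed to the change-management process.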

Scott Goodwin, a principal in the cybersecurity and privacy advisory at consulting firm PKF O’Connor Davies LLP, suggests that pen testers try to manipulate payment pages directly.

“Penetration testers can use tools like BurpSuite to manipulate requests to payment pages in an attempt to inject malicious code,” he says, “and tools like SQLMap and SMBMap to identify and manipulate data stored in databases and on file shares, respectively.”

PCI DSS 4.0 puts greater emphasis on network segmentation. It clarifies in requirement 11.4.5 (replacing requirement 11.3.4 in PCI DSS 3.2.1) that annual pen tests be conducted “according to the entity’s defined penetration-testing methodology” to, as before, confirm that the segmentation works properly to isolate “all out-of-scope systems” from the CDE. PCI DSS 3.2.1 was less stringent in this respect, asking only that pen testers verify segmentation as part of their testing procedures.

The requirement adds a new spin: Segmentation pen-testing must also confirm the isolation of “systems with differing security levels,” an aspect not present in PCI DSS 3.2.1.

That in turn references requirement 2.2.3, which mandates that “primary functions with differing security levels that exist on the same system component are isolated from each other” or “are all secured to the level required by the function with the highest security need.”

This is a bit looser than PCI DSS 3.2.1 requirement 2.2.1, which mandates that primary functions with different security levels should not be on the same server at all. PCI DSS 4.0 retains that as an option but not an absolute requirement, perhaps showing a bit more faith in the ability of segmentation to properly separate components.

Cloud assets, including web apps, and cloud-based virtual servers have always been within the scope of PCI pen tests if they held or touched the CDE. But PCI DSS 4.0 should make it easier to access those assets if they’re on “public” clouds run by the likes of Amazon Web Services, Microsoft Azure or Google Cloud Platform.

The new requirement 11.4.7 states that “multi-tenant service providers” — which includes cloud service providers (CSPs) — must “support their customers for external penetration testing.” The multi-tenant service providers must also either show their clients documentation that a pen test has been done, or let their clients perform their own pen tests.

This was likely added because historically, some CSPs haven’t liked third-party pen testers poking around in their systems. PCI DSS 4.0 removes any doubt that CSP customers have a right to get someone to pen-test their own assets in someone else’s cloud.

There are strings attached, however. Cloud systems are obviously very different from on-prem systems, even those running virtual servers, and learning to navigate them may require additional training.

“[The cloud] is a new set of skills. And it is a new set of methodologies,” says Nianios. “However, it’s easier [to pen test], in my opinion, because all the security controls that they had in place on-site, all these layers that they’ve added over the years, they don’t exist over there [in the cloud].”

Pen-testing a third party’s cloud assets could cause legal trouble, too. Before a pen-testing firm goes into a client’s assets on a third-party public cloud, it needs to thoroughly understand the specific shared-responsibility agreement between the client and the CSP (perhaps better than the client does), and to establish exactly where the red lines marking the beginnings of CSP responsibility are.

Pen testers “really need to dig into the licensing and contractual agreements that that organization would have with the cloud provider,” explains Jason Stockinger, Director of Global Information Security at Royal Caribbean Group. “For example, if you’re doing infrastructure as a service, [the cloud provider] is not going to allow you to pen-test past a certain point. If you start probing that, it’ll be a breach of contract.”

PCI DSS 4.0 requirement 11.4.1 is an update of PCI DSS 3.2.1 requirement 11.3 and clarifies that the complying entity must define, document and implement a pen-testing methodology. It’s a bit less stringent in that it lets the entity figure out the methodology.

That methodology doesn’t have to be a cookie-cutter version of a standard pen-testing framework like OWASP or the Open-Source Security Testing Methodology Manual (OSSTMM) — many pen testers mix and match parts from different methodologies — but it has to be documented and defined.

The requirement also states that the means of pen-testing the network, from both inside and outside, must be documented, and it clarifies that the attack vectors and vulnerabilities defined in requirements 6.2.4 and 6.3.1 must be addressed.

Pen testers will have to show that they tried to get in via “injection attacks, including SQL, LDAP, XPath” and attacks on “data and data structures”, “cryptography usage,” “business logic,” “access control mechanisms” and so on, and that commonly known vulnerabilities are also addressed.
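The SQL-injection class named above is the one a reviewer can most easily show in working code. The following is an added example, not code from the article or from any of the people quoted in it: a lookup written with string concatenation sits beside the same lookup written with a bound parameter, and a small check runs a constructed probe string through both and reports whether the concatenated version returned rows a literal match would not have. The `accounts` table, its three rows and the probe strings are all constructed for the illustration.

```python
"""Injection-test illustration: a vulnerable query next to its parameterized
replacement, run against an in-memory SQLite table with constructed data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with a few constructed (hypothetical) accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, role) VALUES (?, ?)",
        [("alice", "merchant"), ("bob", "merchant"), ("cde-admin", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' pattern: concatenation lets the input rewrite the query."""
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: the driver binds the value, so it is only data."""
    return conn.execute(
        "SELECT username, role FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def injection_check(conn: sqlite3.Connection, probe: str) -> dict:
    """Run the same probe through both query styles and report whether the
    concatenated query returned rows that a literal match did not. This is the
    kind of per-input evidence a documented methodology covering 6.2.4 records."""
    literal = lookup_parameterized(conn, probe)
    vulnerable = lookup_vulnerable(conn, probe)
    return {
        "probe": probe,
        "literal_rows": len(literal),
        "vulnerable_rows": len(vulnerable),
        "injectable": len(vulnerable) != len(literal),
    }


if __name__ == "__main__":
    db = make_db()
    # A benign username matches one row either way; the tautology probe
    # (constructed) returns every row from the concatenated query only.
    for probe in ["alice", "' OR '1'='1"]:
        print(injection_check(db, probe))
```

The point for the report is the last field: the parameterized lookup returns no rows for the probe because there is no such username, while the concatenated lookup returns the whole table, which is exactly the discrepancy a tester documents and the developer closes by switching to bound parameters.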

Requirement 11.4.4 clarifies that every vulnerability documented in the final pen-test report must be remediated, no matter how small. The means of remediation must be documented, and then a second pen test must be performed to verify those remediations. Previously, PCI DSS 3.2.1 required only that “testing is repeated to verify the corrections.”

Requirements 11.4.2b and 11.4.3b are the least fun parts. They add to their PCI DSS 3.2.1 predecessors (11.3.1b and 11.3.2b) by mandating that the complying entity not only verify that a “qualified internal resource or qualified external third party” carries out the pen test, but also interview the personnel involved as part of the verification process. Likewise, requirement 11.4.5c (replacing 11.3.4c) specifies that segmentation pen-testers be interviewed.

In other words, third-party pen testers may have to sit down and be grilled about how they conducted the tests, how they got into systems, what they found, and so forth.

The requirement is vague enough that a detailed pen-test report presented at an in-person meeting with the client may qualify as an “interview” as long as the client asks questions, but it might be best to bring along some of the front-line pen-testers just in case. It definitely means that pen testers will need to document every step of the pen-testing process if they’re not doing so already.

For the post-test period, PCI DSS 4.0 states in a bullet point in requirement 11.4.1 that all notes, records and reports from a PCI compliance pen test must be retained for at least 12 months. The length of the retention period wasn’t specified in PCI DSS 3.2.1.

The requirement doesn’t say whether the pen tester or the entity should be the one holding on to the records, but if they don’t have them already, firms that carry out PCI compliance pen tests may need to build secure storage systems that can easily retrieve such documents upon demand.

Finally, a social-engineering pen test is still not part of the PCI DSS requirements, but it may be more important than ever — especially when it comes to staffers who have privileged or administrative access to the CDE.

In well-defended organizations, such employees may be a weaker point of defense than the CDE itself. But pen-testing firms might have trouble getting their clients to pay for a social-engineering pen test until the PCI SSC makes it mandatory.

“While PCI DSS 4.0 does not explicitly require social engineering as a component of penetration tests, it is still one of the most common ways organizations are initially breached,” says Goodwin. “From a purely risk-based perspective, it makes sense for any organization processing cardholder data to engage in periodic adversarial social-engineering exercises.”

Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
