Penetration testing can be thought of as a dynamic insurance policy. But while chief digital officers are well aware of the value of insurance, pen testing is intimidating in a way that buying a policy is not.
“Penetration testing is a controlled attack simulation that helps identify susceptibility to application, network, and operating system breaches,” says the website of the U.S. Department of the Interior's Office of the CIO. “By locating vulnerabilities before the adversaries do, you can implement defensive strategies to protect your critical systems and information.”
This sounds like a good practice, and it is. But for many executives, pen testing seems more like a trip to the dentist.
The DOI's Office of the CIO describes the pen testing service of its ISSLOB (Information Systems Security Line of Business) this way: “It provides a real-life snapshot of your security controls' effectiveness. OCIO’s professionals are experts in the latest attack methods and techniques used to exploit information systems.”
Pen testing is a proactive measure and, while it can produce discomfort, holds great value for the enterprise. Think of it as flossing: essential maintenance to prevent further difficulties in the future.
But successful pen testing often evokes comparisons to root canal work. Pen testers presenting their findings to the board often find themselves the least popular people in the room.
“Our team attempts to break into your network to find vulnerabilities before attackers do,” says the DOI's website. “This unique process identifies vulnerabilities and threats; tests the reaction and identification capabilities of your agency; and provides a measurement of continuous improvement.”
Note the language here: “attempts to break into your network.” Hiring a pen tester means giving someone written permission to do what would otherwise be a crime: attempt to break through your cyber defenses. That authorization, and the scope and time window it defines, is what separates a test from an attack.
Yes, it's intimidating. And you want to be sure that the pen testing firm you hand that permission to is reputable. To that end, Singapore recently began licensing cybersecurity service providers.
The Singapore solution
“Singapore launched a new licensing framework for cybersecurity service providers on April 11, giving existing vendors six months to apply for a license or cease providing such services,” said an article on CNA.
“The licensing framework aims to provide greater assurance of security and safety to consumers, said the Cybersecurity Agency of Singapore (CSA) in a press release on Monday,” said the CNA article. “The agency has also set up a Cybersecurity Services Regulation Office (CSRO) to administer the licensing framework and facilitate liaisons with the industry and wider public on all licensing-related matters.”
According to the press release: “[The] CSA sought industry feedback on the proposed license conditions and draft subsidiary legislation through a 4-week consultation process from 20 September to 18 October 2021.” The CSA release said that “a total of 29 responses were received from a mix of local and foreign industry players, industry associations, as well as members of the public.”
“For a start, CSA will license two types of cybersecurity service providers, namely those providing penetration testing and managed security operations center monitoring services,” said the release. “These two services are prioritized because service providers performing such services can have significant access into their clients’ computer systems and sensitive information.”
Rules and regs
Government regulation of cybersecurity providers sounds like a good practice, but what does Singapore's recent announcement indicate? “This Singapore [initiative] is simply a background check,” says Richard Stagg, director and managing consultant for Hong Kong's Handshake Networking. “A check that the company doesn't have a history of malfeasance and that the key individuals, likewise, don't have criminal records. Essentially a bit of due diligence relating to the vendor engagement process.”
The Handshake director, whose firm provides network security services (including pen tests) to multinational corporations in Hong Kong and globally, analyzes the new initiative from a vendor and security standpoint. “There's no competence-checking component,” he says, “so it's not to winnow out the good pen testers from the bad or give the potential clients any feeling of assurance that their pen tests will be done properly.”
Stagg sums up what a listing under the Singapore scheme actually tells a prospective client:
“Any company on this list:
(1) will have paid a token amount to be there
(2) will have a clean record
(3) will not necessarily be in any way skilled, capable, competent, or fit-for-purpose.”
“This tells me all that Singapore actually wants is a list of companies and people who are providing this kind of service,” says the Handshake director. “I would love it if they went further and added an exam or a check to see if the listed individuals already meet some kind of threshold for technical certification, but since the list focuses on the directors and not on the consultants, I suspect this isn't going to happen.”
Many executives suffer from “security burnout”: a surfeit of bad news exacerbated by subscriptions to security newsletters and the like. This is unfortunate, as the “real-life snapshot” the DOI describes provides a valuable reality check on any given cybersecurity ecosystem, one that no amount of newsletter reading can substitute for.
“For us as a service provider, [being licensed] is a minor inconvenience,” says Stagg, “but it's a curious development nonetheless.”
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
Image credit: iStockphoto/grandeduc