How to Mitigate Cybersecurity Risk with Penetration Testing
When it comes to cybersecurity, a good offense is a key component of a good defense. Much like organizations, hackers continuously learn and hone their skills. So, it’s critical to keep up with the latest threats they deploy, identify potential vulnerabilities and understand how your organization would respond to an attack by leveraging penetration testing and vulnerability assessments. By examining vulnerabilities before a real hacker has the opportunity, your institution can take an offensive approach and mitigate cybersecurity risk.
Want additional insight into strengthening your cybersecurity posture? Download our white paper.
How Can Institutions Manage Network Risk?
Your institution’s network includes anything your data touches—including third-party or vendor data—so it’s important to know where your data exists. A data flow diagram provides a visual representation that helps you understand where your data travels, how it can be accessed, its risk classification levels, and where it resides both internally and externally.
While you can’t control every aspect of external data, you should have controls in place to protect what you can. For instance, consider customer/member phones that may be able to access your data. You can’t mitigate all the associated risks, but you can take preventative measures such as promoting security awareness, utilizing strong encryption for data communications and requiring multi-factor authentication for their logins.
Vulnerability Scan vs. Vulnerability Assessment
Though often referred to interchangeably, vulnerability scans and vulnerability assessments differ. A vulnerability scan uses software to analyze your system. A vulnerability assessment takes it a step further to provide additional context around the scan, giving you an inside look into the exposure for vulnerabilities. With a vulnerability assessment, you can also analyze whether you have controls in place to address specific vulnerabilities.
After an assessment, vulnerabilities receive ratings of criticality based on various factors. Consider the vulnerabilities in context: You might have a vulnerability listed as critical, but you also might have controls on your network that would make exploiting that vulnerability nearly impossible. By having context around them, you have a better sense of how much you should focus on these vulnerabilities.
The Common Vulnerability Scoring System (CVSS) is a common method that scores your vulnerabilities by level of severity (not a measure of risk). This method considers several factors like ease of exploitation, how widespread the vulnerability is or the specific threat level to your organization. If using a CVSS system, evaluate those vulnerabilities categorized as medium, high or critical severity. You can then perform an assessment based on the rating.
Key Differences between Penetration Tests and Vulnerability Assessments
A penetration test might be accompanied by a vulnerability assessment or scan, but this test involves a friendly hacker seeing what data and level of access they can obtain on your network. During a penetration test, a tester identifies vulnerabilities or security weaknesses and then attempts to leverage them to gain deeper access into your network. Penetration tests often reveal eye-opening results by showing how many points of entry exist across your network.
While still valuable, a vulnerability scan or assessment offers a broader view than a penetration test; however, the results are much more generic. Since a penetration test is more manual and object-oriented, it provides directly actionable information to help you evaluate and resolve weaknesses likely to be leveraged by a malicious individual. Combining these with a layered security approach offers the most protection.
Types of Penetration Testing: Internal, External and Wireless
Since penetration testing pinpoints how specific vulnerabilities and weaknesses could be used to access your IT environment, it’s important to conduct testing that evaluates all components of your network. Your institution can achieve a comprehensive view of potential vulnerabilities in your environment by conducting different types of penetration tests, including:
- External penetration tests: This test reveals what is accessible to anyone in the world who has internet access, including email servers, web servers, remote administration interfaces, VPN interfaces and even the services/interfaces you didn’t know existed. Ultimately, this test challenges the borders of your network and how well it keeps unauthorized individuals out.
- Internal penetration tests: While it’s important to have external testing, you should also understand the security posture of your internal network in the case of a malicious insider, an attack that opens the door from the inside out or a breach of perimeter security. This type of test looks at your internal network as if the attacker could plug into a network jack within one of your locations. Normally, this test is larger in scope and much more eye opening regarding the threats posed by malicious individuals.
- Wireless penetration testing: This test is a subset of the internal penetration test that evaluates the security of any wireless connectivity associated with your network.
- Web application tests: As a specialized type of testing that isn’t focused on access to a network and its systems and data, web app testing concentrates on a specific application or website that is accessible from the internet. This type of testing focuses solely on challenging the security and controls of the given application/website.
The end game of these tests is to gain complete administrative control and/or compromise confidential information. When routinely performed, penetration tests offer you the opportunity to strengthen your defenses against the latest tactics while fulfilling compliance requirements.
Compliance vs. Cybersecurity: Should You Equate the Two?
If your institution conducts regular penetration tests and vulnerability assessments to fulfill regulatory expectations, does that mean your institution is secure? Not necessarily. Compliance should be viewed as a minimum baseline for security. Rightly so, more organizations are beginning to consider security a business requirement, as taking security precautions and deploying a proactive approach will save money and resources if a breach happens.
Many organizations struggle to recover after a breach, and financial institutions in particular face operational and reputational consequences. Remember: A reputation takes years to build but can be dismantled quickly. With the internet, consumers can easily share information about your institution if a breach occurs.
6 Tips for Mitigating Cybersecurity Risk
How can financial institutions take steps to strengthen cybersecurity in the face of evolving threats? Here are several tips to mitigate cybersecurity risk for your institution:
1. Remediate results.
Don’t be afraid of the results from a penetration test or vulnerability assessment. Assessments aim to strengthen your approach, not to serve as a pass/fail benchmark. Your institution should analyze the results and remediate any issues for optimal effectiveness. Remediating any issues or critical vulnerabilities after an assessment is a key step in preventing bad actors from exploiting your weaknesses.
2. Prioritize cybersecurity education.
Since cybersecurity is a business issue, employees outside the IT department play an important role in cybersecurity. From loan officers to tellers, employees have access to a myriad of systems and are potential targets as a result. While employees don’t have to be cybersecurity experts, it is still beneficial to practice good security hygiene. This is also a cost-effective measure, as the cost of educating users will almost always be less than the cost of dealing with a breach.
Hackers often rely on weak passwords or phishing attacks to gain system access, but educating your users on the latest tactics and common social engineering schemes—and how to report them when spotted—helps mitigate your risk of a successful attack. Ensure your employees and customers/members remain vigilant when they receive an unexpected email with an urgent message that includes a strange link or attachment, as this is a common hacker tactic.
3. Implement multi-factor authentication.
One way to encourage hackers to move on to a different target is making it as difficult as possible to carry out their objective, which is often account access. Multi-factor authentication (MFA) is an excellent way to discourage hackers, as it requires more than a username and password to obtain account access. This additional information can include a token, text message, email or biometric data such as a face scan or fingerprint. Not only should employees use MFA when accessing your systems and network, but your institution should encourage customers/members to enable this control on their financial accounts, email accounts and even social media.
4. Implement patch management.
Most bad actors use tools that take advantage of your system vulnerabilities, so it’s important to invest in routine vulnerability and patch management to shore up your defenses. If you remediate a vulnerability, bad actors don’t have an easy way to exploit it and will likely move on to low-hanging fruit elsewhere. Further, good patch management minimizes surface area and attack exposure. While updating your patches can be resource-intensive, it is worth it in the long run. This approach includes encouraging employees to update software, operating systems, applications, etc. to mitigate the risk of hackers taking advantage of any vulnerabilities.
5. Assess your risk.
If done properly, risk assessments are a key component of a cybersecurity plan. A risk assessment helps an organization identify and manage financial, operational and other risks associated with internal and external incidents. And proper risk assessments should be more than filling out a spreadsheet; they’re about the lessons learned along the way as you produce it. During this assessment, you should identify assets you need to protect and understand how controls in place work together. The resulting document should help you prioritize your limited resources.
6. Involve your leaders.
Cybersecurity involvement should not be limited to your IT department. Since this issue touches nearly every part of your organization, it’s important to have board and senior management involvement. Senior management should be invested in understanding cybersecurity threats and have enough familiarity with the topic to ask credible questions to IT leaders. Further, they should serve as advocates for your cybersecurity plan and reinforce the importance of education and training at all levels.
When determining the appropriate cybersecurity investment, leaders should consider your institution’s individual objectives, risk assessment and risk appetite—or a representation of how much risk an institution is willing to accept. As an integral component of a holistic approach to IT, security and compliance, IT governance ensures that an institution’s technology and business objectives support its larger strategies.
Finding the Vulnerabilities before Cyber Criminals
With evolving threats and opportunistic hackers, investing in cybersecurity for your institution should be a priority. Having defenses in place to protect your data and systems could make all the difference in avoiding the financial and reputational repercussions of an attack. Tools like penetration tests and vulnerability assessments should be components of your larger cybersecurity strategy and help you stay ahead of cyber criminals.
Download our white paper for more strategies to strengthen your cybersecurity posture.
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With over 20 years of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations.