The Top Five Criteria for Selecting Your Penetration Testing Vendor

According to The Hacker News (October 2022), researchers reported that organizations using Office 365 Message Encryption (OME), considered obsolete legacy technology by Microsoft, are subject to a vulnerability that would allow rogue third parties to access encrypted email messages. (Microsoft Purview Message Encryption has replaced OME.) This is an example of an attack surface vulnerability that an organization may not even be aware of.

In today's data-driven economy, an organization's data is often its most valuable asset. Protecting that data requires a mature security, privacy and compliance program. Because the landscape of cyber threats and data privacy regulations is vast and continuously evolving, it can be challenging to determine the best path to plan, implement, measure and adjust your defenses.

The logical first step is to gain clear knowledge of your assets, the attack vectors that threaten them and the potential consequences to your business. As most standards-based compliance frameworks recommend, mature organizations define the test scope using an attack surface analysis before executing a comprehensive penetration test.

Many organizations must conduct pen testing for compliance and regulatory requirements. But entrusting a live security test to the wrong vendor can at best waste resources, and at worst leave you more exposed than when you started.   

So select a penetration tester carefully. Look for a trusted partner that can demonstrate quality based on the following five criteria:  

  1. Competence & Experience 
  2. Risk-Based Methodology 
  3. Attack Surface Analysis 
  4. Business-Oriented Report 
  5. Actionable Remediation Plan 

How to assess competence 

It sometimes seems that everybody who has an interest in cyber security wants to be a penetration tester. The truth is that not everybody has the mindset for it, and even fewer have the skills. It requires a particular approach to problem solving, comprehensive domain expertise as a penetration tester, and a thorough understanding of the technologies and solutions in play in the environment you are testing. 

The obvious approach is to look for qualifications. But even these are a mixed bag. A popular exam is Certified Ethical Hacker (CEH), an entry-level certificate. There is nothing wrong with it, but entry-level is not what you should be looking for. The OSCP exam, long considered the gold standard for hackers, has been held up as the minimum that you should be looking for. However, though it is a challenging exam to pass and can serve as a mandatory minimum expression of competence, it is still not enough to assure you that you will get the service you need.

So how to judge? I suggest you look for two things – a sample report and references. Does the report look like a reformatted vulnerability scan? Can you talk to previous clients who advocate for the work? Unfortunately, no exam will tell you that you are hiring the right team – so you will need to do your due diligence. 

Risk-Based Methodology 

A penetration testing company will often roll out its usual offering when it starts a test. It's packaged, perhaps semi (or even fully!) automated, targeted to the scope you asked for, and comprises all the usual tests. This is not how attackers work. They survey your attack surface and then head towards the low-hanging fruit – the places they can most easily break in.

From your perspective, these more accessible routes are the highest risk vectors. You need a penetration tester that appreciates that you are not interested in how cool their tools are. You want to keep the bad guys out. Your hired hackers need to be more interested in your business than their tools. So, when you interview them, ensure they are articulating a business focus and have a methodology that identifies and attacks your highest risks. Otherwise – what's the point? 

Why an Attack Surface Analysis Should Occur Before Pen Testing 

A penetration test is a great way to identify and assess vulnerabilities. Pen testers use creative, blended attacks, as real-world adversaries do, to find weaknesses in the systems under test. However, they can only see weaknesses in the places they look – and the set of places they look is the test's scope.

The organization determines the scope, but it is often a smaller attack surface than the one that attackers can find. Better to have your surface discovered first by an Attack Surface Analysis than by an attacker.

[Venn diagram: the declared test scope shown as a subset of the full attack surface an attacker can find]

"That's out of scope!" Said No Attacker Ever

Without an ASA, you waste resources, receive false results and miss critical risks and vulnerabilities.

With an ASA, your test is efficient and the risk assessment is adequately informed.


An organization's test scope quickly becomes outdated as its attack surface evolves. Risk is continuous. Even the most mature organizations face constant changes in cybersecurity risks. Organizations should begin with an Attack Surface Analysis (ASA) to get the most out of a pen test. An ASA will identify the current attack surface and update the technical and business risks associated with it.
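The gap the diagram describes can be measured. The following Python is an added example, not code from the article or from Truvantis: it reconciles a declared pen-test scope (hostnames, a wildcard pattern and a CIDR range) against an asset inventory of the kind an ASA produces, and lists every exposed asset the test would never touch. Both the scope and the inventory are constructed sample data using reserved documentation names and addresses; the `Asset` type, the `service` label and the function names are assumptions made for this example.

```python
"""Reconcile a declared pen-test scope against an attack-surface inventory.

Added example (not from the original article or from Truvantis). The scope and
the discovered assets are constructed sample data built from documentation
ranges (example.* names, RFC 5737 addresses); a real ASA would supply the inventory.
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    service: str  # constructed label for the exposed service, e.g. "https"


# Constructed: what the organization told the tester to test.
DECLARED_SCOPE = {
    "hostnames": ["www.example.com", "api.example.com", "*.app.example.com"],
    "networks": ["203.0.113.0/26"],
}

# Constructed: what an attack surface analysis found exposed to the internet.
DISCOVERED_ASSETS = [
    Asset("www.example.com", "203.0.113.10", "https"),
    Asset("api.example.com", "203.0.113.11", "https"),
    Asset("portal.app.example.com", "203.0.113.12", "https"),
    Asset("legacy-mail.example.com", "203.0.113.70", "smtp"),  # outside the /26
    Asset("staging.example.org", "198.51.100.5", "https"),     # forgotten staging host
    Asset("vpn.example.com", "192.0.2.20", "ikev2"),           # hosted elsewhere
]


def _host_in_scope(hostname, patterns):
    # fnmatch gives shell-style wildcards: "*.app.example.com" covers
    # "portal.app.example.com" but not "app.example.com" itself.
    host = hostname.lower().rstrip(".")
    return any(fnmatch(host, p.lower()) for p in patterns)


def _ip_in_scope(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def in_scope(asset, scope):
    """An asset is in scope if either its name or its address was declared."""
    return (_host_in_scope(asset.hostname, scope["hostnames"])
            or _ip_in_scope(asset.ip, scope["networks"]))


def scope_gap(assets, scope):
    """Discovered assets an attacker can reach but the test would skip."""
    return [a for a in assets if not in_scope(a, scope)]


def coverage_ratio(assets, scope):
    """Fraction of the discovered attack surface the declared scope covers."""
    if not assets:
        return 1.0
    return 1 - len(scope_gap(assets, scope)) / len(assets)


if __name__ == "__main__":
    ratio = coverage_ratio(DISCOVERED_ASSETS, DECLARED_SCOPE)
    print(f"Declared scope covers {ratio:.0%} of the discovered attack surface")
    for a in scope_gap(DISCOVERED_ASSETS, DECLARED_SCOPE):
        print(f"OUT OF SCOPE: {a.hostname} ({a.ip}, {a.service})")
```

Run as a script, the constructed data shows a scope that covers only half of what the ASA found: a mail host just past the declared /26, a staging system on another domain, and a VPN concentrator at a different provider. Those are exactly the assets a tester bound by the scope will never assess and an attacker will find first, which is why the ASA belongs before scoping, not after the report.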

Business-Focused Report

The report you get from your test team needs to achieve many things. First, it needs to give the technical team responsible for remediation enough insight so that they can fix any problems discovered. It needs to walk you through the entire testing engagement so that you understand what the testers did, what worked, and what didn't. But more than that, it needs to give you sufficient insight into the threats and vulnerabilities to assess risk and make business decisions about what to fix and when.

Actionable Remediation Plan 

It's all well and good getting a penetration test report back that shows how clever the pen testers were and how they exploited all the vulnerabilities and broke in left and right. But it's not that helpful if it doesn't give you the information you need to fix the problems.

A good report will tell you, for each issue, what was found, how it was found, how it was exploited, why it's a problem and the recommended remediation.

Though a read-out call with the testers can be invaluable to getting the back story and context of any exploits, the report should be able to stand alone in conveying the information needed for the client to make business decisions and perform the remediation. 

Get Started Today 

Ready to get started? Contact Truvantis to schedule an Attack Surface Analysis before scoping your next pen test. 

Truvantis is a cybersecurity, compliance and privacy consulting organization with comprehensive experience in implementing, testing, auditing, and operating cybersecurity and information privacy programs. In addition to cybersecurity, compliance and privacy services, we offer cybersecurity training courses and certifications. We are also a PCI DSS, Qualified Security Assessor (QSA).  

We specialize in helping our clients improve their cyber governance posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance.  
