As you consider security testing plans for 2016, we want to provide guidance based on what we are seeing from security testing clients so far this year. Risk assessments and security testing are an important part of any information security program, but in an environment where budgets are constrained we need to spend security testing dollars wisely. Here are seven things to consider when making your 2016 security testing plans.
7 Things to Consider in 2016 Security Testing Plans
- Conduct a security program review. A security program review goes beyond looking at the controls that protect your organization and the risks you face; it also looks at how effectively your security organization (people, policy and processes) is aligned with those risks. A mature security program can manage security risks more effectively and efficiently.
- Share your company risk register with your selected security assessment firm. Make sure that identified, yet unmitigated, risks (those things that “keep you up at night”) are considered by your assessment firm.
- Conduct an assessment of your vulnerability management processes as well as a vulnerability assessment. High-frequency attacks against common vulnerabilities are generally preventable with routine and regular vulnerability management. We recommend that security testing include a formal vulnerability assessment as well as an assessment of your vulnerability and patch management tools and processes. This can find unknown gaps in your vulnerability management program (for example, assets that are never scanned or findings that stay open past their remediation deadline) as well as provide audit confirmation that your program is working.
- Strategize how to pen test against more than just the external vector. Attacks do not always come from the outside anymore. Third-party contracts commonly continue to ask for external penetration tests to measure the security of firewalls and other external perimeter defenses. However, an external-only security test will likely miss assets that might be exposed through other attack vectors against internal systems.
- Ensure all of your information assets have some measure of testing. Compliance-only testing (focusing only on the cardholder environment or systems that contain PHI) may mean vulnerable critical systems slip through the testing cracks, leaving you exposed. Does your business have control systems or other devices on your network? Are all devices with company-sensitive information (not just regulated information) considered in the testing?
- Test your employees’ ability to avoid social attacks. Social attacks are up. Ensure that testing in 2016 includes social engineering testing to measure your users’ ability to help you protect the organization. How well can your users spot and react appropriately to questionable emails and unknown attachments? Do you know what your employees are posting about your company on social sites like LinkedIn, Facebook or Twitter? Have you reviewed your HR job postings to sanitize information about your enterprise setup and operations? How much information are they inadvertently advertising to potential malicious actors?
- Test for company information that might be exposed outside of your corporate boundary. As the boundaries between the inside and the outside continue to break down, more and more information regarding your organization and your enterprise network operations may be inadvertently leaking into the wild. Consider leveraging open source intelligence testing as part of your next security assessment.
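The third item above recommends assessing the vulnerability management process itself, not just running a scan. One concrete way to do that audit is to join the scanner's findings against the asset inventory and the organization's remediation SLAs. The script below is an added example written for this article, not code from the original post or from any assessment firm; the asset names, finding records, dates and SLA values are all constructed for illustration and the field layout of the scan export is an assumption.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the article). In practice the inventory
# comes from your CMDB and the findings from your scanner's export; the
# (asset, finding_id, severity, first_seen, remediated) layout is assumed.
ASSET_INVENTORY = {"web-01", "web-02", "db-01", "hmi-plc-01", "hr-fileshare"}

FINDINGS = [
    ("web-01", "F-1001", "critical", date(2016, 1, 4), date(2016, 1, 9)),
    ("web-01", "F-1002", "high", date(2016, 1, 4), None),
    ("web-02", "F-1003", "medium", date(2015, 11, 20), date(2016, 1, 30)),
    ("db-01", "F-1004", "critical", date(2015, 12, 1), None),
    ("db-01", "F-1005", "low", date(2015, 12, 1), date(2016, 2, 15)),
    ("hr-fileshare", "F-1006", "high", date(2016, 1, 20), date(2016, 2, 25)),
]

# Remediation deadline in days per severity. These are assumed policy values;
# substitute the SLAs your own patch management standard defines.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the audit is run against (constructed).
AS_OF = date(2016, 3, 1)


def scan_coverage(inventory, findings):
    """Inventory assets that appear in no finding at all: most likely never
    scanned, i.e. a gap in the program rather than a clean result."""
    scanned = {asset for asset, *_ in findings}
    return sorted(inventory - scanned)


def sla_report(findings, sla_days, as_of):
    """Classify every finding as closed in SLA, closed late, open but still
    within SLA, or open and overdue. Returns (per-severity counts, overdue list)."""
    buckets = defaultdict(lambda: {
        "closed_in_sla": 0, "closed_late": 0, "open_in_sla": 0, "open_overdue": 0,
    })
    overdue = []
    for asset, finding_id, severity, first_seen, remediated in findings:
        deadline = first_seen + timedelta(days=sla_days[severity])
        if remediated is not None:
            key = "closed_in_sla" if remediated <= deadline else "closed_late"
        elif as_of <= deadline:
            key = "open_in_sla"
        else:
            key = "open_overdue"
            overdue.append((finding_id, asset, severity, (as_of - deadline).days))
        buckets[severity][key] += 1
    return dict(buckets), overdue


def sla_compliance_rate(buckets):
    """Share of all findings that were (or still are) handled within SLA.
    This is the single number an auditor will ask for; the overdue list is
    what the remediation owners need."""
    total = sum(sum(counts.values()) for counts in buckets.values())
    within = sum(c["closed_in_sla"] + c["open_in_sla"] for c in buckets.values())
    return within / total if total else 1.0


if __name__ == "__main__":
    print("Never-scanned assets:", scan_coverage(ASSET_INVENTORY, FINDINGS))
    buckets, overdue = sla_report(FINDINGS, SLA_DAYS, AS_OF)
    for severity, counts in buckets.items():
        print(severity, counts)
    print("Overdue (id, asset, severity, days past deadline):", overdue)
    print(f"SLA compliance: {sla_compliance_rate(buckets):.0%}")
```

On the constructed data the coverage check flags the control-system host that never shows up in any finding, which is exactly the kind of unscanned asset the fifth item warns about, and the SLA report separates findings that were merely closed from findings that were closed on time.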