Penetration testing — or pen testing as it’s commonly called — is the act of seeking out weaknesses in a given IT environment. Many organizations include internal penetration testing as part of their annual audit(s), but often miss out on its true value.
A proactive, security-focused organization will employ full-time pen testers to consistently and routinely attempt to break, circumvent, confuse or breach a network or environment. This is the focus of the latest Dark Reading article by Armor CSO Jeff Schilling, “Internal Pen-Testing: Not Just for Compliance Audits Anymore.”
Schilling and Armor group internal pen testers into a Friend Network Forces (FNF) team. As the story points out, this term comes from the U.S. Department of Defense and is widely deployed to help investigate and protect global military networks.
The techniques and processes of the pen tester are only part of what makes this approach so effective in maintaining a sound security posture. Their in-depth understanding of the specific network — knowing exactly where the gaps and weaknesses reside — is also critical.
“Team members must have extensive knowledge of how an enterprise environment is designed and possess a strong understanding of the most critical gaps and vulnerabilities,” Schilling wrote for Dark Reading. “In fact, one of Armor’s FNF team members is one of our first employees, so he is someone who has a long history with the environment and understands each and every dark corner. It’s that important.”
Schilling also notes that FNF members must possess deep and diverse security backgrounds that are coupled with a strong moral compass. These individuals must be carefully vetted; they are often entrusted with valuable credentials and the accompanying access to all parts of a given network.
But it’s also important to note that they are so much more than testers. They not only complement security teams and help the organization stay protected, they also provide real-world validation that the cyber security strategies in place are actually effective.
“I can’t imagine a mature security organization NOT having an FNF team,” Schilling wrote. “That is, unless they are afraid to know the truth. But as high-profile breaches have proven, this strategic ignorance will not prevent consequences. It only exacerbates them.”