Leveraging remote security testing to support business continuity
8 April 2020
Organisations are reacting and adjusting like never before to keep their people, data and business safe.
Adapting the way we work is essential in the current environment, and with the support of technology and experts, business continuity and resilience remain achievable for many companies.
At present, a large proportion of organisations are trying to maintain their day-to-day services and operations, including supporting an increasingly remote workforce, whilst also taking a proactive approach against the ever-evolving threat landscape they continually face.
To support those efforts, traditional consultancy service capabilities are also available remotely, allowing for continued support and greater flexibility. By leveraging these services companies can continue to operate efficiently while maintaining their information resilience against threats.
Penetration testing is one such service. Whilst it is true that a lot of penetration testing activity is already performed remotely, there are types of testing, ranging from internal network and application testing to server compliance reviews, which would typically be performed on-site with a physical presence from a BSI expert.
A penetration test is a technical assessment designed to identify vulnerabilities which may exist on a specific asset, or set of assets, such as an internal network, a web or mobile application or an organisation's external perimeter network, amongst many other examples. Penetration testing continues to be a well-established and very useful tool for organisations that need an in-depth evaluation of the security controls in place across their assets, and being able to continue it during this time is important for maintaining an organisation's security posture.
BSI Consulting Services can deliver a full suite of security tests remotely, including testing that would typically require a physical presence, by utilising a secure remote internal testing solution. The solution provides a safe, secure and reliable connection into an organisation's network or cloud environment and allows one of the BSI experts to perform the required assessments.
Conducting penetration tests can have a substantial impact on a company’s defence posture if carried out on a regular basis. Performing an internal assessment remotely provides many advantages such as:
- It allows for assessments to continue despite increasing travel bans being enforced globally.
- Its easy deployment and usage enable a security consultant to perform an internal assessment worldwide in any condition or location (especially for those remote locations where travelling on-site is not a viable option).
- The on-demand access also permits a faster response in cases where internal access is required quickly, such as an urgent requirement for testing.
- It limits any delay caused by travel disruption or special travel requirements (such as visas or other permits).
- It also reduces travel expenses associated with having consultants present on-site.
Having the option of performing security testing remotely gives organisations the flexibility to respond and react to unforeseen events and continue to gain the assurances sought from planning and performing regular assessments.
When it comes to successfully addressing penetration testing for your organisation the following steps are advisable:
Establish your goals
What are the objectives that need to be achieved? It is important to engage all key stakeholders, as this will help to define the criticality level of different assets and data sets and therefore where best to focus resources to protect what's vital. Objectives need to be defined upfront and can be included in the mapping out of a testing programme.
For example, a company's goal might be to meet challenging compliance requirements for the year ahead, or to gain a comprehensive understanding of its network defences.
It’s imperative that what you’re looking to achieve is clearly defined in advance and built into a comprehensive programme to allow for the most effective testing methods and frequency to be selected.
Scope the test
This is a vital step for achieving the desired outcome from the testing and allows the service provider to focus resources in the right place. Questions to ask here include: What exactly should be included in the test and how is it to be conducted? Are you looking to examine the defensive capabilities of your public-facing web site? Or are you more concerned with your internal systems like your servers, workstations, firewalls and network defences?
When defining the scope of your test you need to take into consideration constraints such as financial and time limitations or compliance requirements, as well as which areas of the business can and cannot be assessed, and, importantly, how frequently testing can and should be performed.
Plan the test
It is important that you plan and implement a change freeze on the organisation's systems and alert the IT team that a higher load may be placed on the target assets during testing.
Again, it is important to involve all internal stakeholders in the planning process to ensure the impact on business operations is minimised.
Apply an improvement programme
Once a vulnerability has been identified and rectified, it is important that the process does not stop there. Continual testing and implementation of improvements are key to staying on top of new threats.
A penetration testing report reveals vulnerabilities for that present moment and as there is an ever-changing threat landscape, regular testing is crucial to keeping up to date with new vulnerabilities and in meeting compliance requirements.
How the remote security testing works for clients
The BSI remote testing solution comprises three parts: a virtual appliance that can be downloaded by clients, a dedicated cloud server and the BSI penetration testing network.
It is a relatively simple process to get underway. Clients download and run a virtual machine to suit their environment, whilst BSI deploy a dedicated server for each organisation to add an additional level of separation and protection. After a minimal level of setup, BSI consultants are able to connect to the virtual machine through the server in a safe and secure manner, enabling the testing to be performed. Once the assessment is complete, both the server and the client virtual machine can be decommissioned, preventing any further access to the internal infrastructure.
A dedicated server for each client and the attended setup of the BSI remote security testing solution ensure that:
- Traffic is encrypted and therefore secure from being intercepted whilst in transit.
- Access to the internal network is restricted to a certain time slot, for example during the assessment, and limited to the personnel carrying out the assessment, each of whom has separate accounts and keys for access.
- The client has control over the virtual machine in their environment and can stop/start the tunnels as required.
- The use of key pairs throughout the set-up ensures that both people and machines are authenticated to each other to prevent man-in-the-middle attacks.
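As an added illustration of how a client could verify the second and fourth controls above for themselves, the script below audits a constructed access log against an agreed assessment window and a set of pre-registered consultant key fingerprints. It is example code, not part of BSI's solution or of the original post; the log format is assumed to be OpenSSH-style "Accepted publickey" lines, and every account name, fingerprint, address and time is a constructed sample value.

```python
"""Audit tunnel-server access against the agreed assessment window and the
pre-registered consultant keys.  Log line shape is an assumption modelled on
OpenSSH auth messages; all values below are constructed, not real."""
from datetime import datetime, timezone
import re

# Assumed: the per-client server only accepts these accounts and key fingerprints.
AUTHORISED_KEYS = {
    "consultant1": "SHA256:AAAA1111constructedfingerprint0000000000001",
    "consultant2": "SHA256:BBBB2222constructedfingerprint0000000000002",
}
# Assumed assessment window agreed with the client (UTC, constructed).
WINDOW_START = datetime(2020, 4, 8, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 4, 8, 18, 0, tzinfo=timezone.utc)

# Assumed line shape: ISO-8601 timestamp followed by an OpenSSH-style message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: (?P<key_type>\S+) (?P<fp>SHA256:\S+)$"
)

def audit_line(line):
    """Return the findings for one log line; an empty list means compliant."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    findings = []
    ts = datetime.fromisoformat(m["ts"])
    if not (WINDOW_START <= ts <= WINDOW_END):
        findings.append("login outside assessment window")
    expected = AUTHORISED_KEYS.get(m["user"])
    if expected is None:
        findings.append(f"unknown account {m['user']}")
    elif expected != m["fp"]:
        findings.append(f"key fingerprint mismatch for {m['user']}")
    return findings

def audit_log(lines):
    """Return (index, findings) for every line that breaks a control."""
    return [(i, audit_line(ln)) for i, ln in enumerate(lines) if audit_line(ln)]

# Constructed sample log: compliant, out of hours, unknown account, wrong key.
SAMPLE_LOG = [
    "2020-04-08T10:15:00+00:00 Accepted publickey for consultant1 from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:AAAA1111constructedfingerprint0000000000001",
    "2020-04-08T22:40:00+00:00 Accepted publickey for consultant2 from 203.0.113.11 port 51300 ssh2: ED25519 SHA256:BBBB2222constructedfingerprint0000000000002",
    "2020-04-08T11:05:00+00:00 Accepted publickey for admin from 198.51.100.7 port 40000 ssh2: RSA SHA256:CCCC3333constructedfingerprint0000000000003",
    "2020-04-08T12:00:00+00:00 Accepted publickey for consultant1 from 203.0.113.12 port 51999 ssh2: ED25519 SHA256:ZZZZ9999constructedfingerprint0000000000009",
]
```

Run against a real server log, the same checks give the client an independent record that no access happened outside the agreed slot or from an unregistered key, which is the evidence the decommissioning step relies on.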
BSI Consulting Services are trusted accredited partners and are part of an elite group of organisations with global CREST membership. Their experts provide a range of solutions to help organisations address challenges in cybersecurity, information management and privacy, security awareness and compliance.
For more details on BSI’s Virtual Consulting Services visit bsigroup.com/cyber-ie
Michael Romain is global practice director for Testing Services at BSI