Force Multiplier: Penetration Testing and Attack Surface Mitigation Choosing between attack surface mitigation and penetration testing to ensure the security of your organization is no either/or question. You need both. Ben Wallace Enterprise Architect Discussions about software security are ubiquitous in every industry since breaches can come from any part of the technology. There are numerous ways of compromising a computer system. While breaches aren’t common, they often have disproportionate financial and reputation costs. Not to mention the regulatory impact that could easily shut down a fledgling company. Today, we’ll discuss two of the many methods available to mitigate these risks: limiting the attack surface and penetration testing. You’ll see very quickly how these two are interwoven and how to leverage that. Attack Surface Mitigation Imagine somebody walking through a parking lot, checking the door handles on cars in hopes of finding one unlocked. They aren’t spending much time at each vehicle and don’t intend to break into one. The person simply looks for one specific thing and moves on if they don’t find it. This is essentially what an automated attack on a computer system looks like. It uses automated probing tools to scan your organization’s or application’s “surface” for open ports or other easy-to-patch vulnerabilities. In the security context, “attack surface” refers to any publicly accessible digital asset such as an API or web page that anyone can get into over the internet. Attack surface mitigation (ASM) is considered preventative maintenance and constitutes the bare minimum for risk detection in publicly facing systems. It’s generally performed monthly and comes at a relatively low cost. When scanning for common vulnerabilities, industry-standard risk frameworks, such as the OWASP Top 10, are used. As an automated process, ASM tools generate automated reports that call out the priority of the discovered issues. Full-service providers (such as MentorMate) create corrective action plans using this information and execute the development and deployment of remediation plans. The primary function of these security services is to provide insight into the unknown and protect your company from vulnerabilities and compliance gaps. But they also expose unknown costs and configuration errors. Many organizations I’ve assisted in the past discovered unneeded domains, users, and services that present more cars in the parking lot for a bad actor to check the door handles. Here at MentorMate, we not only scan for those attack vectors, we reduce the surface area. As a side benefit, there are often financial gains by shutting down unused legacy systems. Now that we’ve seen what automated computer system attacks are capable of, we can go one step further with a more sophisticated method of discovering vulnerabilities. Penetration Testing Let’s get back to the parking lot. While attack surface scanning is more of a did-you-lock-your-door approach, a penetration test (or pen-test) involves a professional locksmith with picks, lights, and tools trying to get into one targeted car. While ASM reduces the number of attack paths, pen-tests look for vulnerabilities in parts that must be exposed to do business. Pen-tests proceed only with strict privacy and disclosure agreements due to the inherent risks of known findings. The test itself is performed by trained and certified professionals and is closely monitored and recorded. Pen-tests are akin to actual hacking where a skilled technologist uses sophisticated tools to probe every imaginable way to break in. When getting penetration tested, clients obtain valuable security and risk information that goes deeper than what’s on the surface. For this reason, ASM is usually carried out monthly, whereas pen-testing is generally performed at critical deployment steps or annually. Something to remember is that penetration testing is invasive and triggers anti-intrusion countermeasures. Thus, it can cause operability issues in deployed infrastructure or applications and is therefore done with a copy to not disrupt user experience. MentorMate brings clients value beyond pen-test services with advice on how to abate and prevent vulnerabilities. MentorMate can help implement those changes as well. A Symbiotic Approach Your business goals demand a high level of risk awareness and practical security to safeguard your customers and yourselves. By combining the inside-out (ASM) and outside-in (pen-test) approaches, you get a holistic view of the risks you face as well as a path to address them. Start with ASM. A reduced surface area will save time, effort, and cost with pen-testing. Pen-testing is a larger and more expensive effort and should always begin with the most critical attack surfaces, then expand. Here at MentorMate, our expert risk identification team has vetted and mitigated hundreds of risks for our clients. This breadth of experience gives us an advantage that your business can leverage. Our ever-present goal is to prevent the breach be it via ASM or a pen-testing review. I’ve outlined the fundamental differences between penetration testing and attack surface mitigation. But how do you choose which one to use? Due to budget constraints, some companies may only be able to afford ASM to start and opt for a pen-test when they can — or if an investor demands it. At the same time, if finances allow, many companies combine both approaches. They have attack surface detection going all the time and conduct penetration testing annually or as needed. Tags Security Share Facebook LinkedIn Twitter Share Facebook LinkedIn Twitter Sign up for our monthly newsletter. Sign up for our monthly newsletter.