So what is the challenge?
When it comes to cyber security, it’s not a question of “if” you’re going to get hacked, but “when”, and one of the most important ways financial firms can protect themselves is to ensure that they conduct regular penetration tests. A penetration test is a simulated cyberattack on a computer system to identify any weak spots in a system’s defences that attackers could take advantage of.
At Lanware, however, we see three big problems with “penetration testing” in financial firms:
- They are not properly scoped
- They are conducted purely to “tick a box” for compliance purposes
- They get confused with a vulnerability assessment
These problems often lead to testing that is inadequate and does not improve the security posture of the firm.
Let’s take each of these issues in turn.
1. They are not properly scoped
A penetration test will succeed only if it has a clearly defined scope and success criteria. Critically, you need to understand what you’re looking to protect before you can scope a test. Many firms, particularly larger financial firms, do not hold and update a database of their assets (e.g. users, devices, applications, networks, locations, connections to third parties, etc.) along with the risk each one poses to the business.
If you know what you’ve got, you can work out where your risks are. Focus on the question “What are your crown jewels?”. For example, one particular application could be critical to the operation of the business, be available both internally to business users and externally to clients, and contain hugely sensitive information. The penetration test may then be scoped to target that system in particular. Decisions also need to be taken about the depth of the test, whether it’s internal or external, the frequency, and how any remediation should be addressed.
2. They are conducted purely to “tick a box” for compliance purposes
Penetration testing is considered mandatory for any regulated financial firm. With the FCA it falls under the obligations around maintaining operational resilience. The challenge with treating it as just a routine exercise is that if it is not continually evaluated and re-scoped, financial firms will just do what they’ve always done to tick a box. For instance, the “annual pen test” appears on the calendar and they just “hit the repeat button”; meanwhile, the business is changing, growing, launching different products, using new applications, setting up new locations and shifting between outsourcing and in-sourcing, etc. All of these changes make it more likely that the pen test will be less useful.
In the event of a data breach, the regulator will have to be notified. If pen testing is shown to have become just a “box ticking” exercise, then it will be clear that the company has failed to comply with the regulator’s requirements and maintain operational resilience.
3. They are confused with a vulnerability assessment
This is without doubt the biggest of the three problems businesses have. Firms think they are having a penetration test when they are actually having a vulnerability assessment.
A vulnerability scan is an automated process that checks for potential security weaknesses in a system, such as a website or a network. It’s like a security guard who walks around a building to see if the doors and windows of the building are locked and secure.
On the other hand, a penetration test is a more detailed and hands-on examination by a real person that tries to detect and exploit weaknesses in a system. It’s like a thief who tries to break into the building to see if they can get in and steal something.
As you can see from the above example, they are quite different. A vulnerability assessment is just one part of the process an attacker would go through before using other tools and techniques to see if they can actually breach your security.
And in conclusion…
Financial firms are wasting hundreds of millions of pounds every year in the UK on penetration testing, and not actually improving their security posture due to these three basic issues. This is because the tests are not properly scoped, they are conducted purely to “tick a box” and they get confused with a vulnerability assessment. If you have concerns that you aren’t getting the value from your penetration testing and you’re worried about the wider security of your financial firm, please get in touch!