What do you learn from your security reviews?

Posted on 2020-07-16 by Matt Strahan in Business Security

The results of the security review come in and they’re…let’s just say “less than ideal”. Vulnerabilities that could be used to break in, steal data, and potentially get the organisation in the news. Better fix those right away!

So we assign the tasks in our ITSM system and get to work. We patch what needs patching, reconfigure what needs reconfiguring, disable what shouldn’t be there and then pat our back and call it a day. We’re now secure…right?

This is what a lot of organisations do, but you’ve only got half the story. Those vulnerabilities didn’t come from nowhere, they were the symptom of an underlying problem and if you don’t fix the problem then the same thing will happen over and over again.

In a previous blog post I spoke about the “5 whys” and pinning down root causes that pop up as vulnerabilities. One of those root causes that is bound to prop up again and again is training.

Developers are often not trained in secure coding. Administrators are often not trained in secure administration. And yet the security vulnerabilities that could be placed in the environment from those teams could cause huge consequences to the organisation.

What can you do with a penetration test to help training?

Get the penetration testers back in!

I’m a big believer about getting the most out of things and when you look at penetration testing in different ways you can see different potential usage. You can test your incident response, check to make sure your alarms are working, ensure your compliance, and find root causes.

Another way of using penetration testing results is to train your staff. Here you have not just people skilled at security as a resource for training, but you have active examples in the software that your organisation uses, in the code they made, and in the systems they built.

Each vulnerability that was found is an opportunity for training and a potential lesson to learn. Each vulnerability is a mark where there may be potential for improvement.

At Volkis we extend our penetration tests with a full developer and systems administrator workshop based on the results of the penetration testing. This involves getting all the developers in the room and going through the results. It’s not a “let’s see who to blame” session, but an opportunity to learn from the results. We go through what went wrong, how the vulnerability works, what could have happened to stop the vulnerability, and how to prevent similar vulnerabilities in the future.

Learn from all your security projects

This opportunity for learning shouldn’t just be restricted to penetration testing. Social engineering exercises, for instance, can feed directly into a security awareness programme. Your employees will have a direct example to show them what a phishing attack looks like. They can find out the actual consequences of that kind of attack, because that’s what actually happened.

User awareness programmes that are backed with phishing attacks tend to be far more successful than simple lectures or training videos. If you aren’t connecting phishing exercises with your UAT, you’re missing out.

Similarly, compliance violations are not just for wagging fingers at people, and are again an opportunity to learn. If there’s a compliance violation, you can use that to show developers why that compliance item is there, what to do about it, and how they can avoid it next time.

Organisations pay thousands of dollars to put their developers and administrators on a security course but often miss this simple way of having training that is as targeted as you can get, highlighting the specific systems, knowledge, techniques, and habits the developers and administrators need to succeed in your organisation. Feeding tests and results back in as organisational learning helps keep you secure not only now but into the future.

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by AbsolutVision on Unsplash.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn