Ethical hacking: What to look for in a pen tester

Simulated attacks on a healthcare organization can help infosec leaders assess their security posture, but not all pen testers are created equal and not every provider is ready to be tested.
By Jessica Davis
08:00 AM

Healthcare data breaches increased 70 percent between 2010 and 2017, according to a recent study published in the Journal of the American Medical Association. And with breaches costing healthcare organizations $408 per patient record, the stakes are higher than ever.

Cybersecurity is increasingly a boardroom conversation, and some states and industry groups are drafting security frameworks to help organizations protect themselves against these threats. So where does penetration testing fit in the infosec toolkit?

Pen testing is the practice of running simulated cyberattacks against an organization’s network or against a specific function, such as IoT devices or web apps. The goal is to identify flaws and weaknesses in those systems and to determine how likely it is that an attacker could actually exploit them.

Essentially, pen testers, or white hat hackers, model what real-world malicious hackers do, under controlled circumstances, so that an organization can better understand and manage its risk.

However, pen testing isn’t necessarily right for every organization, and an organization needs to be realistic about its current security posture before deciding whether hiring a pen tester is a smart move.

What makes a good pen tester?

The healthcare environment presents a different attack surface than other sectors such as finance. Medical devices, IoT, EHRs and a host of legacy computers create a wide range of potential security risks.

To Lee Kim, director of privacy and security for HIMSS North America, a pen tester should have “real world experience and experience in business environments like [healthcare].”

“Pen testing in a healthcare environment is different than pen testing in a financial environment,” said Kim.

The pen tester or prospective security firm must understand the organization’s needs and concerns, explained John Nye, vice president of cybersecurity strategy for CynergisTek. They also need to discuss which systems are potentially vulnerable, and both understand and fully explain the risk that testing those systems can itself represent.


“Healthcare in particular is rife with highly sensitive IT environments that contain protected health information among other sensitive data, and there is often no shortage of vulnerable systems that can allow unauthorized users access,” said Nye.

“A good ethical hacker will be able to help you to understand where those vulnerabilities are, how they can be used to exploit your organization’s data and the patient’s data and how to remediate them,” he added.

Healthcare organizations looking to hire a pen tester or team need to be sure the prospective vendor understands what is important to the organization and is willing “to work with you to gain that understanding.”

“This can come in the form of a partner that works with the healthcare industry extensively, or at least is open to changing their typical approaches to accommodate the special needs of your organization,” said Nye.

“One of the most important things to keep in mind is that no organization is like any other and any pen tester that tells you that ‘one size fits all’ is not in it to help you, they are trying to sell their services,” he added.

Kim added that a good pen tester has keen attention to detail and is accurate and creative, which is “very essential when you are doing a red team exercise.” For some organizations, certifications may be a helpful signal as well.

Not all pen testers are created equal, Nye explained. “While it might seem like anyone with a little experience and tool can do this, the skillsets involved in attacking and exploiting various systems are actually quite specialized.”

“So, while a web app pen tester might be capable of performing an internal network pen test, their special knowledge would be wasted in most cases,” he added. “No one can know it all, so we have to pick our corner of knowledge and get really good at it. In case you were wondering, my passion is people and their role in security (and insecurity).”

Budget and contractual considerations

There are two crucial documents that need to be in place before a pen tester can begin work.

The scoping document lays out in detail the systems an organization is allowing the tester to “attack,” Nye explained. Perhaps more importantly, the document also lists the systems that are “absolutely out of scope. Without the list, it’s impossible to begin pen testing as it will cause more problems than [they’re solving].”
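The in-scope and out-of-scope lists only protect anything if the tester’s tooling actually honors them. The following Python is an added illustration, not code from the article or from the people it quotes, of enforcing both lists before any target is touched: exclusions are checked first, so a clinical-device VLAN or a core gateway carved out of an otherwise permitted range is refused even when the enclosing range is allowed, and a target range that merely overlaps an exclusion is refused as a whole. The addresses, the /16, the excluded VLAN and the gateway are all constructed for the example and are hypothetical.

```python
import ipaddress

# Constructed example scope, not taken from any real engagement.
# In practice both lists are copied verbatim from the signed scoping document.
IN_SCOPE = ["10.20.0.0/16", "192.0.2.10"]
# Exclusions override inclusions. The /24 (hypothetically a clinical-device VLAN)
# and the single host (hypothetically the core gateway) sit inside the allowed /16.
OUT_OF_SCOPE = ["10.20.5.0/24", "10.20.0.1"]


def parse_scope(entries):
    """Turn 'a.b.c.d' or 'a.b.c.d/len' strings into ip_network objects.

    A bare address becomes a /32 (or /128) network so that single hosts and
    ranges are handled by the same containment logic below.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify(target, in_scope=None, out_of_scope=None):
    """Classify one target as 'excluded', 'allowed', 'unlisted' or 'unparsable'.

    Order matters: exclusions are checked before inclusions, and any overlap
    with an excluded range rejects the target, so a broad target that contains
    an excluded host cannot be scanned without first carving the host out.
    """
    in_scope = parse_scope(IN_SCOPE) if in_scope is None else in_scope
    out_of_scope = parse_scope(OUT_OF_SCOPE) if out_of_scope is None else out_of_scope
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return "unparsable"
    # overlaps() returns False across IPv4/IPv6, so mixed lists are safe here.
    if any(net.overlaps(ex) for ex in out_of_scope):
        return "excluded"
    # A target is allowed only if it lies entirely inside one in-scope range.
    if any(net.network_address in ok and net.broadcast_address in ok for ok in in_scope):
        return "allowed"
    return "unlisted"


def filter_targets(targets, in_scope=None, out_of_scope=None):
    """Split a target list into those safe to scan and those refused (with reason).

    Anything that is not positively allowed is refused: an 'unlisted' host is
    as off-limits as an 'excluded' one until the scoping document says otherwise.
    """
    allowed, rejected = [], []
    for t in targets:
        verdict = classify(t, in_scope, out_of_scope)
        if verdict == "allowed":
            allowed.append(t)
        else:
            rejected.append((t, verdict))
    return allowed, rejected


def nmap_exclude_args(out_of_scope=None):
    """Build the --exclude argument so the scanner itself enforces the carve-outs.

    nmap's --exclude accepts the same host/CIDR syntax as its target list.
    """
    entries = OUT_OF_SCOPE if out_of_scope is None else out_of_scope
    return ["--exclude", ",".join(entries)]


if __name__ == "__main__":
    # Constructed target list mixing permitted, carved-out and unlisted hosts.
    candidates = ["10.20.9.9", "10.20.5.7", "10.20.0.1", "10.20.0.0/16", "172.16.0.1"]
    ok, refused = filter_targets(candidates)
    print("scan:", ok)
    print("refused:", refused)
    print("nmap args:", nmap_exclude_args())
```

The useful property is that a whole /16 copied from the scoping document is refused until the excluded VLAN and gateway are carved out, which forces the tester to expand the range into the permitted sub-blocks rather than rely on a scanner flag they might forget.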

The other important document, the Letter of Authorization (LoA), is “colloquially called the ‘get out of jail free card.’” Nye said the document is essentially a permission slip for pen testers to perform malicious attacks on an organization’s systems and controls, “absolving the pen tester of legal liability if they are ‘caught.’”


“Technically speaking, the tools and techniques that ethical hackers use are identical to those of the black hats,” said Nye. “The difference is really only permission and scoping. Without that LoA, we ethical hackers are doing something equally as illegal as our less law-abiding black hat brethren.”

As for budget concerns, Kim warned that organizations need to confirm the pen tester is either local or can perform the engagement remotely; otherwise, travel costs will be added on top of the service fee.

“Pen testing is not inexpensive,” said Kim. “But paying OCR fines, litigation costs and incurring remediation expenses in the case of a significant breach can be many times more costly.”

To Nye, organizations should avoid vendors offering “pen tests in quantity over quality.” Those vendors typically quote a lower upfront cost, but the assessment is often largely automated and the testers may not spend enough time with the results to be genuinely effective.

But organizations should also be wary of the pendulum swinging the other way, where the pen test is far too expensive and time-consuming for the job, explained Nye.

“Unless you are planning a full-on Red Team exercise with all the bells and whistles or your organization has hundreds of thousands of systems to test, a pen test should not be the most expensive service you pay for,” Nye said.

“A good assessment will take only as much time as is actually needed to gather enough data for analysis,” he continued. “Again, this will be highly dependent on your organization’s needs, focus and intent -- but make sure you don’t over or under buy.”

When to hire

To Kim, all organizations should hire a pen tester, “if they don’t want to be hacked.”

Pen testers give insight into what an organization is doing right and wrong in terms of security, explained Kim. While the cost can be a drawback, “the pen tester will likely write a pen testing report with what was found and recommendations for addressing vulnerabilities and the like.”

“The organization should at least carefully consider what is in the pen tester report and consider implementing the recommendations, as appropriate,” she added.

But Nye warned that organizations need to get their security basics in order before hiring a vendor to perform these assessments.

“Not all organizations may be ready for a penetration test,” said Nye. “For example, an organization that does not have any security program to speak of (which is more common than you think).”

If an organization hasn’t even performed a vulnerability scan, lacks strong inventories or a patch management program, “a pen test is going to blow up really quickly,” Nye explained. “Really, any of these factors show an immature security program, and a pen test is going to simply further exacerbate issues.”

Organizations with weak security programs can’t handle a pen test, and it’ll “just overwhelm anyone who receives the report, and a good pen tester will tell you that up front,” said Nye.

But don’t give up on the idea of a pen test if your organization isn’t ready, he explained. “Get to the point where a pen test does make sense, start getting inventories, patching systems and running regular vulnerability scans.”

Pen Tester Checklist:

  • Are we ready for a pen tester? An organization needs a solid inventory, patch management processes and a strong security program, or an assessment will “blow up really quickly.” If you’re not ready, start those vulnerability scans, patching and inventories.

  • Find a pen tester with experience in the healthcare sector, as not all ethical hackers are created equal. A good pen tester will have honed their skills into a specific area, like web apps or internal networks.

  • Outline expectations, including the systems to pen test and systems off limits to the pen tester.

  • Avoid pen testers with a “one-size-fits-all” mentality, as well as the other side of the pendulum, where the scope is far wider and the cost far higher than the task requires. A good pen tester will partner with you to ensure you understand the assessment and its risks.

  • Use the report and its recommendations to address vulnerabilities.


Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com