How to Choose a Cloud Aware Penetration Tester

Arcus Global

September 7, 2017

If security is important to you then you’ll want an external penetration test of your infrastructure. The work that Arcus does with central government and the NHS means that we have been tested by several ‘experts’, but the truth is that many of them don’t understand the Cloud, so they make recommendations that are irrelevant while missing larger issues. Recently I met a penetration test company that does understand the Cloud, but before I come to that, let me explain what a penetration test involves.

Why have a pen test?

A common requirement for any government organisation, when moving into the cloud, is to ensure the security of a solution – and moreover achieve the necessary SIRO (Senior Information Risk Officer) sign off that gives assurance that the architecture is secure and fit for purpose.

This ‘fitness for purpose’ usually means considering the risks and requirements of ‘Official’ level data and the security controls that need to be in place (please note that the old Impact Level (IL) classification system was replaced by the Government Security Classifications in 2014 and has not been relevant for a long time!). Many people think of ‘Official Sensitive’ as another classification level; in reality it is a handling caveat within ‘Official’, not a separate level, but it does call for additional controls and risk mitigations. In short, it can be a complex landscape, and the SIRO in most organisations understands risk but not the detail of hacking. To assure themselves they need experts in hacking to try to penetrate their infrastructure and tell them what needs fixing.

What does the tester do?

  1. Scope statement – These companies will start by agreeing a scope that defines the servers and services they will test and the sort of tests they will perform. This scope should be agreed with whoever runs the infrastructure so that they can explain the design and agree how the testers will be given access, for example by allow-listing the testers’ source addresses for the duration of the engagement (you can’t test infrastructure properly if the first layer of security locks you out).
  2. Testing – Testers typically run a series of tools that scan for vulnerabilities and, upon locating them, attempt to exploit them using known weaknesses, e.g. publicly disclosed exploits for unpatched software, misconfigurations or out-of-band attacks. (Genuine zero-day exploits are, by definition, not known weaknesses and are rarely part of a routine engagement.)
  3. Progress updates – Some testers love secrecy and refuse to communicate their results until the test is complete. The best ones schedule daily wash-up meetings that explain what they’ve found that day and enable us to fix issues as the test progresses, so that by the end of the test most of the issues have already been remedied. This provides better value for the customer, who would otherwise have to schedule and pay for a second penetration test to confirm that the issues identified in the first have been fixed.
  4. Report – The outcome of a pen test is a report that lists high, medium and low priority findings that require remediation. If you’re experienced in designing infrastructure that passes pen tests and you’ve had daily progress updates with the tester, you can usually end a pen test with a report that lists only low priority findings. The client reviews the report with the tester and decides whether to fix or accept each finding. Most clients remedy all high and medium findings, but fixing some of them can be expensive, both in cash and in the restrictions it places on the application: “the most secure site is one that isn’t accessible by anyone”. Whatever is accepted rather than fixed should be recorded as a risk decision for the SIRO.

New threats emerge all the time so it is important to regularly schedule penetration tests, even if the infrastructure hasn’t substantially changed.

Why is having a Cloud-aware penetration tester important?

Just as new threats appear all the time, so the infrastructure that people use is updated. Last year Amazon made over 1,000 improvements or additions to their services, but many penetration testers built their tooling around traditional, physical infrastructure: host and port scanners that look at what is reachable over the network. In AWS much of what matters is configuration in the control plane (security group rules, IAM policies, S3 bucket policies) that a network scan never sees, so such testers can completely miss AWS vulnerabilities while focusing on issues that would matter in the old world but don’t apply to the new one. But there’s a better way that we can help you – the customer.
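To make the difference concrete, here is an added example (not code from Arcus, SecureStorm or AWS) of the kind of control-plane check a cloud-aware tester performs. It reads a security group and an S3 bucket policy in the shapes the EC2 DescribeSecurityGroups and S3 GetBucketPolicy APIs return, and flags ingress rules open to the whole internet on unexpected ports and bucket policy statements that grant access to everyone. Both inputs are constructed sample data, the group ID, bucket name and account number are made up, and the list of expected public ports is an assumption you would set from the scope statement. A port scanner from outside would see port 22 open on the host, but it would not see the IPv6 any-protocol rule if it only scans IPv4, and it would never see the bucket policy at all.

```python
"""Cloud-aware checks that a host-centric port scan cannot see.

Added example, not Arcus, SecureStorm or AWS code. The two inputs below are
constructed to mirror the shapes returned by the AWS APIs (EC2
DescribeSecurityGroups and S3 GetBucketPolicy); on a real account you would
feed the same functions the output of those calls.
"""
import json

# Constructed sample: one security group, in DescribeSecurityGroups shape.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0example",                      # made-up identifier
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                       # "-1" = all protocols, all ports
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Constructed sample: a bucket policy as GetBucketPolicy returns it (a JSON string).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deployer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Assumption: only these ports are meant to be internet-facing; anything else
# open to the world is a finding. Set this from the agreed scope statement.
EXPECTED_PUBLIC_PORTS = {80, 443}


def open_to_world(group):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress
    rule that admits the whole internet outside EXPECTED_PUBLIC_PORTS."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        public = [c for c in cidrs if c in ANYWHERE]
        if not public:
            continue
        proto = rule["IpProtocol"]
        if proto == "-1":                 # all-traffic rules carry no port fields
            lo, hi = 0, 65535
        else:
            lo, hi = rule["FromPort"], rule["ToPort"]
        # A single expected public port (e.g. 443/tcp) is fine; a range or any
        # other port exposed to the world is reported.
        if lo == hi and lo in EXPECTED_PUBLIC_PORTS:
            continue
        for cidr in public:
            findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to any principal
    with no Condition. Principal "*" and {"AWS": "*"} both mean everyone."""
    policy = json.loads(policy_json)
    sids = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal_ids = _as_list(principal.get("AWS", []))
        else:
            principal_ids = _as_list(principal)
        if "*" in principal_ids:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


if __name__ == "__main__":
    for f in open_to_world(SAMPLE_SECURITY_GROUP):
        print("security group %s: %s %s-%s open to %s" % f)
    for sid in public_statements(SAMPLE_BUCKET_POLICY):
        print("bucket policy statement %r grants access to everyone" % sid)
```

Run against the sample data this reports the 22/tcp rule and the IPv6 all-traffic rule, and the `PublicRead` statement; the 443 rule and the database rule restricted to 10.0.0.0/8 are left alone. On a real engagement the same two functions would be fed the output of the corresponding AWS API calls for every security group and bucket in scope, which is why the scope statement has to include read access to the account configuration and not just network reachability to the hosts.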

AWS provides partners with a great number of benefits, not least of which is the quarterly public-sector roundtable where technology and consulting partners that focus on the public sector can get together, discuss new ideas and share capabilities. The AWS partner ecosystem is a hugely valuable resource for connecting organisations that can combine their respective skills and deliver services and outcomes to customers that are greater than the sum of their parts.

At yesterday’s roundtable meeting I had the chance to catch up with Tony Richards, CTO and co-founder of SecureStorm.

SecureStorm is a highly accredited security-focused partner that specialises in security control implementation, validation, assurance and compliance against multiple standards. They also have the accolade of being accredited by the National Cyber Security Centre to provide security services to the UK Government. Most importantly, as an AWS partner they understand cloud technologies: how they work, how they can be secured and how to provide assurance of this.

Combining this technology knowledge with their security expertise and continuous delivery/assurance approach, SecureStorm could be a great partner in providing the necessary assurance that customers need for the infrastructure that we build and manage.

What does this mean for you?

At Arcus we architect, build and run highly secure infrastructure platforms for the UK public sector, but we cannot ‘mark our own homework’ by providing the penetration test service as well.

A good solution, then, is to engage a knowledgeable, AWS-savvy security service and pen test provider that can help you achieve the necessary accreditation.

Using AWS partners further assures you, the customer, that you’re talking to people whom the service provider, AWS, regards as trusted experts and who have the resources and support of AWS behind them. From what we saw yesterday, SecureStorm looks to be just such a partner.