The growing compliance landscape
In recent years, the number of standards and regulations that organizations have to demonstrate compliance with has exploded. Previously, organizations have mainly needed to comply with industry-focused regulations (HIPAA, SOX and so on) or ones designed to protect certain types of sensitive information (like PCI-DSS and payment card information).
Recently, governments have been passing data privacy regulations and forcing organizations to take notice. The EU’s General Data Protection Regulation (GDPR) is an example of this. Under GDPR, any organization that is storing personally identifiable information (PII) of European citizens must be operating under a data protection policy functionally equivalent to GDPR, either at the company or national level. The scope of the GDPR and the much wider definition of what is considered protected PII caused a bit of a panic as organizations around the world tried to bring their policies into compliance.
The GDPR is far from the only privacy regulation in place. The California Consumer Privacy Act (CCPA) is one of the more famous regulations, but many other U.S. states have been passing individual laws in the absence of a national regulation. As a result, organizations may be required to demonstrate compliance with a large number of different regulations.
Designing the pentest
One commonality between many of these regulations is a requirement for organizations to perform regular testing to ensure that their current protections are adequate for protecting the customer data entrusted to them. While many of the requirements are for a penetration test, a Red Team assessment can provide a more accurate measure of an organization’s ability to adequately protect sensitive data.
As a result, a Red Team may be called upon to perform an assessment that is geared toward demonstrating an organization’s compliance with the regulation or identifying gaps that would need to be corrected before the organization needs to take a compliance audit.
A penetration test for compliance is performed slightly differently from a general Red Team exercise. The Red Team needs to balance the need to address key points with the need to not be restricted to a checklist.
Addressing key points
When performing a Red Team assessment for compliance, the Red Team must be familiar with the regulations that the organization needs to be tested against. The customer should be familiar with any appropriate regulations, and the Red Team and customer should agree on the target(s) of the assessment.
In many cases, performing a Red Team assessment for compliance with a regulation requires a deep knowledge of the applicable regulation. In some cases, regulations are phrased in general terms, but auditors will be looking for specific security controls designed to achieve these goals. For example, “appropriate protection of data at rest” points to the need of encrypting data at rest, monitoring access to sensitive data and properly managing encryption keys.
When testing against a particular regulation, the Red Team should determine the security controls that an organization should have put in place and design tests that can determine if the security controls are successful. This could result in a very focused assessment where the Red Team mainly tries to break relevant security controls.
Beyond the checklist
However, Red Team assessments should not become an exercise where the Red Team runs through a checklist similar to the compliance audit procedures. In many cases, testing for compliance becomes an exercise where the Red Team “checks the box” rather than actually testing for security.
When designing the Red Team engagement and negotiating with the client, it is much better to agree on a Red Team assessment with a mapping to relevant regulations and standards than sticking to testing against a particular regulation. This gives the Red Team more latitude to operate and results in a better product for the customer.
Reporting for compliance
In general, a Red Team report for a compliance-focused Red Team assessment has very few differences from one for a more general report. The main differences between the different reports are the focus on tying discoveries to the need to implement certain security controls for compliance and the pressure on the organization to implement necessary mitigations.
Tie vulnerabilities to compliance
Describing discovered vulnerabilities is a core component of a Red Team report. In general, these are primarily organized by the severity of the issue and maybe location.
With a compliance-focused assessment, the Red Team should tie identified vulnerabilities directly to the requirements described in the relevant regulation or standard. This helps the customer prioritize the actions necessary for achieving compliance and provides them with an overall impression of their current level of compliance with a given regulation.
Provide actionable recommendations
The goal of a compliance-focused Red Team assessment is for the customer to be able to achieve compliance before it is necessary for the organization to undergo a compliance audit. If the customer waited until the last minute to perform the assessment, they may have days or weeks to implement any necessary security controls.
By providing clear recommendations on how the customer can modify their current cybersecurity posture to meet regulations, the Red Team helps the organization to become compliant as quickly as possible.
Include PoC code for testing
Providing the data or code necessary for testing patches is a common practice in Red Team reports. This allows the customer to replicate the vulnerability and helps with the development and testing of possible solutions to the problem.
When testing for compliance, the customer likely has a shorter timeline for fixing issues than with a traditional assessment. The more information that a Red Team can provide regarding how to exploit an identified vulnerability, the easier it will be for the organization to deploy an effective solution to the problem.
Conclusion: Red Team for compliance
Many regulations and standards call for regular penetration testing to ensure compliance, and a Red Team assessment is even better. When performing a Red Team assessment for compliance, it is important to keep the specific requirements of the regulation in mind throughout the assessment and ensure that the assessment doesn’t compromise security for the sake of checking the box.
- Article 32, EU GDPR, PrivazyPlan
- Information Supplement: Penetration Testing Guidance, PCI Security Standards Council
- A red teaming approach to PCI-DSS, Nettitude