Penetration Testing Services and the National Cybersecurity Strategy

Penetration Testing and the National Cybersecurity Strategy

The rapid evolution of the digital world demands fundamental shifts in how the United States allocates roles, responsibilities, and resources with respect to cyber security, and penetration testing is a key part of this shift. To address complex cybersecurity threats, on March 2nd, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy, which focuses on two key philosophies: rebalancing responsibilities and realigning incentives.

The five pillars.

Rebalancing responsibilities means shifting the burden of cybersecurity away from small businesses, individuals, and local governments and onto organizations that have the resources to manage cybersecurity risk effectively. Realigning incentives means changing existing incentives so that they encourage long-term investment in cybersecurity, while striking a balance between defending infrastructure and detecting and responding to incidents effectively.

As part of the approach outlined in the National Cybersecurity Strategy, collaboration around five pillars will be built and enhanced, including defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals. Penetration testing services will be a critical component to the success of this strategy.

How does penetration testing come into play?

Penetration testing services provide a method for evaluating the security of computer systems, networks, or web applications by simulating an attack from a malicious threat actor. By conducting penetration testing, organizations can identify vulnerabilities and take action to mitigate them before they are exploited to impact the confidentiality, integrity, and availability of critical systems and data.

To identify and address the vulnerabilities that matter, penetration testing services must simulate a realistic level of threat by using the same or similar Tactics, Techniques, and Procedures (TTPs) as modern threat actors. Penetration testing services that rely on commercial off-the-shelf (COTS) tools such as automated vulnerability scanners are not always suitable for testing critical infrastructure, because those systems can be fragile and sensitive to the traffic such tools generate.

Discover more than just vulnerabilities.

Realistic threat penetration testing is a more advanced tier of penetration testing service that leverages the same or similar TTPs as real-world threat actors. These advanced services do not depend on automated vulnerability scanning, although scanners can be used where appropriate to increase efficiency and provide coverage for easy-to-find vulnerabilities. When testing critical infrastructure or other sensitive targets, realistic threat penetration testing is recommended because it carries a low risk of causing outages or damage.

Moreover, traditional penetration testing services identify vulnerabilities, while realistic threat penetration testing services identify vulnerabilities and paths to compromise. A path to compromise is a path available to a malicious attacker to breach an infrastructure, then access and exfiltrate (or manipulate) sensitive data. Organizations that know their paths to compromise can build effective, efficient, and targeted defenses, whereas organizations that don’t are often flying blind.

In conclusion, the National Cybersecurity Strategy sets out a path to address complex threats and secure the promise of our digital future. As part of its approach, the Strategy seeks to build and enhance collaboration around five pillars, including defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals. Penetration testing is a critical tool that can help the Biden Administration achieve these objectives and secure the full benefits of a safe and secure digital ecosystem for all Americans.
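The discussion of paths to compromise above can be made concrete with a small attack-path model. The following is an added example written for this article, not Netragard's code or method: it models a hypothetical, constructed environment as a graph in which each edge is a finding that lets an attacker move from one asset to the next, enumerates every path from the internet to sensitive data, and then identifies the chokepoint assets and the findings that appear on the most paths, which is where a defender gets the most value from a fix. All asset names and findings are invented for illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# An edge is (from_asset, to_asset, finding): the finding is what makes the hop possible.
Edge = Tuple[str, str, str]

# Constructed, hypothetical findings from an imaginary engagement (not real data).
SAMPLE_FINDINGS: List[Edge] = [
    ("internet", "web-app", "outdated web framework"),
    ("internet", "vpn-gw", "weak VPN credentials"),
    ("web-app", "app-server", "hard-coded service account"),
    ("vpn-gw", "workstation", "flat network, no segmentation"),
    ("workstation", "app-server", "reused local admin password"),
    ("app-server", "db-server", "database reachable with default credentials"),
    ("db-server", "sensitive-data", "customer records stored unencrypted"),
]


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: asset -> [(next_asset, finding), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, finding in edges:
        graph[src].append((dst, finding))
    return graph


def enumerate_paths(edges: List[Edge], start: str, goal: str) -> List[List[Tuple[str, str]]]:
    """Return every simple path from start to goal as a list of (asset_reached, finding_used) hops."""
    graph = build_graph(edges)
    paths: List[List[Tuple[str, str]]] = []

    def walk(node: str, visited: set, hops: List[Tuple[str, str]]) -> None:
        if node == goal:
            paths.append(list(hops))
            return
        for nxt, finding in graph.get(node, []):
            if nxt in visited:  # keep paths simple: never revisit an asset
                continue
            visited.add(nxt)
            hops.append((nxt, finding))
            walk(nxt, visited, hops)
            hops.pop()
            visited.remove(nxt)

    walk(start, {start}, [])
    return paths


def chokepoints(edges: List[Edge], start: str, goal: str) -> List[str]:
    """Assets (other than start and goal) that lie on every path; hardening one cuts all paths."""
    paths = enumerate_paths(edges, start, goal)
    if not paths:
        return []
    common = set.intersection(*(set(asset for asset, _ in path) for path in paths))
    common.discard(goal)
    return sorted(common)


def rank_findings(edges: List[Edge], start: str, goal: str) -> List[Tuple[str, int]]:
    """Findings ordered by how many distinct paths to compromise they enable."""
    counts: Counter = Counter()
    for path in enumerate_paths(edges, start, goal):
        for _, finding in path:
            counts[finding] += 1
    return counts.most_common()


if __name__ == "__main__":
    for path in enumerate_paths(SAMPLE_FINDINGS, "internet", "sensitive-data"):
        print(" -> ".join(["internet"] + [asset for asset, _ in path]))
    print("chokepoints:", chokepoints(SAMPLE_FINDINGS, "internet", "sensitive-data"))
    for finding, n in rank_findings(SAMPLE_FINDINGS, "internet", "sensitive-data"):
        print(f"{n} path(s): {finding}")
```

In the constructed environment there are two paths to the sensitive data, and both cross the application server and the database server, so remediating the default database credentials or the unencrypted records closes every path at once, whereas fixing the web framework alone leaves the VPN route open. That is the kind of targeted decision the article says a list of vulnerabilities without paths cannot support.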

Need help with your penetration testing needs? Contact Netragard Today.

Karen Huggins

Chief Financial, HR and Admin Officer

Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources and administration functions. She also provides project management support to Netragard’s operations and overall strategy.

Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg as Financial Advisor to the Global CIO of Investor Services, and spent several years managing the Financial Risk team, developing and implementing new processes in line with regulatory requirements around supplier services and costs and minimizing residual risk to the organization.

With over 20 years of experience in finance at global organizations, she brings a new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration from ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer

Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg, where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector, including security assessments of large and complex infrastructures and penetration testing of data and voice networks, operating systems, middleware and web applications in Europe, the US and the Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. Working with a heterogeneous network of over 100,000 users across the world under strict regulatory requirements, Philippe gained hands-on experience with a range of security technologies (VPN, network and application firewalls, IDS, IPS, host intrusion prevention, etc.).

Philippe actively participates in the information security community. He has discovered and published several security vulnerabilities in leading products from vendors such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessor (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC) and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer

Adriel T. Desautels has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc., which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research, which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zero-day Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under, Netragard.

In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect of Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program, and continues to be an advocate for ethical 0-day research, use and sales.

Adriel is frequently interviewed as a subject matter expert by media outlets including Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote speaker or panelist at events such as Black Hat USA, InfoSec World, VICELAND Cyberwar, BSides, and the NAW Billion Dollar CIO Roundtable.