NCSC Shares Tips on How to Make a Pen Tester’s Job Harder

Secure-by-design systems, segmented networks, and logging and monitoring are among the best ways to defeat cyber adversaries, according to penetration testers.

That is according to the National Cyber Security Centre (NCSC), which explained in a blog post published on July 1, that it asked a group of pen testers it works with: “What can organizations do to make your job harder?”

Their responses could help security teams to improve the resilience of their systems to compromise.

The pen testers quizzed by the NCSC said secure-by-design systems are a must: they make attacks harder to carry out in the first place, and when a vulnerability is discovered it is easier to remediate.

According to the NCSC, secure by design means:

  • Using threat modelling during the development process
  • Mandating strong authentication (phishing-resistant multi-factor authentication) for privileged users, enabled by default so that it is opt-out rather than opt-in
  • Changing default passwords in tools
  • Validating input data as early as possible, and handling errors in a clear and secure way
  • Securely storing credentials and avoiding hard-coded credentials in the software
  • Protecting sensitive data at rest and in transit, if there’s a risk of unauthorized access
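The following is an added example, not code from the NCSC post or this article, showing what several of those points look like in a small request handler: a "before" version with a hard-coded default credential and an error path that echoes internal detail back to the caller, beside an "after" version that loads the credential from the environment, validates input before anything else touches it, and returns generic errors. The function names, the field names and the `APP_API_TOKEN` variable are assumptions made for the illustration.

```python
"""Added example (not from the NCSC post or the article): one lookup handler
written twice, first the way a pen tester hopes to find it, then following the
secure-by-design points above. Names are assumptions for illustration."""
import os
import re
import secrets
from dataclasses import dataclass
from typing import Mapping, Optional

# --- "Before": what a pen tester hopes to find --------------------------------
API_TOKEN_WEAK = "admin:admin123"  # hard-coded default credential in source


def lookup_user_weak(db: dict, username: object) -> str:
    """No validation, and the exception text (with the raw input) goes to the caller."""
    try:
        return db[username]["email"]
    except Exception as e:  # noqa: BLE001 - deliberately sloppy
        return f"error: {e!r} while looking up {username!r}"


# --- "After": secure-by-design version ---------------------------------------
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


@dataclass
class Result:
    ok: bool
    value: Optional[str] = None
    error: Optional[str] = None  # short, generic, safe to show to the caller


def load_api_token(env: Optional[Mapping[str, str]] = None) -> str:
    """Credential comes from the environment (or a secrets manager), never from source.

    Refuses to start rather than falling back to a built-in default."""
    env = os.environ if env is None else env
    token = env.get("APP_API_TOKEN")
    if not token:
        raise RuntimeError("APP_API_TOKEN is not set; refusing to start with a default")
    return token


def validate_username(raw: object) -> Optional[str]:
    """Validate as early as possible: type, length and character set, before any lookup."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        return None
    return raw


def check_token(presented: str, expected: str) -> bool:
    # Constant-time comparison so response timing does not leak the token byte by byte.
    return secrets.compare_digest(presented.encode(), expected.encode())


def lookup_user(db: dict, raw_username: object, presented_token: str, expected_token: str) -> Result:
    """Authenticate, then validate, then touch data; every failure returns a generic error."""
    if not check_token(presented_token, expected_token):
        return Result(ok=False, error="unauthorised")
    username = validate_username(raw_username)
    if username is None:
        return Result(ok=False, error="invalid username")
    record = db.get(username)
    if record is None or "email" not in record:
        # Same short message whether the account is missing or malformed: no detail leaks.
        return Result(ok=False, error="not found")
    return Result(ok=True, value=record["email"])


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    users = {"alice": {"email": "alice@example.test"}}
    print(lookup_user_weak(users, "bob"))                       # leaks KeyError('bob') and the input
    print(lookup_user(users, "bob", "tok", "tok"))              # Result(ok=False, error='not found')
    print(lookup_user(users, "../etc/passwd", "tok", "tok"))    # rejected before any lookup
    print(lookup_user(users, "alice", "tok", "tok"))            # Result(ok=True, value='alice@example.test')
```

The "after" version orders its checks deliberately: authentication first, input validation second, data access last, so a request from an unauthenticated caller never reaches the parts of the code that could fail in an informative way.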

Segmenting and Logging

Pen testers also hate network segmentation, which can be achieved through high-level network design, the use of VLANs or firewalls, or by managing users and groups so that separate accounts are used for different areas of the network.

OT systems should be separated from IT networks, to prevent lateral movement and avoid loss of availability.

“Segmentation is not just about separating IT from OT; it is about controlling what crosses that boundary. Cross-domain thinking helps define zones of trust and tightly manage data flows between them,” the NCSC continued.

“Secure OT connectivity should minimize exposed connections, standardize access routes, and harden boundaries, while privileged access workstations (PAWs) provide trusted devices for privileged administration, reducing shortcuts and making lateral movement harder.”

Finally, good quality logging, monitoring and investigation makes a pen tester’s (and therefore a malicious hacker’s) job harder.

“We can’t stress enough that even the best logging and monitoring capability is useless unless an organization collects the right data, and responds to that data in the right way,” the NCSC concluded. “Make sure that alerts are properly investigated, and that incident response plans are built, regularly communicated, and exercised with your teams.”
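To make the "right data" point concrete, here is an added example that is not part of the NCSC post or this article: a small detection run over constructed sshd-style log lines. It only works because the log carries the fields the detection needs (timestamp, source address, account and outcome), and it turns those fields into an alert that someone then has to investigate. The log format, thresholds and addresses are assumptions made for the illustration.

```python
"""Added example (not from the NCSC post or the article): a detection over
constructed sshd-style log lines. Log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run from one host that ends in a
# successful login, an ordinary user who mistyped once, and one line the
# parser does not understand.
SAMPLE_LOG = """\
2024-07-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-07-01T09:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-07-01T09:00:04 sshd[1203]: Failed password for backup from 203.0.113.7 port 51024 ssh2
2024-07-01T09:00:06 sshd[1204]: Failed password for backup from 203.0.113.7 port 51025 ssh2
2024-07-01T09:00:08 sshd[1205]: Failed password for backup from 203.0.113.7 port 51026 ssh2
2024-07-01T09:00:11 sshd[1206]: Accepted password for backup from 203.0.113.7 port 51027 ssh2
2024-07-01T09:05:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-07-01T09:05:20 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
2024-07-01T09:06:00 sshd[1400]: Connection closed by 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Extract the fields the detection needs; None for lines it cannot use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["outcome"] == "Accepted",
        "method": m["method"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source logs >= threshold failures inside `window` and then succeeds.

    Returns (alerts, unparsed_count); a rising unparsed count means the log
    format changed and the detection is silently blind, which is itself
    something to investigate."""
    failures = defaultdict(list)  # source address -> timestamps of failed logins
    alerts = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if not ev["ok"]:
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "method": ev["method"],
                "failures": len(recent),
                "at": ev["ts"].isoformat(),
            })
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = detect_bruteforce_success(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"ALERT {a['at']} {a['src']} -> {a['user']} after {a['failures']} failures ({a['method']})")
    print(f"{skipped} line(s) not parsed")
```

The thresholds are deliberately simple; the point is that the alert carries the source, the account and the method, which is what an analyst needs to start an investigation, and that the detection reports how much of the log it could not read rather than quietly ignoring it.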
