CAVEAT: The views and opinions expressed in this essay are solely those of the author, and may not necessarily be the views and opinions of all CyberPoint owners or employees; but they SHOULD be!
"If the minimum weren't good enough, it wouldn't be the minimum."
It's not just a rationalization of laziness. It's often the correct approach to compliance with externally mandated cyber security requirements.
We've learned a lot of lessons at CyberPoint regarding The Minimum in competing for and executing cyber assessments and cyber penetration tests.
The Early Days: Technology Focus.
In the early days, we jumped on the chance to respond with a proposal to anyone who needed assessments and pen tests. Our elite team of serious world-class experts wanted to do it "right" — to deliver the kind of real value that only true technical experts could.
We would plan to scour and analyze as-is network diagrams, agree to detailed Rules of Engagement appropriate for stealthy, sophisticated red team attacks before engaging, and then use powerful custom tools for network discovery (to find just how inevitably wrong those network diagrams were), vulnerability discovery, and selected benign proofs of exploitability, sourced from both outside and inside the customer network. We'd firm-price bid an 8-hour day, and plan to work 16. After the tests, our experts planned a comprehensive report to identify risks, and to discern and document a prioritized list of specific remediation activities to reduce risk consistent with the customer's available resources. Etc. Wow! We even gave sanitized versions of previous engagement documents to exemplify the great results they could expect.
Alas, more often than not, when the motivation was compliance, the potential customer bought what they could afford, that which met the threshold of compliance: The Minimum.
What's The Minimum? It's the industry de facto standard: a simple scan of the network using a commodity tool, searching for unidentified computing objects and published Common Vulnerabilities that are exposed when patches and versions aren't up to date. That simple scan is done, competently, by a newly-minted technician with a fresh "Certified Ethical Hacker" certificate earned after a full week of experience at an industry boot camp. The report is timely, as it pops right out of the commodity tool at the press of a button. There! Poof! Done!
We learned that the customer who needs to do assessments and pen tests to meet compliance requirements genuinely cares about the covered corporate assets, and would like the kind of thorough analysis, discovery, assessment, and risk-based prioritized remediation activities provided by serious experts. But at 2X or 3X the price of The Minimum, budget pressures dictate purchasing The Minimum. The Minimum. Cheap, quick, check the compliance box and move on.
Lesson Learned: A Mission Focus — Protecting What's Invaluable to You — Might Just Be The Minimum!
We learned that The Minimum is not all that bad. For many organizations, The Minimum reveals serious issues that can be fixed at relatively low cost. When you're first deploying cyber security, or being as frugal as possible, The Minimum helps identify the low-hanging fruit with tasty payoff, greatly enhancing the protection of what's invaluable to you.
And for some organizations, an untimely finding of cyber risks beyond The Minimum is not necessarily a good thing.
If you've been hacked just before closing the deal to sell your company, and need to assess and remediate that specific risk, you may not want a laundry list of all the other vulnerabilities to future, more sophisticated attacks that you'd have to disclose to your potential buyer. (Buyer beware: sold "as-is!")
If your regulatory environment is fraught with ill-definition or uncertainty, or you have potentially litigious shareholders, you don't want deep, documented insights into niche vulnerabilities that you might be forced to pay scarce dollars to fix as part of the "due diligence" needed to prevent a future lawsuit.
Those organizations are protecting their invaluable resources from going down high-visibility, Chicken Little "The Sky is Falling!" low-value drains.
Beyond The Minimum
When do you go beyond commodity services, The Minimum, to the application of the art of cyber security by proven experts?
You seriously want to test your networks against the kind and level of threat that comes from sophisticated, determined adversaries, the Advanced Persistent Threat (APT). For you, The Minimum isn't good enough — you need true cyber security experts who'll dig deep, and you know your internal cyber security operations team will significantly benefit from the deep insights and prioritized, actionable recommendations that result.
You understand your risk tolerance, have assets (monetary, operations, reputation) that are invaluable and demand protection, and want to apply a sound, quantitative management approach to deciding how much to spend on cyber security remediation, and where to spend it.
You're thinking of acquiring another firm and you want to seriously assess their current cyber security posture, so you can evaluate the associated risks and potential hidden future costs of operating and integrating the acquired cyber infrastructure.
Or you lived at The Minimum, kept your versions and patches up to date, but still got pwned by the APT bad guys. Now you want a serious upgrade in your cyber security posture.
That's when you call CyberPoint, when it's time to do it "right."
That's when you want the best of the good guys on your team. Forget the pushbutton tenderfoot greenhorn cyber-cowboys, and call in the pros: experienced, expert, efficient — certified and proven not by a Saturday morning test of commodity knowledge, but through years of blood, sweat, and winning in cyber network operations.