What Do Nonprofits Need to Know About Penetration Testing?

Nonprofit cybersecurity expert and Community IT CTO Matt Eshleman explains what penetration testing is, why some nonprofits may need it, and why other nonprofits may not, or may not need it until after a basic assessment and vulnerability scanning.

Do you have someone urging you to get expensive pen testing, and you aren’t sure if you really need it, or if it is just checking a box on an insurance form? This podcast should give you more information on what a pen test actually tests, and how to match your investment in cybersecurity to your nonprofit’s risks and needs.

Listen to Podcast

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.

Takeaways on Pen Testing for Nonprofit Cybersecurity

What is penetration testing?

Community IT hopes that we can provide trusted advice and guidelines for nonprofit safety and security. Your cybersecurity risks and needs will be individual to your nonprofit. If you have questions on pen testing, vulnerability scanning, and basic assessments, reach out and schedule a conversation or assessment with Matt.

Presenters

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.
Carolyn Woodard
Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.

She was happy to have this podcast conversation with Matt Eshleman about pen testing for nonprofit cybersecurity.
Ready to get strategic about your IT?

Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.

We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. We don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about recovering from a cybersecurity incident, you shouldn’t have to worry about understanding your provider.

If you have questions about cybersecurity, incident response planning, or business continuity, you can learn more about our approach and client services and contact us here.

We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.

If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript

Carolyn Woodard: Welcome, everyone, to Community IT Innovators Technology Topics Podcast. I’m Carolyn Woodard, your host. And today I am talking with our Chief Technology Officer and cybersecurity guru, Matt Eshleman, about penetration testing. So Matt, would you like to introduce yourself?

Matthew Eshleman: Sure thing. It’s great to be with you. My name is Matthew Eshleman. I’m the Chief Technology Officer here at Community IT. In my role, I’m responsible for setting our cybersecurity strategy and also managing the team that supports the over 8,000 endpoints that we manage for our clients.

Carolyn Woodard: This has come up a couple of different times in different cybersecurity webinars and podcasts. I think what I am hearing is that you could do an assessment and/or you could do penetration testing, and we usually recommend that you do the assessment first.

Matthew Eshleman: Yes, that’s correct, in terms of the priority of when you would do a penetration test versus some other cybersecurity controls.

What I’ve said for quite a long time is that the penetration test really comes last. Because what the penetration test does, in the best of cases, is scan your local network, your on-premise network, identify vulnerabilities that you didn’t realize you had, and then exploit them and demonstrate to you how your network is still insecure.

So that’s in the best of cases: if you still have a traditional on-premise network, maybe you still have a couple of servers in your office, maybe your organization is larger, and you still have an on-prem or even a cloud server environment. Penetration tests are really designed for, and were built up to assess, target, and exploit, those traditional physical server network environments.

And so in the best of cases, the pen test provider will often put an appliance on your network, some sort of customized version of Linux that has all these specialized tools that can scan and exploit and do all this stuff on your local network.

And as a result, they will generate a very thorough report that says, hey, here’s all the things that we did as part of our penetration test. We tried this technique, we tried this, we tried this. We found some credentials, we used those credentials to log into this network share, and then we did a search, and then we found this information, and then we set up a fake DNS server, and then we spoofed somebody’s account, and then we stole your domain account, and now we’re super admins on your network.

So in that case, if you have a big network and you’ve invested a lot in proactive security tools, it can be really helpful to get somebody who’s really focused on breaking into your network to show you what a malicious actor would do. Then you can usually implement some additional controls, maybe tweak some settings, update some different policies to address weaknesses, and you get this really helpful feedback loop where somebody’s actively testing your network.

Pen Testing Organizations Using Cloud Technology Isn’t As Useful

What we’ve found, as organizations have moved to the cloud and become more virtual, is that the traditional pen test just isn’t really relevant anymore.

If you’re an organization where, even if you do have a physical office space that people are coming to, all of your IT services are in the cloud and there is no on-prem server, there’s nothing really to test and to exploit. In those cases, the pen test people still have the same methodology. They will put something local in the network, they’ll try to do some scanning, but there’s nothing really to target.

And in the same way, in most cases they will not pen test or target Office 365 or Google Workspace; they’re not going to try to break into those systems. Because one, it’s futile, and two, there are the rules of engagement for targeting public cloud infrastructure. They don’t want to run afoul of Microsoft or Google for doing nefarious things and get blocked.

So the pen test, as it has traditionally been offered, doesn’t really transition into our new contemporary world where organizations are smaller, they’re virtual, and everything’s in the cloud.

And so, when the pen test requirement shows up, we use the Center for Internet Security Controls as a framework for evaluation. Doing a pen test is recommendation number 18. It’s at the bottom of the list. And you should keep it there, because investing in other areas of IT improvement or cybersecurity controls gives you the most value, and only after you’ve really exhausted all of the improvements and policies and systems to protect your network may you get value from testing it. But it’s really the last thing, the icing, the cherry on top after you’ve done all the other pieces to protect your network.

So that’s why I would advocate for this: spending money investing in your network is really important, but I would save that investment in a pen test until you’ve really done all the other things that are on your remediation roadmap.

Pen Testing Costs and ROI

Carolyn Woodard: I think you talked to me about it once before: if you do the pen test first, it’s just going to show you the things that are missing, which you could have learned in other, less expensive ways.

Matthew Eshleman: Yes. Yeah, exactly. So as part of our assessment methodology, we have two different products, so to speak. We have a core assessment, which we’ve developed. It’s our best practices. It’s really tailored towards small and medium-sized nonprofits. There are eight areas. It’s very tactical, a best practices view: this, this, this, this. How are these things set up and configured? That’s where you could start.

Moving up from there, we have our comprehensive assessment, which we do based off the Center for Internet Security Controls. There are 18 control areas and 153 different controls to look at. Much more extensive.

So that can be a big policy exercise. There are a lot of policy questions that are part of that, in addition to all the questions about, do you have a policy to govern inventory management or your data workflow? Those are all policy questions in the CIS framework.

We also would typically deploy a vulnerability scanning agent to all devices in the network. That is helpful because it can scan the system. Through those vulnerability scans, you can identify, oh, these systems maybe aren’t up to date on patching. Maybe there’s a problem with the current patch mechanism. So we find out, oh, operating system patching on these systems isn’t working as well as it should. Or the vulnerability scanning agent will identify, oh, there’s out-of-date software installed that may be able to be exploited. Or there are open ports on the network. Oh, we see there’s a copier that has an open port, and somebody could log in to the copier and see what people have saved locally.

So all of those things are really helpful from the vulnerability scanning agent perspective. It can identify those weaknesses. In a pen test, they would start with that vulnerability scan and then take the next step to exploit it.

In our assessment, we’re identifying those weaknesses and presenting them.

At the end of the day, you’re probably going to remediate whatever the vulnerability scan reveals. The difference is that in the pen test, they’ll go all the way to say, oh, we found this vulnerability, we exploited it, and we extracted data or demonstrated that we could extract data.

And so it is funny: those extra couple of steps end up being pretty expensive to do, because they do require specialized skill and training. But at the end of the day, from a remediation perspective, if you identify a vulnerability, you’re probably going to remediate it.

Carolyn Woodard: Yeah, that makes sense. And I’m glad you talked about cost, because I think that’s another thing that comes up: pen testing can be very expensive. And just an assessment, or an assessment with the vulnerability scanning, as you were talking about, would generally be less expensive and would show you the same things that you need to correct so that you’re not exposed.

Pen Testing for Nonprofits: Real Needs vs Buzz

Can you talk just a little bit, to wrap up, about why pen testing is such a buzzy word? Why do nonprofits come to us saying, oh, I need pen testing, can you help me set up pen testing? I mean, we’re trying to counteract that a little bit now. But why do nonprofits hear about it and think that they need it?

Matthew Eshleman: I think a lot of it is rooted in these formal cybersecurity control frameworks that are really coming out of government or big enterprise, that say you must do this pen test thing. And so, a little bit, that rolls downhill. For organizations that do have on-prem server infrastructure, I think it still is a helpful and relevant service to pursue.

I think the problem is that the pen test shows up as a recommendation: you must do a pen test. And so everybody says, okay, so you just do a pen test to check the box, so to speak. But, as I said, if you’re an organization that’s all virtual, that’s all in the cloud, there’s nothing to test that you can really get value out of.

And so what we are seeing is that some of these security vendors have pivoted a little bit, so they will offer a configuration review. They will look at your Google environment or your Microsoft environment or your Okta, and say, here’s the best practices configuration, here’s what you should have, here’s what you do have, and here’s the gap. I think those configuration reviews can be helpful. Again, they probably end up being a little bit less expensive.

I think the other thing that is appealing about the pen test is that it taps into our desire for this idea that we need the super secret, super sophisticated assessment of our network. It looks cool, they use the command line with green font, and it feels very, I don’t know, hackery. It has some mystique about it.

And I think because of the mystique, it can command a big price, because it can be sophisticated. It’s not really clear what’s going on or how they’re doing it. And so the price ends up being really high, because it’s hard to distinguish one offering from another. I think there’s a premium that gets charged for those pen tests.

And again, I think it does tap into our desire to, oh, validate that fear that there are these hackers out there that are trying to get us. And so, okay, now we have a report that we paid somebody to do for us that validates that fear.

Carolyn Woodard: We can say we did everything. We had someone actually break into our network and now we know how they would do it. That makes sense.

Cyber Liability Insurance for Nonprofits

Is it also cyber liability insurance? Do they sometimes have that on a checklist? And do we really need to do that?

Matthew Eshleman: So I think we’re starting to see that. On cyber liability insurance forms, I’m not seeing that as a required control on every application. For some, there are certainly requirements, probably depending on the size of your organization as well. I think that also drives it.

I think the insurance companies are really driven by their actuarial data to say, okay, what are the factors that contribute to risk for organizations? And if you have on-prem server infrastructure with files and everything, you’re at a much higher risk for those ransomware attacks that cost money and are expensive to remediate. So that probably drives it in those cases.

Again, if you are in conversations with your insurance broker and you say, hey, we’re all in the cloud and we’re using 2FA, then that’s all a lot easier to protect against.

Carolyn Woodard: So I guess to wrap it up, we would say: if you are in a situation where you know what your cybersecurity status is, you have on-premises equipment, servers that you need to be protecting, which is often the case if you’re in a larger organization, so you are aware of what your cybersecurity needs are, and you can afford it, pen testing might be a good way to finish off a review.

But if you are not aware of your cybersecurity status, you are all in the cloud, maybe you’re starting a cybersecurity journey. You want to know what you have, what you need to upgrade, what you need to change to protect yourself better. Start with an assessment.

Matthew Eshleman: Yeah. Yeah. I mean, the assessment is going to be more comprehensive and probably more targeted towards providing a more practical and developed road map. The pen test is going to be very specific. It’s going to be very technical. I think it just provides a slice or a window into the network that, again, is very technical.

From a pure risk perspective, the most likely scenario that organizations are going to face is that somebody gets a malicious email that they click on and they give their password away, or the credentials get stolen, or they’re socially engineered out of credentials or bank information or gift cards. That’s the most likely thing that’s going to happen for most organizations.

And a pen test doesn’t address any of those things. It’s about what changes you need to make to your physical network infrastructure to make it harder for a hacker to target. And those things happen, for sure.

But at Community IT, knock on wood, or as a result of the networks we support and the product of our nature, we haven’t had a ransomware case in our client environment for, I don’t know, six or eight years. It’s a long time. But we definitely have compromised accounts regularly. And so we need to invest where the risk is.

Carolyn Woodard: To choose your battles.

Matthew Eshleman: Yeah. Yeah. Because there’s no shortage of things to spend money on. And I’m not against spending money on cybersecurity solutions, but you’ve got to make smart investments with the limited IT resources that you have. And a pen test, again, can be a really helpful tool after you’ve invested in all the other areas.

Carolyn Woodard: It can add value. We don’t want to say it doesn’t have value. It has a lot of value, but you want to match that to your needs.

Matthew Eshleman: Exactly.

Carolyn Woodard: Well, thank you, Matt, so much for explaining it to us. That was very, very helpful. Thank you.

Matthew Eshleman: You’re welcome.

Photo by Calvin Ma on Unsplash