PenTesting meets EAM – nightmare for hackers, rescue for IT

How companies are finally making their IT strategy secure and sustainable with the combination of architecture management and pen testing

Every week, companies are hacked and found to have inadequate IT security. How can the strategic combination of EAM and PenTesting help?

In the never-ending race between protection, precaution and shielding, penetration testing is considered the pinnacle discipline of IT testing. Nevertheless, attackers, as invisible adversaries, are finding it increasingly easy. In our digitalised world, which has become almost completely dependent on the internet since the Covid-19 pandemic, the same questions are asked again and again: How could this happen? Who is responsible? Why did it hit us – and why not the competition? Digital obscurity leaves no traces visible to the eye. More and more companies feel backed into a corner, knowing that the question is not whether they will be hacked, but when. Is there really no way out? Or should the question rather be: How is it that companies keep deploying insecure systems, buggy components and unpatched software that end up being responsible for negative headlines, broken customer trust and loss of market share? (At the time of writing, many companies were affected by the Log4j zero-day vulnerability, Log4Shell.)

Digital Native vs. Digital Naive

We need to understand how long, complicated and analogue the history of many companies is. Today, long-established companies consist of structures that are fragmented by acquisitions, changing product portfolios and historical processes. Internal hygiene measures, one could also say “tidying up”, usually have no direct added value for management. Department heads and divisional managers come and go; the employee who has worked in a division for 30 years and is considered indispensable there is rarely to be found. As a result, the quality of the handover of areas and responsibilities decreases, because everyone is only on board for their environment for a short time and focuses largely on figures, data and facts – i.e. costs and efficiency – because employees in management positions are often simply not rewarded for particularly forward-looking thinking. However, even a top start-up valued at several billion is not automatically in a better position. Whether it is a certain naivety towards digital structures in the long-established company or the digital-native start-up where there is no longer a single piece of paper: as long as speed is rewarded more than thoroughness, even modern companies that may only be a few years old quickly become a case for restructuring. And if it weren’t for external audits by TÜV, BaFin and the like, hardly anyone would notice.

From audit to audit – why documentation is never up to date

Almost every company is subject to some kind of recurring audit, whether for quality according to ISO 9001, for information security according to ISO 27001 or for one of hundreds of industry-specific standards. The aim of standardisation has always been compatibility with and between standards, as well as trust and sustainability. A4 paper, a USB cable or common data formats: everything has its fixed framework and must fit together. So there comes a time in every company when an auditor checks conformity with standards. For around a decade, IT has also been increasingly scrutinised in this context, from end users and their desks to production and external staff. Basic documentation of processes and data flows must also be maintained. Depending on their criticality for public life, companies categorised as critical infrastructure (KRITIS) have to meet even more stringent requirements.

One might think that such recurring audits would automatically lead to proper documentation of processes, IT systems and data flows. The reality is different: in most companies, it is only just before the audit by TÜV, BaFin or the authorities that anyone thinks about taking action here – and this repeats every cycle. In a typical two-to-four-year cycle, the result is a snapshot that is just good enough for the audit and is already outdated after a few weeks. Projects and measures based on this outdated documentation fail or produce results that do not work. Does it have to be like this and stay like this forever?

Breaking the vicious circle – establishing active documentation

Fortunately, many companies have realised that things cannot go on like this. At a time when cyber insurance and avoiding liability for intent and negligence have become board-level issues, methods and tools have been developed that now enable lasting change. Nobody wants to be accused of not having looked closely and to end up with a million-euro lawsuit on their hands.

It starts with doing the right things when planning an operational infrastructure of IT, processes and data. Where the emphasis used to be on standardised, efficient technologies, it is now primarily on risk. IT systems and infrastructures at leading companies are no longer planned solely from a technological perspective, but are also evaluated against security factors such as known CVEs (Common Vulnerabilities and Exposures, the standard identifiers for publicly disclosed security vulnerabilities) and the vendor’s track record in fixing them. Only when a system is not only technically functional but has also been analysed for risks such as availability, security and vulnerability is it approved for operation. At the same time, those responsible ensure that the documentation is kept in systems that allow holistic analysis across various data sources. As a result, the discipline of Enterprise Architecture Management (EAM) has increasingly evolved from pure IT planning and strategy work into a central point for an overall view of IT, risks, capabilities, responsibilities and products. Modern solutions offer open interfaces for integrations so that data is aggregated automatically, or even in real time, rather than manually. In this way, entire simulations of future company structures can be mapped and measured.
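What such a risk-based approval gate can look like in practice, as an added example that is not from the article and not the code of any EAM product: the script below joins a component inventory of the kind an EAM tool holds with a vulnerability feed and decides whether a planned component may be approved, must be upgraded first, or needs a review of the vendor’s patching track record. Every product name, version, vulnerability record, CVE-style identifier and CVSS threshold is constructed for illustration; the identifiers are placeholders, not real CVE entries.

```python
"""Pre-approval risk gate joining an EAM inventory with a vulnerability feed.

Added example, not from the article or any EAM product. All products,
versions, vulnerability records and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str                      # placeholder identifier, not a real CVE
    product: str
    affected_versions: tuple         # exact versions for simplicity
    cvss: float
    published: date
    fixed_in: Optional[str]          # first fixed version, None if no fix yet
    fixed_on: Optional[date]         # date the vendor shipped the fix


@dataclass(frozen=True)
class Component:
    name: str
    product: str
    version: str
    owner: str
    exposure: str                    # "internet" or "internal"


# Constructed vulnerability feed (what an integration would pull automatically).
VULN_FEED = (
    Vulnerability("CVE-0000-0001", "acme-gateway", ("2.1", "2.2"), 9.8,
                  date(2024, 1, 10), "2.3", date(2024, 1, 12)),
    Vulnerability("CVE-0000-0002", "acme-gateway", ("2.3",), 5.3,
                  date(2024, 3, 1), None, None),
    Vulnerability("CVE-0000-0003", "zeta-db", ("11.0", "11.1"), 7.5,
                  date(2023, 11, 5), "11.2", date(2024, 2, 20)),
    Vulnerability("CVE-0000-0004", "zeta-db", ("11.2",), 8.1,
                  date(2024, 4, 2), None, None),
)

# Maximum CVSS score tolerated for an unfixed vulnerability, by exposure.
CVSS_LIMIT = {"internet": 7.0, "internal": 9.0}


def matching_vulns(component, feed):
    """Vulnerabilities in the feed that affect exactly this product/version."""
    return [v for v in feed
            if v.product == component.product
            and component.version in v.affected_versions]


def vendor_mean_days_to_fix(product, feed):
    """Vendor track record: mean days from publication to fix, None if no data."""
    deltas = [(v.fixed_on - v.published).days
              for v in feed if v.product == product and v.fixed_on is not None]
    return sum(deltas) / len(deltas) if deltas else None


def assess(component, feed, max_mean_days_to_fix=60):
    """Return the approval decision and the reasons behind it.

    blocked  - planned version is unpatched, or an unfixed vulnerability
               exceeds the CVSS limit for the component's exposure
    review   - no blocker, but the vendor's fix times are slow
    approved - nothing in the feed speaks against the planned version
    """
    if component.exposure not in CVSS_LIMIT:
        raise ValueError(f"unknown exposure class: {component.exposure!r}")
    limit = CVSS_LIMIT[component.exposure]
    reasons = []
    for v in matching_vulns(component, feed):
        if v.fixed_in is not None:
            reasons.append(f"{v.cve_id} (CVSS {v.cvss}) is fixed in {v.fixed_in}; "
                           f"planned version {component.version} is unpatched")
        elif v.cvss >= limit:
            reasons.append(f"{v.cve_id} (CVSS {v.cvss}) has no vendor fix and "
                           f"exceeds the {component.exposure} limit of {limit}")
    decision = "blocked" if reasons else "approved"
    mean_fix = vendor_mean_days_to_fix(component.product, feed)
    if decision == "approved" and mean_fix is not None and mean_fix > max_mean_days_to_fix:
        decision = "review"
        reasons.append(f"vendor track record: mean {mean_fix:.0f} days to fix "
                       f"exceeds {max_mean_days_to_fix}")
    return {"component": component.name, "owner": component.owner,
            "decision": decision, "reasons": reasons}


if __name__ == "__main__":
    planned = [  # constructed inventory rows
        Component("edge-gw", "acme-gateway", "2.2", "platform", "internet"),
        Component("edge-gw-next", "acme-gateway", "2.3", "platform", "internet"),
        Component("crm-db", "zeta-db", "11.2", "sales-it", "internal"),
        Component("portal-db", "zeta-db", "11.2", "web-it", "internet"),
    ]
    for c in planned:
        r = assess(c, VULN_FEED)
        print(f"{r['component']:<14} {r['decision']:<9} owner={r['owner']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

The gate is deliberately strict in one direction: a component whose planned version is affected by a vulnerability the vendor has already fixed is blocked regardless of score, because that is exactly the unpatched software the article complains about. An unfixed vulnerability is weighed against the exposure class instead, and a slow vendor does not block but forces a human decision.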

Maximum security: EAM meets IT security and pentesting

So what does a company that is hard to break into look like? Which areas need to interact optimally? Including IT security in EAM is already standard in many companies. Whereas 10 years ago the focus was on costs, efficiency and avoiding complexity, today the security factor is far more important. This is where the penetration tester comes into play: until recently, they were still seen as “the nice hacker on the right side” and engaged as a recurring tester of security systems; now their work is ideally part of forward-looking planning. Successful organisations use their knowledge, methods and findings to harden planned systems as they are built and to actively manage the risk of every change. Together with IT security, this produces an advantage that can really spoil an attacker’s day: internally and externally tested security, attack techniques paired with the company’s own specialist knowledge, and the continuous improvement that results.

You could almost get the impression that fundamental virtues are being revived amid the ever-increasing complexity of IT, the digital world and corporate structures: forward thinking, a stronger focus on testing security as a functional requirement, more time for planning and sustainable collaboration. Few disciplines now have such an opportunity to become the link between the different parts of the organisation as EAM. Companies that miss this opportunity and end up in the press as the next breach in the coming weeks are often damaged permanently after weeks of production downtime. The combination of penetration testing, process documentation and EAM is therefore the key to reliable planning, efficient operationalisation and a sustainable strategy.

Philipp Schneidenbach is an expert in the fields of Enterprise Architecture, Governance, Risk and Compliance. In his current position at Materna he combines experience from more than 25 years of consulting and line responsibility in various industries and markets. As an author, researcher and speaker he is active in organisations and professional associations including the IEEE, ISACA and MoreThanDigital.
