How Penetration Testing Helps Agencies Spot Overlooked Cyber Threats
Security officials said the “ethical hacking” practice has been critical in helping them identify unseen risks.

Penetration testing—allowing trusted sources to simulate cyberattacks to assess computer network and system security—is proving to be a vital practice that helps agencies identify risks before bad actors can exploit them, federal security officials said Thursday.

“Really critically and importantly, what [penetration testing] has done is given us a much better sense of what are the things we need to focus on and where are the control areas that we really have weaknesses,” Adrian Monza, cyber defense branch chief at the Homeland Security Department’s U.S. Citizenship and Immigration Services, said at a GovernmentCIO cyber forum in Arlington, Va.

Monza explained that he has a number of penetration testers on his team, whom he fondly refers to as his internal hackers. They work across a variety of the agency’s systems, and Monza said the creativity they bring to recognizing risk has helped insiders find threats that had never been identified before.

“I will tell you that the results that we have seen from that have been just illuminating,” Monza said. 

He added that USCIS has also conducted penetration tests on the particular types of IoT equipment the agency uses. Monza said the testers have already identified serious vulnerabilities in that hardware, which they “responsibly disclosed” to the manufacturers.

The vulnerabilities were quickly and efficiently resolved.

“It’s a good example of how penetration testing can really make you substantially more secure,” he said. 

Wanda Jones-Heath, chief information security officer for the Air Force, highlighted how her service is also using penetration tests. She said her acting chief information officer, Bill Marion, is forward-thinking when it comes to addressing threats and, importantly, is willing to accept risk when implementing modernization or cybersecurity practices.

“He is not risk-averse—he is trying to ensure that we are doing things smartly. The old ways are just not producing what we want to,” she said. “We found that in the paperwork, or when you go through the traditional process with risk management, it's just not catching all the vulnerabilities that we know are out there.”

Jones-Heath said that now that the service has conducted penetration testing on its critical assets and spotted the bugs and vulnerabilities in those systems, officials are shifting the focus to targets across its various programs.

“We begin with modernizing, then perhaps we can ensure that we are catching those vulnerabilities and closing those doors,” she said. 

But the Federal Bureau of Investigation’s Senior IT Security Advisor Manuel Castillo said that in his two decades of experience he has seen far too many instances in which officials instituted the tests and identified serious vulnerabilities, but then did nothing to actually mitigate them.

“So if you are going to do it—fix it,” he said.