Five things any business owner should know about penetration testing

March 17, 2010

Penetration testing is part mystique, part business tool. Tell people at the local watering hole that you are an ethical hacker, and that you hack networks at their owner’s request to identify security vulnerabilities and assist them with remediation, and they start looking at you funny. Go ahead, try it sometime. It’s fun. You’ll also notice that they never quite hear the word “ethical” on the first try!

But beyond this, a penetration test is a very useful business tool, yet there are still many misunderstandings about it. So without further ado, let’s quickly review the five things that any business owner should know about penetration testing.

1. What is a penetration test?

A pen test is a business tool through which you can evaluate the point-in-time security posture of a target host or environment. In plain English, it means that you can determine how secure a computer or a network would be against a malicious hacker’s attacks. Because the pen tester uses real-world tools and tactics against the target scope, the test replicates what real attacks would put your network through and provides realistic and valuable findings.

2. Not all pen tests are created equal.

A pen test is only as valuable as the experience of the pen tester who conducts it. While there are many script kiddies out there – i.e. malicious hackers who use ready-made tools they downloaded from the Internet with little understanding of what they do or how they do it – there are also very powerful and knowledgeable hackers whose techniques, dedication, skills and intelligence are remarkable. For the pen test to have any meaning, and therefore any business value, you want to make sure that the pen tester is someone whose talents and skills in the trade are well documented.

A “bad pen test” with results that shouldn’t be trusted is probably more dangerous to an organization than no pen test at all!

Another important difference between pen tests in terms of value resides in the quality and usefulness of the deliverables. Simply put, the report with which you are presented should be a useful business tool. Make sure that it addresses all the relevant audiences in your organization, that it is not an unwieldy 100-pound, 1000-page behemoth and that it contains actionable remediation information.

3. How often should penetration tests be conducted?

The short answer: at least once a year, you should have both an internal and an external penetration test done.

Note that many organizations fall under different mandates, some at the state and/or federal level, others at the commercial level, that may dictate the actual regularity of when penetration tests should be conducted.

The reasonable, cost-effective solution seems to be to have one full-out pen test a year, followed by a smaller test 6 months later to verify that the remediation activities that took place after the large test were successfully carried out.

4. What are the different types of penetration tests?

A quick overview would single out the following types:

a. External Pen Test: because some of your computers are directly facing the Internet, they can be accessed both legitimately and maliciously from anywhere in the world, and are therefore at greater risk than the computers that reside in your internal network. Typically, an external pen test will target your firewall(s), your web and mail servers, maybe a remote access server such as a VPN concentrator, etc. The idea here is that anyone, anywhere can at any time probe these servers to determine whether they are plagued by vulnerabilities and can be taken over. If such vulnerabilities exist, you need to be aware of them as fast as possible so that you can proceed with appropriate remediation to remove the risk these vulnerabilities represent to your business.

b. Internal Pen Test: the FBI famously published statistics several years ago that showed that around 80% of all hacking attacks originated from inside companies, not outside. With that in mind, it’s important to make sure that those computers that are critical to the business are tested regularly.

c. Application Test: an app test is a security test that targets an application or program. The idea is to make sure that the data is always protected, whether it is at rest, in transit or being processed, that unauthorized users can’t get access to the data, and that authorized users cannot gain more access to the application and the data it contains than their security profile should allow.

d. Vulnerability Assessment: a VA is basically a pen test with a reduced scope. Indeed, the very first stage of a pen test includes all of the activities that make up a VA. The large difference is that the vulnerabilities identified in a VA are not tested (exploitation is never attempted to confirm them), and therefore the report created to sum up the findings may include false positives. Note that because a VA takes a lot less time to conduct than a pen test, it also tends to be a lot less expensive – but it provides less value.

5. What business value can I expect to derive from a penetration test?

There are several answers to this question – and they may not all be pertinent to all organizations.

a. Compliance: simply put, many organizations are mandated to have pen tests done every year.

b. Peace of mind: assets critical to your business should be tested. It allows you to stop worrying about being front-page news as the next victim of a data breach.

c. Due diligence: if a breach does occur despite your best efforts, it is always productive to be able to show due diligence! Proving that reasonable efforts had been made prior to a hacking event always lowers the cost of dealing with the breach – and may also lower the actual loss of goodwill and reputation to the business.

d. Legal liability: your clients trust you with their information. If this information falls into the wrong hands, especially because of a data breach, you can expect lawsuits to be filed against your organization. As noted above, being able to demonstrate due diligence and reasonable security measures is always a plus. Furthermore, a federal regulation such as HITECH includes the possibility of criminal charges against negligent entities and their representatives in case of non-compliance.

There is a saying in the industry that the cost of having a pen test done is always lower than the risk of being in business without having one done regularly. While I could be perceived as a biased entity, I cannot help but agree. Not only because my firm provides ethical hacking services, but also because that statement is firmly grounded in common sense.

So… when’s the last time your network was tested? By an ethical hacker, that is…
