The Value of Penetration Testing
What is Penetration Testing?
Penetration testing is a cyber security practice in which a trusted party attempts to find and exploit weaknesses in a target's security. The targets can be infrastructure (firewalls, routers, servers, etc.), applications, and data or intellectual property.
The simplest thing that gets sold as a penetration test is a plain vulnerability scan. Using a tool such as Nessus, you can automatically check a host for the presence of known vulnerabilities; the scanner reports what it matches but does not attempt to exploit anything.
A proper penetration test does not stop at uncovering vulnerabilities: it goes the next step and actively exploits them in order to prove (or disprove) real-world attack vectors against an organization's IT assets, data, people, and/or physical security.
While a penetration test may use automated tools and process frameworks, the result ultimately depends on the individual tester or team, the experience they bring to the engagement, and the skills they apply in the context of an active attack on your organization. This cannot be over-emphasized. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to a human attacker who can think laterally and outside the box, can both analyze and synthesize, and is armed with motive and determination.
The Heart of the Matter
A penetration test is designed to answer the question: "What is the real-world effectiveness of my existing security controls against an active, skilled, human attacker?" Contrast this with security or compliance audits, which check that required controls exist and are correctly configured. The distinction matters because an audit proves that controls are present, not that they hold up under attack: even a 100% compliant organization may still be vulnerable in the real world to a skilled human threat agent.
A penetration test allows multiple attack vectors to be explored against the same target. Often it is the combination of information or vulnerabilities across different systems that leads to a successful compromise. Penetration tests that limit their scope to one target via one vector do exist (for example, a web application test conducted only from the point of view of a browser on the Internet), and they can produce valuable results, but those results are only meaningful within the context in which the test was conducted. Put another way, limiting scope and vector yields a limited real-world understanding of security risk.
A good penetration tester is like a chess player: able to respond to situations and change strategy on the fly. The tools, then, are just part of the tactics.
What is the Value of a Penetration Test?
Here are a few of the reasons organizations invest in penetration testing:
1. Determine the feasibility of a particular set of cyber attack vectors;
2. Identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence;
3. Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software;
4. Assess the magnitude of potential business, operational and technological impacts of successful cyber attacks;
5. Test the ability of defenders (IT and non-IT) to successfully detect and respond to the cyber attacks;
6. Provide evidence to C-level management, investors, and customers that supports increased investment in cyber security personnel and technology;
7. Meet compliance requirements (for example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing both annually and after significant changes to in-scope systems);
8. After a security incident, an organization needs to determine the vectors that were used to gain access to a compromised system (or the entire network). Combined with forensic analysis, a penetration test is often used to re-create the attack chain, or to validate that the new security controls put in place will thwart a similar attack in the future.