The Key to a Successful Penetration Test
- Sep 16, 2014
- Michael Tucker
With the time, effort and resources that companies dedicate to penetration testing, it can be frustrating (at best) to not be guaranteed a successful outcome. Your organization may be trying to address the challenges of the consumerization of IT and bring-your-own movements, the shift to cloud computing, or simply trying to achieve regulatory compliance. Penetration testing allows you to understand where you need to focus your attention by determining the feasibility of a particular set of attack vectors. So what is the key to a successful penetration test?
You should have a clear reason and objective for penetration testing. We encourage the customers we work with to scope a penetration test from a risk-based and asset-focused perspective. It’s possible to get wrapped up in the technical ways to exploit a vulnerability, but that’s really a red herring. Instead, focus on the bigger picture of discovering where the business risk is greatest. This means defining the appropriate scope for the penetration test and determining how well your security policies and controls are actually working. Remember, simply ticking a check box for pentesting to meet compliance requirements can lead to a false sense of security. See “Avoid this mistake when sourcing a penetration test.”
Project scope is intrinsically related to your business goals. It is surprising how many penetration testing requests are scoped to cover the entire IT infrastructure, spanning hundreds or thousands of devices. While that may be theoretically possible, it is generally not feasible. The reason is that a penetration test simulates a real-world attack, which requires a person at a computer actively attempting to exploit vulnerabilities and gain access to system resources. The costs associated with a penetration test across a very large number of devices can be prohibitive. That’s why it makes most sense to define a scope that includes critical information assets and business transaction processing.
You need to gain the support and commitment for penetration testing from company leadership. A penetration test will potentially require the diligence and participation of employees across multiple areas of the business. It is vital that everyday operations of your organization will not be disrupted during the process of a penetration test. Moreover, remediation of vulnerabilities (post pentest) will need to be thoroughly tested before being implemented in a production environment.
Penetration testing should not be a one-time exercise, and successive results should be compared. Are there recurring vulnerabilities? Perhaps your software patching program isn’t working as it should? Are there systems or departments that show up repeatedly with persistent findings?
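The comparison described above is easy to do mechanically once findings from each engagement are recorded in a consistent way. The following script is an added example, not code from the original post or from the author's company: it takes constructed findings from three hypothetical engagements and answers the three questions in the paragraph, which pairs of host and vulnerability keep coming back, which hosts are persistently affected, and which vulnerabilities have spread to more hosts or returned after apparently being fixed (a common symptom of a patching process that is not working). The record layout (engagement, host, vuln_id, severity) and the sample values are assumptions chosen for this example, not a real report format.

```python
"""Compare findings from successive penetration tests to spot recurring
vulnerabilities, persistently affected hosts, spreading issues and fixes
that did not hold. Added example with constructed data; the field names are
assumptions, not a real report format."""
from collections import Counter, defaultdict

# Constructed sample findings from three engagements (hypothetical data).
FINDINGS = [
    {"engagement": "2013-Q3", "host": "web01", "vuln_id": "outdated-openssl", "severity": "high"},
    {"engagement": "2013-Q3", "host": "web01", "vuln_id": "weak-tls-config", "severity": "medium"},
    {"engagement": "2013-Q3", "host": "db01", "vuln_id": "default-creds", "severity": "critical"},
    {"engagement": "2014-Q1", "host": "web01", "vuln_id": "outdated-openssl", "severity": "high"},
    {"engagement": "2014-Q1", "host": "app02", "vuln_id": "outdated-openssl", "severity": "high"},
    {"engagement": "2014-Q1", "host": "db01", "vuln_id": "default-creds", "severity": "critical"},
    {"engagement": "2014-Q3", "host": "web01", "vuln_id": "outdated-openssl", "severity": "high"},
    {"engagement": "2014-Q3", "host": "web01", "vuln_id": "weak-tls-config", "severity": "medium"},
    {"engagement": "2014-Q3", "host": "app02", "vuln_id": "sqli-login-form", "severity": "critical"},
]


def by_engagement(findings):
    """Group findings as {engagement: {(host, vuln_id), ...}}, engagements in chronological order.
    The engagement labels sort chronologically by construction (YYYY-Qn)."""
    groups = defaultdict(set)
    for f in findings:
        groups[f["engagement"]].add((f["host"], f["vuln_id"]))
    return dict(sorted(groups.items()))


def recurring_findings(findings):
    """(host, vuln_id) pairs reported in more than one engagement, with the number of engagements."""
    counts = Counter()
    for pairs in by_engagement(findings).values():
        counts.update(pairs)
    return {pair: n for pair, n in counts.items() if n > 1}


def persistent_hosts(findings, min_engagements=2):
    """Hosts that carried at least one finding in min_engagements or more engagements."""
    host_engagements = defaultdict(set)
    for f in findings:
        host_engagements[f["host"]].add(f["engagement"])
    return sorted(h for h, e in host_engagements.items() if len(e) >= min_engagements)


def host_counts_per_engagement(findings):
    """{vuln_id: [hosts affected in engagement 1, engagement 2, ...]} in chronological order."""
    engs = by_engagement(findings)
    vulns = sorted({v for pairs in engs.values() for _, v in pairs})
    return {v: [sum(1 for _, vv in pairs if vv == v) for pairs in engs.values()] for v in vulns}


def spreading_vulns(findings):
    """Vulnerability ids that, once present, later affected more hosts than in any earlier engagement.
    A first appearance does not count; only growth of an already known issue does."""
    result = []
    for vuln, counts in host_counts_per_engagement(findings).items():
        seen_max = 0
        for n in counts:
            if seen_max > 0 and n > seen_max:
                result.append(vuln)
                break
            seen_max = max(seen_max, n)
    return result


def regressions(findings):
    """(host, vuln_id) pairs that disappeared after being reported and then came back:
    a sign that the remediation did not hold or was never applied to production."""
    engs = by_engagement(findings)
    all_pairs = sorted(set().union(*engs.values()))
    out = []
    for pair in all_pairs:
        seen_present = seen_gap = False
        for pairs in engs.values():
            present = pair in pairs
            if present and seen_gap:
                out.append(pair)
                break
            if present:
                seen_present = True
            elif seen_present:
                seen_gap = True
    return out


if __name__ == "__main__":
    print("Recurring findings:", recurring_findings(FINDINGS))
    print("Persistent hosts:", persistent_hosts(FINDINGS))
    print("Spreading vulnerabilities:", spreading_vulns(FINDINGS))
    print("Regressions (fix did not hold):", regressions(FINDINGS))
```

With the constructed data the script reports that web01 has carried the outdated-openssl finding through all three engagements, that the same issue spread to app02 in the second engagement, and that web01's weak-tls-config finding was gone in the second engagement but back in the third: exactly the kind of evidence that points at a patching or change-management process rather than at an individual system.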
The key to a successful penetration test? Adequate preparation. To learn more about all aspects of a penetration test you’ll be satisfied with, please download the Best Practices Guide: Penetration Testing