Penetration testing can contribute a lot to an organisation’s security by helping to identify potential weaknesses. But for it to be truly valuable, it needs to happen in the context of the business.
I asked Brian Honan, CEO of BH Consulting, to explain the value of pen testing and when it’s needed. “A pen test is a technical assessment of the vulnerabilities of a server, but it needs the business to tell you which server is most important. Pen testing without context, without proper scoping and without regular re-testing has little value,” he said.
Steps to do pen testing right
Some organisations feel they need to conduct a pen test because they have to comply with regulations like PCI, or to satisfy auditors, or because the board has asked for it. They’re often the worst places to start. To do it right, a business should:
- Dedicate appropriate budget and time to the test
- Carry out a proper scoping exercise first
- Set proper engagement parameters
- Run it regularly – preferably quarterly and more than just once a year
- Use pen testing to check new systems before they go into production.
Absent those key elements, the test itself will not fail, but the exercise is reduced to box-ticking from the start. That is why a one-off test tells you little about how secure a system actually is. “A pen test is only a point-in-time assessment of a particular system, and there are ways to game the test. We have done pen tests where a client told us ‘these systems are out of scope’ – but they would be in scope for a criminal,” said Brian.
Prioritising business risks
The reason for running a pen test before systems go into production is that criminals may target them as soon as they are live. It is especially important if the new system will be critical to the business. “The value of doing a good pen test within the context of the business is that it will identify vulnerabilities and issues that the organisation can prioritise based on the business impact,” said Brian.
Pen testing, though valuable, is only one element of good security. “Unfortunately, many people think that if they run a pen test against their website, and it finds nothing, therefore their security is OK,” Brian said. “Just because you have car insurance doesn’t mean you won’t have an accident. There are many other factors that come into play: road conditions, other drivers on the road, confidence and experience of the driver.”
Brian warned against the risk of using pen testing as a replacement for a comprehensive security programme. If organisations have limited budget, spending it on a pen test arguably won’t make them any more secure. “Just doing it once a year to keep an auditor happy is not the best approach. It’s not a replacement for a good security programme,” he said.