Penetration Testing mailing list archives
RE: How would you describe the risk if a company doesn't do penetration tests?
From: "Frye, Dan" <Dan.Frye () cedarcrestone com>
Date: Thu, 17 Sep 2009 14:21:55 -0400
I had this same conversation recently internally with a few managers here. The way I approached it with them is the pen test is "a test of the technical controls, procedures, and processes which support the information security goals of the organization". So what does that mean?

- On the technical side, by pentesting your network you find areas which are or are not being managed appropriately. As an example, say you've got a 30 day patch policy that all medium, high, and critical patches have to be applied to servers and apps. During the pentest, the testers find a few servers which are behind in patches by 60 days and then exploit them. Through that you can determine 1) that there are indeed mismanaged servers in the enterprise and 2) the downstream effects of those servers being compromised - does your defense strategy truly involve multiple layers of security? Which one worked? Which one(s) didn't?

- On the procedure side, you get to watch from the sidelines while your network/server/security teams attempt to track the reconnaissance activity and spot attacks. Did the IDP/IDS sensors work? How were they evaded? Were your network/security folks actually able to catch the activity? It's a real nice feeling when your network guys come up to you the next morning and say "hey, we got a bunch of hits last night on the IDP sensors and it looks like a structured attack - can we run this by you?"

- On the process side, what happens when 1) a server was "breached" and 2) when a server wasn't "breached". Did the incident response process work? Was notification performed according to policy? Is more training required? A good example here is most organizations rarely test their incident response tools/capabilities outside of the normal virus/worm/forensics. When was the last time you actually ran a full "server X is breached" - go find out how, why, what they "stole"? Work with legal and mgmt to test their responses as well - was the breach notification process updated and actually working?

And lastly, from a non-technical side, social engineering (which should be part of every pen test) - were the right processes followed by the helpdesk? Are there even procedures for reporting activity? What's the sensitivity level of the organization to SE attacks? A lot of these things you can never fully determine without a real incident. Structured appropriately, the pen tests can be a real good assessment of not only your point in time person X can hack us, but also identifies weaknesses in other areas of the enterprise well outside of just having some exploits run.

My 2 cents.

Dan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sebastiaan
Sent: Thursday, September 17, 2009 7:55 AM
To: pen-test () securityfocus com
Subject: How would you describe the risk if a company doesn't do penetration tests?

I'm currently doing an audit. Part of the audit scope is to audit the penetration testing methodologies that are used. Now for the risk/control matrix I have to come up with a good description of a risk of not having penetration tests done. We had discussions like this before on the list, basically concluding that pen-testing only shows you that that specific pen-tester can't hack into/harm your systems, etc.

From a compliance point of view they run the risk of not being compliant (because of PCI, local law, etc) but I need a better, juicier "risk" description ;)

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
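Dan's technical-side example is a patch policy (medium, high and critical patches applied within 30 days) that a pentest catches being violated by 60 days. The same control can be measured continuously by the defenders, so an auditor filling in a risk/control matrix has evidence beyond a single tester's point-in-time result. The following Python script is an added example, not code from the message or the list: it runs the 30-day rule over a constructed patch inventory, flags in-scope patches that are still missing past the SLA, and reports per-host compliance. The host names, patch ids and dates are constructed placeholders; only the 30-day / medium-high-critical rule comes from the message.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Policy as stated in the message: medium, high and critical patches must be
# applied to servers and apps within 30 days. Everything below this line
# (hosts, patch ids, dates) is constructed sample data, not real systems.
SLA_DAYS = 30
IN_SCOPE = frozenset({"medium", "high", "critical"})
AS_OF = date(2009, 9, 17)  # the "as of" date the check is run against


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str            # placeholder id, not a real advisory number
    severity: str
    released: date
    applied: Optional[date]  # None = still missing on this host


SAMPLE: List[PatchRecord] = [
    PatchRecord("srv-web-01", "PATCH-0001", "critical", date(2009, 7, 15), None),
    PatchRecord("srv-web-01", "PATCH-0002", "low", date(2009, 6, 1), None),
    PatchRecord("srv-db-02", "PATCH-0001", "critical", date(2009, 7, 15), date(2009, 8, 1)),
    PatchRecord("srv-db-02", "PATCH-0003", "high", date(2009, 9, 1), None),
    PatchRecord("srv-app-03", "PATCH-0004", "medium", date(2009, 7, 1), None),
]


def noncompliant(records, as_of, sla_days=SLA_DAYS, in_scope=IN_SCOPE):
    """Return (host, patch_id, severity, days_behind) for every in-scope patch
    that is still missing and older than the SLA, worst offenders first."""
    findings = []
    for rec in records:
        if rec.severity not in in_scope or rec.applied is not None:
            continue  # out of policy scope, or already applied
        days_behind = (as_of - rec.released).days
        if days_behind > sla_days:
            findings.append((rec.host, rec.patch_id, rec.severity, days_behind))
    return sorted(findings, key=lambda f: (-f[3], f[0], f[1]))


def host_compliance(records, as_of, sla_days=SLA_DAYS, in_scope=IN_SCOPE):
    """Map each host to True if it has no overdue in-scope patch."""
    status = {rec.host: True for rec in records}
    for host, _, _, _ in noncompliant(records, as_of, sla_days, in_scope):
        status[host] = False
    return status


def compliance_rate(records, as_of, sla_days=SLA_DAYS, in_scope=IN_SCOPE):
    """Fraction of hosts meeting the patch SLA (0.0 to 1.0)."""
    status = host_compliance(records, as_of, sla_days, in_scope)
    return sum(status.values()) / len(status) if status else 1.0


if __name__ == "__main__":
    for host, patch_id, severity, days in noncompliant(SAMPLE, AS_OF):
        print(f"{host}: {patch_id} ({severity}) missing for {days} days, SLA is {SLA_DAYS}")
    print(f"hosts within policy: {compliance_rate(SAMPLE, AS_OF):.0%}")
```

On the sample data two of three hosts fail the control (a critical patch 64 days old and a medium one 78 days old), which is the kind of finding a pentester would otherwise have to demonstrate by exploiting the box. The low-severity patch is ignored because the stated policy does not cover it, and the host that applied its critical patch within the window counts as compliant even though it still has a newer high-severity patch outstanding inside the 30-day window.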
Current thread:
- How would you describe the risk if a company doesn't do penetration tests? Sebastiaan (Sep 17)
- RE: How would you describe the risk if a company doesn't do penetration tests? Gorgon Beast (Sep 17)
- RE: How would you describe the risk if a company doesn't do penetration tests? Frye, Dan (Sep 17)
- Re: How would you describe the risk if a company doesn't do penetration tests? Trojacek (Sep 17)
- Re: How would you describe the risk if a company doesn't do penetration tests? JoePete (Sep 17)
- Re: How would you describe the risk if a company doesn't do penetration tests? Cor Rosielle (Sep 22)
- Re: How would you describe the risk if a company doesn't do penetration tests? Sebastiaan (Sep 22)