I am fortunate to have customers that ask us to conduct penetration testing for them. I enjoy the work and look forward to it. But there are a few questions that I need to ask before providing a Scope of Work and cost for a penetration test. Here are a few.
- Do you have a security program? If so, have you addressed the findings from prior testing or Vulnerability Assessments?
- If we find a vulnerability, do you want us to exploit it and get a foothold on the system with the intention of moving further into your network?
- Are we testing production systems that can return to a normal operating state once exploited? If a web application is in scope, can we restore the database to the original state before testing?
I ask these questions because assessing the maturity and readiness of your organization’s Security Program is important. I want to know whether it can manage the results and possible effects of a full-blown penetration test on its perimeter or other scope.
Some organizations have the resources and ability to act upon the results of a penetration test, but the majority of them do not. It’s usually a function of a lack of process, not a lack of technology, which prevents them from successfully responding to the results of a penetration test.
I tend to steer a customer towards a Vulnerability Assessment when they answer “No” to any of the above questions.
The Vulnerability Assessment allows our team to identify known issues and vulnerabilities. Our team will not exploit them to gain access to, or a foothold on, the systems tested. We can certainly perform benign Proof of Concept attacks to show that our findings are valid. The level of effort needs to be addressed in the SOW and agreed upon by all parties involved.
A Vulnerability Assessment helps organizations determine gaps within their Security and Vulnerability Management Program and gives them guidance for improving their whole security program. If the results of the testing identify hundreds or thousands of findings, consider it a symptom of a breakdown in your Security Program. Remediation has to occur at the process level for long term success. I have been a part of huge campaigns to deploy patches and configuration changes, and I know that reactive, unmanaged security doesn’t work.
Penetration Tests allow an organization to test technology that is, hopefully, backed by a good security practice. Ideally, you’ll have implemented Configuration Management, Vulnerability Management, Backup Procedures, and Detective and Preventive Measures. If so, you’ll want to test them within the context of your Security Program. If we succeed with an attack, you should have the ability to address the issues you overlooked. While the above may sound ideal for many organizations, it’s something they need to strive for.
Penetration Tests and Vulnerability Assessments both hold value for your organization. Remember, they are distinct services. The maturity of your organization’s Security Program will determine which assessment is most appropriate. For organizations that have begun formalizing a Security Program, I suggest you take a step back, evaluate your Security Program, determine whether it is capable of addressing security findings through People, Process, and Technology, and then leverage Vulnerability Assessments, technical and non-technical, to gain assurance that your program is working. Once you are comfortable with your Security Program, you’re ready for a Penetration Test. Have at it!