Why Your Penetration Test Might Suck
Penetration testing has become a term synonymous with information security.
Often the stuff of legends, penetration testers spin tales of breaking bank vaults and cracking wireless networks, of perforating firewalls and “rooting” servers. One by one companies fall to white hat hackers armed with Metasploit and cases of Mountain Dew.
The problem with penetration testing is that in many cases, it’s not doing the client organization any good. It may seem odd that something as popular as pentests could be doing so little for companies that perform them, but there are many reasons why this is true.
Here are just a few:
- Compliance Takes Priority – Organizations in banking, healthcare and critical infrastructure, among other industries are required to perform annual penetration testing. But they aren’t required to care about the results and they aren’t required to be secure. Getting your penetration test checkbox doesn’t require much, and many organizations aim low and still miss the ten ring.
- Clients Limit Test Scope – Many organizations become their own worst enemy by limiting the assets that are tested. By excluding the CEO from social engineering or cloud applications from SQL injections, some of the greatest vulnerabilities are left unexposed and subsequently unmitigated.
- Testing is Inconsistent – Any IT provider with a vulnerability scanner (yes a vulnerability scanner) can offer “penetration testing” services. Service definitions vary across providers, organizations and regulations. This inconsistency makes shopping for a pentest similar to shopping for a mattress – you’re usually comparing apples to orangutans. In the worst case testing results can give organizations a false sense of security.
- Testing is Unrealistic – If your security provider tells you that they’re going to “pentest your firewall”, do yourself a favor and end your contract. The kids from Romania aren’t going to pentest your firewall, so neither should your security provider. Good penetration testing should simulate a real-world attack. Sensitive assets like intellectual property, sensitive information and bank accounts should be targeted, just as they are in real life.
- It’s Not for Everyone – Pentests are great if the results are meaningful and useful. If your security defenses aren’t mature, there’s no sense turning them into swiss cheese just to prove that it’s possible. Instead, use that money for something productive like an assessment or an Incident Response Plan for when something bad happens for real.
If you’re looking for penetration testing standards, you may be surprised to know that there is little out there. NIST has provided some guidance around security testing, but there is only one small section on pentesting.
There is another emerging standard for penetration testing that is getting some attention. Called the Penetration Testing Execution Standard (PTES), it provides recommendations for exploitation, intelligence gathering and perhaps most importantly, reporting.
If you are about to embark on a penetration test, ask your security provider if they utilize these or other standards for testing. Also ask yourself what your goals are and if you’ve set yourself up to be successful.
Your pentest should be as realistic as possible without introducing unnecessary risk. It should target the things that are most important to you, and it should be performed without the knowledge of your organization so you can monitor how well they react to these situations. You should include all of your assets in the test unless there’s a compelling reason not to. Potential embarassment is not a compelling reason.
The security provider that you select should be knowledgeable and experienced. They should utilize a standard for security testing. They should know the difference between a vulnerability scan and a pentest. They should understand that the goal of the test is risk reduction, not legends and campfire stories.
And if you’re lucky, you’ll figure out where the holes are before some kids in Romania do.