The purpose of pen-testing is simple: to find security flaws before an external or malicious internal party does.
How effective the process is at doing this is debatable, but the purpose remains the same nonetheless.
After applying their security policies, procedures, and technology, organizations can use thorough penetration tests to see how effective their security really is in light of an actual attack, albeit by friendly attackers.
The scope does mean that an attack from an external party will differ from a pen test, and the quality of the tester is important. An added benefit of ethical hacking and penetration testing is that, because they show real vulnerabilities and indicate what a malicious attacker might be capable of achieving, they can get management’s attention. Decision makers, when presented with the carefully formulated results of a test in business terms, are more likely to provide resources and attention to improve the security stance of an organization.
If a double-blind test is used, the test can also act as a validation of the incident-handling process: the people monitoring the site have no notice of the test and are therefore being tested themselves.
A major goal of penetration testing and ethical hacking is discovering flaws so that they can be remediated (by applying patches, reconfiguring systems, altering the architecture, changing processes, etc.).
It is important to note that in most tests, not all of the discovered vulnerabilities are actually addressed!
A common recommendation is that all high-risk vulnerabilities be addressed in a timely fashion, but the truth is that some vulnerabilities linger long after a test is complete, even high-risk issues. Remember, information security is all about managing risk, not eliminating it.