Penetration testing is not always well understood by those
purchasing such services. It is my belief that organisations could
often obtain better value for money by considering other security
assessment techniques, writes Lee Newcombe, principal
consultant at Capgemini.
I describe the whole spectrum of penetration testing,
vulnerability assessment, configuration and process reviews as
security assessment. I use the term penetration testing in a purist
manner; a penetration test will attempt to circumvent the security
features of the system under test and then examine how far the
tester can extend their access into the target organisation. A
penetration test is not necessarily a comprehensive assessment of
the security of an organisation; one weakness is all the tester
needs.
Penetration tests can include logical, physical and personnel
aspects and may involve techniques such as social engineering. A
vulnerability assessment should attempt to identify all known
weaknesses within the assessment scope but should not attempt to
leverage identified weaknesses to penetrate into the organisation.
Exploitation may be required to verify the existence of the
vulnerabilities uncovered during a vulnerability assessment to
avoid the false positives often reported by automated tools.
Organisations must first understand the rationale underlying
their security assessment requirements before scoping any testing.
Is it to improve security? To raise awareness of the impact of a
compromise? To meet compliance requirements?
If the aim is to improve security, consider configuration
reviews (operating system, database, web server, firewalls, network
equipment, etc.) and a process review - it is dull work, but
cost-effective, and some testing firms charge less for this kind of
job.
Configuration reviews highlight infrastructure weaknesses
without the false positives/negatives associated with
misidentification of services by a remote unauthenticated scan.
They are great for improving infrastructure security, but when it
comes to application-level security, more active testing such as
penetration testing must be considered. Configuration reviews will
not detect input validation, session management or logic errors
within applications.
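The contrast drawn above, as an added example that is not part of the article: an authenticated configuration review checks a host's actual settings against a baseline, while a remote unauthenticated scan of the same host only learns what the service exposes. The sample sshd_config fragments, the baseline values and the helper names are constructed for illustration and are not taken from the article.

```python
"""Added example (not from the article): authenticated configuration
review versus the view available to a remote unauthenticated scan.

The two config fragments below are constructed samples in sshd_config
style; the baseline is an assumed hardening baseline, not one the
article cites."""
import re

WEAK_CONFIG = """\
# constructed sample sshd_config (before review)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# constructed sample sshd_config (after review and correction)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""

# Assumed review baseline: setting -> expected value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}


def parse_config(text):
    """Parse 'Key value' / 'Key=value' lines, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def review_config(text):
    """Authenticated review: compare each baseline setting with the file.

    Returns a list of (setting, actual, expected) findings; a missing
    setting is reported as '<unset>' so a silent default is not missed."""
    settings = parse_config(text)
    findings = []
    for key, expected in BASELINE.items():
        actual = settings.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append((key, actual, expected))
    return findings


def remote_scan_view(text):
    """What an unauthenticated remote scan learns from the same host: a
    listening port and a protocol banner, nothing about the login policy.
    Both sample configs therefore look identical from outside."""
    settings = parse_config(text)
    return {"port": settings.get("Port", "22"),
            "protocol": settings.get("Protocol", "2")}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "review findings:", review_config(cfg))
        print(name, "remote scan view:", remote_scan_view(cfg))
```

Running the block shows three findings for the weak file and none for the corrected one, while the remote scan view is the same for both; that is the false-negative gap a configuration review closes, and it equally shows why such a review says nothing about input validation or session handling inside an application, which lives in code rather than in a settings file.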
Raising awareness of the impact of a compromise among budget
holders is another sensible driver for a penetration test - in the
current climate pointing out that a tester obtained customer data
inside a day of testing may loosen a few purse strings.
If bringing in a testing provider, choose a reputable one - are
they registered under the CHECK or CREST schemes? Are they a QSA
or ASV if dealing with PCI DSS requirements? Do they have a history
of security research and good client references? Do they have a
rigorous approach towards test containment that reduces the risk of
disruption? Can they demonstrate the necessary specialist expertise
if performing application-level assessments?
Good infrastructure testing skills do not imply any capability
to adequately check application-level security. If they use the
terms penetration testing and vulnerability assessment
interchangeably, run away fast.
A thorough understanding of security assessment techniques, and
strong relationships with trusted testing providers, are a vital
part of an effective overall security strategy. A poorly thought
out approach risks expensive testing that provides little real
assurance or worse, a great deal of false confidence.