Maksim Kabakou - Fotolia

Security Think Tank: Penetration testing still relevant, but approach needs to change

How can an organisation ensure it gets value from penetration and security testing services?

Lurking in enterprise network packets are a host of potential threats: misconfigurations, human mistakes, poor security policies and other vulnerabilities that can all be exploited by attackers; and as we’ve seen over 2015, these attackers can be individuals, organised groups or even nation states.

Their ultimate goal is simple: to render useless the applications, servers and the network. 

To defeat them, organisations should conduct penetration tests on a regular basis and, for years, penetration and security testing were the mainstay for determining the security level of a company's digital infrastructure. However, as organisations come around to the uncomfortable truth that it is virtually impossible to be 100% effective at keeping hackers and advanced persistent threats out, more and more security pundits are questioning the effectiveness of this type of testing.

Despite the new permeable threat landscape they now operate in today, penetration and security testing remain highly relevant to organisations, if not more so than in previous years. However, to ensure value and efficiency, the traditional mix of tactical methods employed needs to change.

Security managers need permission from their respective companies to test live networks, and they need the right pen testing tools for the job. A prime example of such a change is that many tools with command-line interfaces now offer a graphical user interface (GUI), to make security managers' jobs easier. Where once upon a time these were limited to computers, more and more pen testing tools now enable work from mobile devices.

To strengthen organisational defences, security professionals need to build a toolkit of both free and commercial tools. Some pen tests are free and some are not, but they all serve one purpose: the administrator must find the vulnerabilities before the hackers do.

Read more about penetration testing

No two tools have the same penetration techniques. Each tool differs in their scanning methods, as well as the types of vulnerabilities they look for. Some offer an unlimited number of IP addresses or hosts to exploit; some don't. Some are specific to operating systems, and some are agnostic.

Below are my top 10 tips for organisations looking to maximise the benefits of penetration and security testing in 2016:

  1. The organisation requesting a security audit should consider having the auditor represented by legal counsel.
  2. Treat the audit agreement as a professional services engagement: ensure the work is clearly detailed in a well-drafted statement of work and that all costs are identified.
  3. Do not permit the audit agreement to create more risk than it is intended to resolve.
  4. Indicate what the auditor will do (and will not do) and the range of IP addresses, subnets, computers, networks or devices that will be the subject of the test.
  5. Make an inventory of all authorised and unauthorised devices that have access to your corporate network.
  6. If a software review is being asked for, ensure the copyright to the software permits reverse engineering or code review.
  7. If a white-hat tester is to test a network in the cloud, make sure permission has been obtained from the cloud provider.
  8. Model the testing activities on those of real-world attackers.
  9. When vulnerabilities are found, make sure they are exploited under controlled circumstances.
  10. Prioritise resources and responses to improve your organisation’s security stance.

Ramsés Gallego is international vice-president of Isaca and security strategist and evangelist at Dell Software.

Read more on IT risk management