Simple question, hopefully a simple answer:
it is an Information Security discipline where the aim is to identify
ways to compromise you and/or your organisation. There is more to it
than that, obviously, but that should provide a good starting point!
Many people in the industry, such as penetration testers, sales
people and information security consultants, have their own
interpretation of penetration testing, and views of what it is and how
to go about it range widely. Frustratingly, these differences of
opinion about what constitutes a pen test often lead to it being
mis-sold and, more commonly, not conducted correctly. Both result in a
negative attitude towards penetration testing, which in turn produces
objections or reluctance to carry it out, ultimately meaning people
lose out on the value a penetration test gives.
Solutions, problems, needs
Penetration testing is a part of a solution to a problem. The
problem is that there are various threats out there that can affect the
security of your information. We occasionally hear: “Who would want my
information? It is of no value to anyone else but me.” Now, in a very
small set of circumstances that may be true. However, in the majority
of cases, there is always someone out there that can benefit in some
manner from obtaining or destroying the information you have. This
someone could be identity thieves, your competitors, foreign
governments, discontented staff, hacktivists, online vandals, the list
goes on. A penetration test should be focussed on replicating threats
that are relevant to your organisation. A foreign intelligence threat
may be very high on the list if you are a government body but not so
much if you are a retailer, for example. It is this understanding of
the threats that should form and drive a penetration test.
Pen testing is not just about using a collection of tools and
scripts; it is also a mentality. Whilst at Perspective Risk we train
our team how to use all the tools at their disposal, we also teach them
when and where to use them. We believe this brings more value to our
customers and differentiates us from the one-size-fits-all approach
offered by other organisations, either through their pen-test-led
approaches or through their automated “appliances”. Now, we are not
saying there is no place for these approaches; we are saying that they
address specific needs but may not help in solving the problem.
Problem? Need? What’s the difference? A problem is something you have
but don’t want; a need is something you want but don’t have. Needs
should be derived from problems, yet quite often the two are treated as
the same thing, which can lead to unwanted results. What we ask is: how
can a pen test address a need where the need does not address the
problem?
Value Proposition
So, what value does penetration testing give you? Well, in some
people’s opinion, where you have been mandated to get one done, it gives
you a tick in the box. Is that all we think a penetration test gives
you? Definitely not! There is much more value gained from a pen test
that is often not even contemplated. We hope to correct that!
Beyond the tick in the box you get for whatever regulation,
compliance, or legal requirement you are aiming to meet, penetration
testing actually reduces overall costs, brings certainty, and allows you
to prioritise your resources. Oh, we almost forgot, it increases the
security of your organisation.
How does it save you money? Well, what is cheaper:
proactively implementing known fixes where you have control over time
and resources, or firefighting a security breach? Comparing the two
scenarios, where you have taken a proactive approach you can blend the
fix requirements into either your own staff’s day-to-day activities or
into contracts where you outsource the service, usually at no
additional cost. If a breach occurs, the priority instantly turns to
fixing the issue; money, time and people will be thrown at the problem.
This could result in extra costs for overtime, extra contract staff or
external services. Similarly, the firefighting activity may not be
included in your service agreement with your vendor and would therefore
result in extra charges for out-of-agreement work. There are also
hidden costs that are often not thought about; for example, while all
these resources are firefighting, they are not doing what they were
originally paid to do. Your operations are likely to suffer, and that
subsequently affects your efficiency or your income.
How does it bring you certainty? The results of a
good penetration test are black and white. If they are not, you should
look for another supplier! They are meant to give you a perspective on
your technical risk. They are meant to provide you with a customised
view of the threats you face and the risks that are relevant to your
organisation. Knowing that the issues found are real and relevant to
your organisation gives you certainty about how vulnerable you actually
are to the threats that matter to you the most. It gives you a defined
set of fixes and removes false positives that are becoming more and more
prevalent due to the commoditisation of penetration testing.
How does it allow you to prioritise? In most
organisations, and certainly in this time of austerity, we are being
asked to produce more with less. That is to say, more is expected
whilst resources such as time, money and people are increasingly
limited. In this environment, you really have to prioritise to get
things done. The issues found in a pen test are ranked in the report by
severity and by the threat posed by the technical risk. This allows you
to give precedence to the more severe issues rather than deploying
resources on issues that do not present a great risk to your
organisation.
How does it make you more secure? This one is
fairly simple. A pen test finds holes that your threats may use, and
these are reported to you with advice on how to go about fixing them.
Once you plug the gaps, the security of your information is at a
greater level than it was before the pen test. Information security
consultancies that offer penetration testing as one of many InfoSec
services usually answer only this question, because they don’t
understand the full value proposition of a penetration test. That is
why we recommend using specialist penetration testing consultants,
where the quality and understanding run not just through the
consultant but through the entire company.