I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk? There seems to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it’s trying to mitigate, the other side calls it necessary for security hardening. Here are my thoughts on the subject:
The Wrong Way to do Penetration Testing
Some companies have the misconception that penetration testing is a security solution. It’s not. That if you undergo regular penetration tests and remediate the issues you’re safe. You’re not. This is the wrong way to approach security and risk management for a few reasons:
- If you put any hacker on your network for long enough they will find a way in. The real question is how you manage data loss, intrusion detection, and security as a whole.
- If you aren’t doing the basics you will continually be at risk (i.e., all the stuff in our IT audit guide). If that’s the case you probably shouldn’t waste time and money on penetration tests. It’s safe to assume you are vulnerable. (A general risk assessment an gap analysis against ISO 27001 is probably a good place to start.)
- Strong penetration testing against production systems could be an attack against yourself. It may not be worth the impact to your own systems.
Penetration Testing as Part of a Cyber Risk Program
Where penetration may do some good is for the mature IT Security environment as part of an “enhanced network monitoring” process (as apposed to an active attack on your production systems) built into the cyber risk management function to answer questions about the operating effectiveness about controls you think you already have in place:
- Did we notice the intrusion?
- Did we respond to the intrusion as expected?
- Could the pen tester access any unexpected systems or data?
- Was the pen tester able to capture and/or decrypt network traffic?
- Are we transferring and transmitting data as expected?
Continuous Risk Monitoring
In an environment where things are constantly changing the new model is continuous risk monitoring and management. Not a one and done penetration testing process. That is implementing tools and controls that continuously monitor and update the environment across all layers (PCs, databases, servers, software, applications, etc.). Here are a few examples:
- Regularly scheduled system patches and updates,
- Transmission of private data is encrypted,
- Ongoing vulnerability scans and remediation,
- Formalized incident identification and response,
- Regular review and updates to the network security environment, and
- An ongoing risk assessment process.
If you need a place to start here is a list of Frameworks you might consider.