Are Penetration Tests Worth the Risk?

I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk? There seems to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it’s trying to mitigate, the other side calls it necessary for security hardening. Here are my thoughts on the subject:

The Wrong Way to do Penetration Testing

Some companies have the misconception that penetration testing is a security solution. It’s not. That if you undergo regular penetration tests and remediate the issues you’re safe. You’re not. This is the wrong way to approach security and risk management for a few reasons:

  1. If you put any hacker on your network for long enough they will find a way in. The real question is how you manage data loss, intrusion detection, and security as a whole.
  2. If you aren’t doing the basics you will continually be at risk (i.e., all the stuff in our IT audit guide). If that’s the case you probably shouldn’t waste time and money on penetration tests. It’s safe to assume you are vulnerable. (A general risk assessment an gap analysis against ISO 27001 is probably a good place to start.)
  3. Strong penetration testing against production systems could be an attack against yourself. It may not be worth the impact to your own systems.

Penetration Testing as Part of a Cyber Risk Program

Where penetration may do some good is for the mature IT Security environment as part of an “enhanced network monitoring” process (as apposed to an active attack on your production systems) built into the cyber risk management function to answer questions about the operating effectiveness about controls you think you already have in place:

  • Did we notice the intrusion?
  • Did we respond to the intrusion as expected?
  • Could the pen tester access any unexpected systems or data?
  • Was the pen tester able to capture and/or decrypt network traffic?
  • Are we transferring and transmitting data as expected?

Continuous Risk Monitoring

In an environment where things are constantly changing the new model is continuous risk monitoring and management. Not a one and done penetration testing process. That is implementing tools and controls that continuously monitor and update the environment across all layers (PCs, databases, servers, software, applications, etc.). Here are a few examples:

  • Regularly scheduled system patches and updates,
  • Transmission of private data is encrypted,
  • Ongoing vulnerability scans and remediation,
  • Formalized incident identification and response,
  • Regular review and updates to the network security environment, and
  • An ongoing risk assessment process.

If you need a place to start here is a list of Frameworks you might consider.

3 thoughts on “Are Penetration Tests Worth the Risk?

  • Christian,
    If you don’t test your own network, someone will do it for you. Even if you do test, someone will still do it for you. So why not pick your own low-hanging fruit?

    I believe it’s better to find the stuff yourself and fix it, or at least be aware of it; sometimes you can do things to minimize stuff you can’t fix, or at least set something up to alert you if someone pokes at it.

    At the very least, you make management aware and let them take the responsibility. Better that than to be attacked and security/audit get blamed for not finding the risk earlier.

    I’ve heard IT say that you might lock something out or crash a server during pentesting and the risk is too great. So does IT think that attackers won’t attack because they don’t want to upset you by locking up or crashing something? Attackers don’t play by any rules, and yet a pentest is often crippled by management’s “rules”.

    If your systems can’t handle a general pentest, then it’s time to make some changes. Why wait for an attack?

    I heard all of that when I wanted to pentest a company. I got the go ahead and nothing happened other than total compromise. No systems even whimpered, they just quietly offered up their jewels.

    I think that what IT is afraid of is THAT THEY KNOW HOW BAD IT IS or at least have a good idea, but when they are handed a pentest report, the IT VP is now on the hook. That’s really what it’s all about.

    Even if that’s not the case, it is better to test and find your crashable systems and fix them before someone crashes them via attack right before month-end or your busy season.

    • I’m not against pen testing (I’ve done it many times), but they should be one element of a mature Cyber risk program – not relied on as the sole source to identify and fix issues. If your security program isn’t mature you’ll be vulnerable again after a few missed patches anyway. To me that’s an expensive and risky way to harden your environment.

      I’m not suggesting sitting around and waiting for an attack either, but rather I think of pen testing as enhanced vulnerability scans that should occur on a periodic basis just test yourself. They should be in addition or part of controls testing and continual evaluation of the Company’s security and governance environment.

      To me it’s not about playing gotcha with the IT guys – it’s about working with them to perform a realistic assessment and get everyone where they need to be. Can penetration tests part of that process? Yes. Are they the best way to get there? I don’t think so.

      I don’t think we disagree with each other just thinking about it in different ways.

      • I also think we agree….

        I believe that some issues you won’t find unless you pentest, due to the stress which pentesting puts on your infrastructure. Which brings us back to your point that it’s risky.

        The question is, which is riskier?

Leave a Reply