Mais conteúdo relacionado
Semelhante a Is Penetration Testing Worth It (20)
Is Penetration Testing Worth It
- 1. Vikas Raina© Security Expert Advisory Council©
Is Penetration testing worth it?
Scope: Come‐on lets be practical and do a real pen test.
There are security experts generally who insist penetration testing is essential for network
security, and you have no hope of being secure unless you do it regularly. And there are
contrarian security experts who tell you penetration testing is a waste of time; you might as
well throw your money away. Both of these views are wrong. The reality of penetration testing
is more complicated and nuanced.
Penetration testing is a broad term. It might mean breaking into a network to demonstrate you
can. It might mean trying to break into a network to document vulnerabilities. It might
involve a remote attack, physical penetration of a data center or social engineering attacks.
It might use commercial or proprietary vulnerability scanning tools, or rely on skilled white‐
hat hackers. It might just evaluate software version numbers and patch levels, and make
inferences about vulnerabilities.
It's going to be expensive, and you'll get a thick report when the testing is done, Tools and
right people play a major role. Becoz management wants to see what’s Bad really to Business.
And that's the real problem. You really don't want a thick report documenting all the ways
your network is insecure. You don't have the budget to fix them all, so the document will sit
around waiting to make someone look bad. Or, even worse, it'll be discovered in a breach
lawsuit. Do you really want an opposing attorney to ask you to explain why you paid to
document the security holes in your network, and then didn't fix them? Probably the safest
thing you can do with the report, after you read it, is shred it.
Given enough time and money, a pen test will find vulnerabilities; there's no point in proving
it. And if you're not going to fix all the uncovered vulnerabilities, there's no point
uncovering them. But there is a way to do penetration testing usefully. For years I've been
saying security consists of protection, detection and response‐‐and you need all three to have
good security. Before you can do a good job with any of these, you have to assess your
security. And done right, penetration testing is a key component of a security assessment.
I like to restrict penetration testing to the most commonly exploited critical
vulnerabilities, like those found on the SANS Top 20 list. If you have any of those
vulnerabilities, you really need to fix them.
If you think about it, penetration testing is an odd business. Is there an analogue to it
anywhere else in security? Sure, militaries run these exercises all the time, but how about in
business? Do we hire burglars to try to break into our warehouses? Do we attempt to commit
fraud against ourselves? No, we don't.
Penetration testing has become big business because systems are so complicated and poorly
understood. We know about burglars and kidnapping and fraud, but we don't know about computer
criminals. We don't know what's dangerous today, and what will be dangerous tomorrow. So we
hire penetration testers in the belief they can explain it.
There are two reasons why you might want to conduct a penetration test. One, you want to know
whether a certain vulnerability is present because you're going to fix it if it is. And two,
you need a big, scary report to persuade your boss to spend more money. If neither is true,
I'm going to save you a lot of money by giving you this free penetration test: You're
vulnerable.
- 2. Vikas Raina© Security Expert Advisory Council©
Moral: Now, go do something useful about it,
Like The security team behind Google's mobile platform, Android, has tried to raise its
profile among security researchers by appealing for their vigilance in monitoring the platform
and do a real check
Thanks
Vikas Raina
Sr Leader and Security Expert
Domain: Corporate Information Security and Digital Forensic Investigation
Certf’s : CISSP®, CCSP®,CCNP®, C |EH, ITIL, PRINCE‐2©, DFCA©
“Security advice is a daily burden, applied to the whole population, while an upper
bound on the benefit is the harm suffered by the fraction that become victims
annually. When that fraction is small, designing security advice that is beneficial
is very hard.”