In Depth

Security: Penetration Testing

Penetration tests are falling in popularity. Here are the keys to making them valuable again.

By Michael Fitzgerald

Page 2

Another reason is that most companies can't afford an open-ended penetration test, so they set time limits—which real hackers don't have, notes Mark Weatherford, CISO for the state of Colorado.

Also, if the network is already compromised, a pen test might not find out. "I love to go into companies and put a sniffer down on the inside and see how many systems are already compromised, what spyware is already on there," says Peiter "Mudge" Zatko, a longtime security researcher who is now a division scientist at BBN Technologies. "Pen test games don't even address this. They're just trying to get in. If a system is already compromised it negates any work you've done on the perimeter."
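The "sniffer on the inside" idea Zatko describes is passive: rather than trying to break in, you watch what internal hosts are already doing and look for the signature of installed malware. One such signature is beaconing, a host contacting the same external address on a fixed schedule. The following is an added example of that check, written for this page and not code from the article, from BBN or from any tool it mentions. It assumes a constructed log of outbound connection records in the form `<epoch_seconds> <src_ip> <dst_ip> <dst_port>`, one per line, of the kind an internal sniffer or flow collector might emit; the sample data is made up.

```python
"""Passive beacon detection over internal outbound-connection records.

Added example, not from the article. Assumes a constructed log format:
"<epoch_seconds> <src_ip> <dst_ip> <dst_port>", one record per line.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: 10.0.0.7 "phones home" to 203.0.113.9:443 roughly
# every 60 s with a little jitter, while 10.0.0.12 talks to a site at
# irregular, human-driven intervals.
SAMPLE_FLOWS = """\
1000 10.0.0.7 203.0.113.9 443
1061 10.0.0.7 203.0.113.9 443
1119 10.0.0.7 203.0.113.9 443
1181 10.0.0.7 203.0.113.9 443
1239 10.0.0.7 203.0.113.9 443
1300 10.0.0.7 203.0.113.9 443
1362 10.0.0.7 203.0.113.9 443
1003 10.0.0.12 198.51.100.20 443
1010 10.0.0.12 198.51.100.20 443
1250 10.0.0.12 198.51.100.20 443
1251 10.0.0.12 198.51.100.20 443
1700 10.0.0.12 198.51.100.20 443
2600 10.0.0.12 198.51.100.20 443
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            yield int(ts), src, dst, int(dport)
        except ValueError:
            continue


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return [(src, dst, dport, mean_period_seconds)] for connection tuples
    that look like beacons: at least `min_connections` connections whose
    inter-connection intervals have a coefficient of variation
    (stdev / mean) no greater than `max_jitter`.

    Low variation means the connections are driven by a timer, not a person.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        by_tuple[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), stamps in by_tuple.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:  # all timestamps identical; not a schedule
            continue
        if pstdev(intervals) / avg <= max_jitter:
            beacons.append((src, dst, dport, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{period}s")
```

On the sample, only 10.0.0.7's traffic is flagged (about every 60 s); 10.0.0.12 has enough connections but its intervals are far too irregular. In practice you would tune `min_connections` and `max_jitter` for the observation window, and exclude known schedulers such as NTP, update servers and monitoring agents, which beacon legitimately.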

There are myriad other reasons people say they dislike pen tests—the cost, the potential for disrupting your business if the pen test takes down a system, the chance that a jaded consultant might just run a few scanning tools looking for known security holes and call it a pen test. John Pescatore, a security analyst at Gartner, thinks that pen tests fell out of favor in part because of what he calls "gray-hat" hackers, college kids who were doing work so cheaply that seasoned professionals got out of the business. Pescatore says he was aware of kids charging $500 for a test—compare that to one consultant interviewed for this story, who says she charges $500 per target IP address, with a minimum of five addresses. Pescatore argues that the kids didn't really know how to construct exercises that would reflect the complexities of corporate networks, and those low-cost, low-quality tests soured many CSOs on the concept.

Practical Matters

The first step in making penetration tests valuable is to understand how they should fit into the information security arsenal. Clearly, no one should rely on penetration tests as the only answer. Pescatore cautions that legitimate tests are too costly and time-intensive to do more than once a quarter. And any change to the system can render the previous pen test moot. "It's a snapshot in time," says Carole Fennelly, who runs the security consultancy WizardKeys. She says that pen tests are best used as a way to get an extra set of eyes on a network after major system upgrades.

Vulnerability assessments are a great companion piece to penetration tests. The difference between the two is critical, and André Gold, director of information security at Continental Airlines, can explain that difference.
