In Depth
Security: Penetration Testing
Penetration tests are falling in popularity. Here are the keys to making them valuable again.
By Michael Fitzgerald
Sharpening the Pen
Once a CISO knows where pen tests fit into the overall security scheme, he can move on to the practicalities of getting the most out of them.
For starters, keep an eye on business activities and requirements. "You don't want to do a pen test to the tax agency on April 15," says Will Pelgrin, director of the New York State Office of Cybersecurity and Critical Infrastructure Coordination. New York's agencies handle their own penetration tests now, but Pelgrin also is setting up pen tests as a service his group would offer via third-party firms. He's doing this now in part because of timing—his office has finished a series of security to-dos he'd deemed more important, such as a statewide security policy, mitigation gap analysis, compliance policies and the like. He's also looking to give the agencies a baseline for how to do the tests and some recommendations on people to perform them.
In offering the service, Pelgrin emphasizes the need for cooperation with the pen test providers and the agencies being tested. Poorly timed or poorly planned penetration tests can do more harm than good, he says, a concern borne out by one consultant who remembers when a financial services IT director scheduled a denial-of-service attack for the close of trading, and nearly shut down the company's systems. "Nobody would tell us it was a test, and we almost called the FBI; think of the embarrassment that would have caused the firm," the consultant says.
Colorado's Weatherford notes another key to valuable tests: Don't use them until you've made a reasonable effort to get your network secure. He's seen some people guilty of thinking a penetration test is the security version of pushing the Staples Easy Button. "People think you push the easy button and it will happen, your problems are clear." In fact, he says, the organization that does not have mature controls in place around IT systems will find pen tests of little value. "It just points out that your system can be exploited. Big deal." He also notes that this type of exercise can be damaging to poorly built systems, which is another reason to use pen tests with care. "I consider a pen test to be the supreme test for a mature organization. It's important to remember that pen tests are invasive activities and can break things," Weatherford says.
Echoing Gold's approach at Continental, Weatherford says the run-up to pen testing is to first establish policies, then conduct vulnerability assessments to identify weaknesses, and then remedy or mitigate the key weaknesses. Only then will the pen test yield maximum bang for the buck.