In Depth

Security: Penetration Testing

Penetration tests are falling in popularity. Here are the keys to making them valuable again.

By Michael Fitzgerald

Page 5

Sharper Still

Maximum results also depend on getting quality service from the test provider. Not all consultants are created equal, of course. It's up to the CISO to make sure that he gets the best talent, and the best out of that talent. Some tricks of the trade are obvious: Check references and also resumes of those doing the testing. If the people named on the resumes aren't the ones in your lobby, send them home. Several experts recommend not using the same consultant twice in the same year—you want fresh eyes on your network. Ultimately, the goal is to receive a valuable and useful report, so CISOs should ask for samples of prior reports, several years' worth, if possible. The reports may sound similar, but if they're identical, that's quite possibly a sign of a consultancy that's simply going through the motions of point-and-click scanning. In order to provide a baseline for testing, CISOs recommend doing at least some in-house pen testing and vulnerability scans before contracting out the work.

They also insist on asking questions. If test providers say something is vulnerable, ask them if they were able to exploit it. If they say yes, ask them to show you how. If they can't reproduce the exploit, that may be a sign of a problematic test.

Another tactic is to use false positives. "I put 'Easter eggs' in there somewhere—false positives I know will be picked up by a particular scanning tool," says Ken Pfeil, a CSO turned consultant. Pfeil also changes a configuration here and there during testing and doesn't tell the consultants, to see if they catch it.

Of course, CISOs must stay engaged throughout the process. Don't just wait for the report to arrive before you start to think about what's happening with your pen test. Be involved in the meetings and watch some of the testing.
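The checks above (an in-house baseline scan, planted false positives, and insisting that claimed vulnerabilities were actually exploited) can be turned into a simple report-triage script. This is an added example, not code from the article or from Pfeil; the hosts, issue names and report contents are constructed sample data.

```python
"""Triage a delivered pen-test report against an in-house baseline and planted decoys."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    exploited: bool = False  # vendor demonstrated a working exploit, not just a scanner hit


# Constructed sample data (hypothetical hosts and issues, not from the article).
BASELINE = {  # results of the in-house scan run before the engagement
    Finding("10.0.0.5", "outdated TLS cipher suites"),
    Finding("10.0.0.7", "default admin credentials"),
}
DECOYS = {  # deliberately planted false positives a point-and-click scanner will flag
    Finding("10.0.0.9", "banner advertises vulnerable FTP version"),
}
VENDOR_REPORT = [  # findings as delivered by the consultant
    Finding("10.0.0.5", "outdated TLS cipher suites"),
    Finding("10.0.0.9", "banner advertises vulnerable FTP version"),
    Finding("10.0.0.11", "SQL injection in login form", exploited=True),
]


def triage(report, baseline, decoys):
    """Classify vendor findings so the CISO knows which questions to ask."""
    key = lambda f: (f.host, f.issue)
    reported = {key(f): f for f in report}
    decoy_keys = {key(f) for f in decoys}
    base_keys = {key(f) for f in baseline}
    known = base_keys | decoy_keys
    return {
        # Decoys copied straight into the report suggest unreviewed scanner output.
        "regurgitated_decoys": sorted(k for k in reported if k in decoy_keys),
        # Baseline issues the vendor never reported: ask why they were missed.
        "missed_baseline": sorted(k for k in base_keys if k not in reported),
        # New claims without a demonstrated exploit: ask them to show you how.
        "new_unverified": sorted(k for k, f in reported.items()
                                 if k not in known and not f.exploited),
        # New findings the vendor actually reproduced: the real value of the test.
        "new_exploited": sorted(k for k, f in reported.items()
                                if k not in known and f.exploited),
    }


if __name__ == "__main__":
    for category, items in triage(VENDOR_REPORT, BASELINE, DECOYS).items():
        print(f"{category}: {items}")
```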

So while some CSOs may be grumbling about pen tests, it's clear that others want them. As a consultant, Pfeil says pen testing occupies most of his time. "Pen tests were a valuable tool in my life as a CSO, and they still are," he says. CISOs just need to apply these lessons to make sure they're getting the value they should.

Michael Fitzgerald is a freelance writer based outside Boston. E-mail feedback to Editor Derek Slater at dslater@cxo.com.
