Security: Penetration Testing
Penetration tests are falling in popularity. Here are the keys to making them valuable again.
By Michael Fitzgerald
July 01, 2006 — CSO
Steve Katz sat at his desk, reading an e-mail that he had hoped never to see. An outsider had access to the systems at his company. Katz, who was CISO at a large financial firm, would have to tell his boss. And that could be the start of something ugly.
The silver lining for Katz was this: The outsider was an ethical hacker Katz had hired to see if the company's systems could be penetrated. While it wouldn't be fun to deliver the news—"the guy had become a user of the system. He could've probably gotten access to critical applications," Katz says—at least it was just a penetration test.
"If you have significant value at risk, either your reputation or financial, a pen test is absolutely worth the price," Katz says. Lately, however, it seems that pen tests have fallen precipitously from the CISO radar. On the 2006 "CSO Magazine Sensor Survey," the tests were only the ninth priority for CISOs surveyed, down from third in 2005. While Katz says financial companies still use this tactic, the financial industry (which is usually on the high side of information security spending) is apparently bucking the trend. Anecdotally, CISOs elsewhere say they're tired of seeing reports listing scads of vulnerabilities that aren't legitimate, or of paying top dollar to have a consultant run a glorified system scan, or of too many security consultants with no understanding of how a corporate network really functions.
But guess what? Penetration tests still matter. In fact, Gartner Group earlier this year issued a report arguing that pen tests are more important now than ever before, because hackers have shifted from mass attacks like worms to targeted, multipronged attacks on specific companies. A well-executed penetration test can identify the most critical holes in an organization's defensive net—including the holes exploited by social engineering. CISOs who swear by these tests say you just need to sharpen your approach to them to make them useful, and here they offer tips on how to do just that.
Penetration Tests: Failing Grades
There are plenty of reasons why pen tests seem to have lost their ink.
For one thing, the results usually surprise no one: The network is vulnerable. One former security consultant who goes by the handle Hellnbak (and who now works at eEye Digital Security) said in an e-mail, "I've done hundreds of pen tests, and I was able to break into the network every time, with two exceptions. For the most part, companies should be taking the money they are wasting on a pen test and spending it on a secure network design session."