Penetration testing: an enterprise guide

Ultimately, a penetration tester can never conclude that your network is secure, only that at that point in time, and using the knowledge he or she possesses, no vulnerabilities were discovered.

"Systems could stop working due to configuration issues introduced by the enterprise and these will be out of the control of the testing organisation," Kyriacou continues. "However, penetration testing organisations also have a duty of care. They need to ensure that they do not actively test for Denial of Service (DoS), which could bring systems down unless authorised to do so."

But while agreements can be tailored, they are typically the same for most enterprises. That said, there may be specific requirements, such as actively testing for any Denial of Service vulnerabilities or attempting to remove data from databases, and these will be included in the scoping document that is signed off by both parties.

"Pen testing organisations will typically use penetration test systems that do not belong to their customers (requesting the penetration test), but they are using infrastructure belonging to a third party," Kyriacou explains. "In this situation, the enterprise must gain authorisation from the third party for the penetration test to occur and the penetration testing organisation should ensure that this agreement is in place prior to the penetration test."

In conclusion, or inconclusive?

We will leave the last word to Marcus J Ranum, CSO at Tenable Network Security, who warns that pen testing is more accurately described as a penetration demonstration and nothing else.

"This may seem like a theoretical quibble, but it's not," Ranum told IT Pro. "Penetration testing is not a test in a useful sense. When one uses the term 'test' one is falling under the rubric of scientific or testing methodologies - and the single most important question a scientist or researcher asks about any test or experiment is 'What are the possible results?' In a scientific framework, there are certain things science can't prove, so you have to sneak up on a hypothesis by eliminating all the other hypotheticals that would refute it. This is an important and subtle point, because it cuts right to the heart of how most of the industry doesn't understand penetration testing - you are not able to prove that a system is secure, you can only prove that it's vulnerable."

To cut to the chase, then, while pen testing is a valuable weapon in your enterprise security strategy armoury, it shouldn't be seen as something that can fire a magic bullet and make security problems go away. Far from it, Ranum argues. "If the theory being tested is 'my network is secure' and you perform a penetration test to find a vulnerability, then the hypothesis is refuted: 'my network is secure' is untrue," he says.

"Unfortunately, you can't prove a negative that way, you cannot conclude that 'because my penetration testers found nothing, therefore my network is secure' - the best you can conclude is that your penetration testers didn't find anything."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.