Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?

Given the ever increasing number of risks to your data, getting your network security strategy right is more important than ever.

What is it?

What does penetration testing actually mean? As the Assessment Practice Manager at Rapid7, Jack Daniel heads up the penetration testing professional services unit for the company. Daniel defines penetration testing, more commonly known within the IT Security community as pen testing or ethical hacking, as being "a manual, time-limited test emulating how a malicious individual would attack your environment with an end goal in sight."

While most assessments are based on some measure of quantitatively scored risk, which is theorised and weighted on a number of factors, penetration testing executes attacks from a real-world attacker’s perspective to highlight what the real risks are.

This begs the question of what the end goal is. It’s not quite so simple to define, but the list may include such things as intellectual property, financial records, personal identifiable information (PII) or even an attempt to defame the organisation through service outages, defacing digital property or some other shaking of consumer confidence. "A penetration test does what no other assessment can," Daniel explains. "It tests your susceptibility to an attack."


Do you need it?

Kate Craig-Wood, managing director of Memset, knows a thing or two about penetration testing from the enterprise side of the fence as her organisation has been there, done that and can wear the 'We have been pen tested' T-shirt. IT Pro asked her how Memset went about this and whether every enterprise should be following her lead...

"We initially contacted a CREST consultancy, Trusted Management, who advised us which pen tests we should be doing and then they recommended Incryption to us who are part of the Tiger scheme, who worked with us to help design the tests and carry them out," Craig-Wood said.

As for which enterprises should be thinking about doing the same, is the answer really as simple as 'anyone who holds value in their data' or is it a little more complex? After all, ISO 27001 as a whole does not specifically state that penetration testing is a requirement for certification, for example.

"It's a great add-on and can certainly help you to prove that your systems are protected from fraudulent activity or unauthorized disclosure," Craig-Wood argues. And, as for any enterprise looking to work with government, now that G-Cloud has come into play, they will need to undergo some level of pen testing.

"Even if you're operating at the low end IL1 and IL2 levels and it need not be that sophisticated either, we simply set up an account, gave the hackers access to a Miniserver VM - which they used to attack other machines - and so on," Craig-Wood insists. If you are operating at IL3 or in finance or a large corporation, then pen testing would be pretty much mandatory. What it need not be is prohibitively expensive. "It's worth spending the money to have your systems checked and you shouldn't be spending much more than £2-3K to undergo pen testing," Craig-Wood concludes. "If you are, look for someone else who is CESG approved or part of the Tiger scheme."


Ranum's argument about "Penetration testing" and "Penetration demonstration" is rather weak. Very few scientists define "laws", but rather "theories", precisely because their results are not exhaustive nor conclusive, so his definition of a "test" doesn't stand.

Testing is about quantification, not confirmation. That is, when I test an application, I am quantifying the risk involved in the product going live, by identifying defects (whether functional issues, security breaches, usability etc). I may not find all of the likely defects, but I can identify a large number of them, which can be rectified, and thereafter obtain a quantified likelihood of any other faults occurring.

Penetration testing is therefore a test in a useful sense: it identifies any faults or potential weaknesses; it mitigates the risk of those faults; and it allows the business to quantify the likelihood of future faults.