Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?

"Systems could stop working due to configuration issues introduced by the enterprise and these will be out of the control of the testing organisation," Kyriacou continues. "However, penetration testing organisations also have a duty of care. They need to ensure that they do not actively test for Denial of Service (DoS), which could bring systems down unless authorised to do so."

While agreements can be tailored, they are typically much the same for most enterprises. That said, there may be specific requirements, such as actively testing for Denial of Service vulnerabilities or attempting to exfiltrate data from databases, and these will be set out in the scoping document that is signed off by both parties.

"Pen testing organisations will typically use penetration test systems that do not belong to their customers (requesting the penetration test), but they are using infrastructure belonging to a third party," Kyriacou explains. "In this situation, the enterprise must gain authorisation from the third party for the penetration test to occur and the penetration testing organisation should ensure that this agreement is in place prior to the penetration test."

In conclusion, or inconclusive?

We will leave the last word to Marcus J Ranum, CSO at Tenable Network Security, who warns that what the industry calls pen testing is more accurately a penetration demonstration, and nothing more.

"This may seem like a theoretical quibble, but it's not," Ranum told IT Pro. "Penetration testing is not a test in a useful sense. When one uses the term 'test' one is falling under the rubric of scientific or testing methodologies - and the single most important question a scientist or researcher asks about any test or experiment is 'What are the possible results?' In a scientific framework, there are certain things science can't prove so you have to sneak up on a hypothesis by eliminating all the other hypotheticals that would refute it. This is an important and subtle point, because it cuts right to the heart of how most of the industry doesn't understand penetration testing - you are not able to prove that a system is secure, you can only prove that it's vulnerable."

To cut to the chase, then: while pen testing is a valuable weapon in the enterprise security armoury, it shouldn't be seen as a magic bullet that makes security problems go away. Far from it, Ranum argues. "If the theory being tested is 'my network is secure' and you perform a penetration test to find a vulnerability, then the hypothesis is refuted: 'my network is secure' is untrue," he says.

"Unfortunately, you can't prove a negative that way, you cannot conclude that 'because my penetration testers found nothing, therefore my network is secure' - the best you can conclude is that your penetration testers didn't find anything."

Ultimately, a penetration tester can never conclude that your network is secure, only that at this point in time, and with the knowledge he or she possesses, no vulnerabilities were discovered.
