Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?


"Systems could stop working due to configuration issues introduced by the enterprise and these will be out of the control of the testing organisation," Kyriacou continues. "However, penetration testing organisations also have a duty of care. They need to ensure that they do not actively test for Denial of Service (DoS), which could bring systems down unless authorised to do so."


Engagement agreements can be tailored, but in practice they look much the same for most enterprises. Where an enterprise has specific requirements, such as actively testing for Denial of Service vulnerabilities or attempting to extract data from databases, these must be set out in the scoping document that both parties sign off before testing begins.

"Pen testing organisations will typically use penetration test systems that do not belong to their customers (requesting the penetration test), but they are using infrastructure belonging to a third party," Kyriacou explains. "In this situation, the enterprise must gain authorisation from the third party for the penetration test to occur and the penetration testing organisation should ensure that this agreement is in place prior to the penetration test."


In conclusion, or inconclusive?

We will leave the last word to Marcus J Ranum, CSO at Tenable Network Security, who warns that what the industry calls a penetration test is more accurately a penetration demonstration, and nothing more.


"This may seem like a theoretical quibble, but it's not," Ranum told IT Pro. "Penetration testing is not a test in a useful sense. When one uses the term test one is falling under the rubric of scientific or testing methodologies - and the single most important question a scientist or researcher asks about any test or experiment is 'What are the possible results?' In a scientific framework, there are certain things science can't prove so you have to sneak up on a hypothesis by eliminating all the other hypotheticals that would refute it. This is an important and subtle point, because it cuts right to the heart of how most of the industry doesn't understand penetration testing - you are not able to prove that a system is secure, you can only prove that it's vulnerable."

To cut to the chase, then: while pen testing is a valuable weapon in the enterprise security armoury, it should not be seen as a magic bullet that makes security problems go away. Far from it, Ranum argues. "If the theory being tested is 'my network is secure' and you perform a penetration test to find a vulnerability, then the hypothesis is refuted: 'my network is secure' is untrue," he says.


"Unfortunately, you can't prove a negative that way, you cannot conclude that 'because my penetration testers found nothing, therefore my network is secure' - the best you can conclude is that your penetration testers didn't find anything."

Ultimately, a penetration tester can never conclude that your network is secure, only that at this point in time, and with the knowledge and techniques he or she possesses, no vulnerabilities were discovered.
