Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?

Ultimately, a penetration tester can never conclude that your network is secure, only that in this point of time and using the knowledge he or she possesses, no vulnerabilities were discovered.

"Systems could stop working due to configuration issues introduced by the enterprise and these will be out of the control of the testing organisation," Kyriacou continues. "However, penetration testing organisations also have a duty of care. They need to ensure that they do not actively test for Denial of Service (DoS), which could bring systems down unless authorised to do so."

But, while agreements can be tailored, typically they are the same for most enterprises. That said, there may be specific requirements such as actively testing for any Denial of Service vulnerabilities or attempting to remove data from databases and these will be included in the scoping document that will be signed off by both parties.

"Pen testing organisations will typically use penetration test systems that do not belong to their customers (requesting the penetration test), but they are using infrastructure belonging to a third party," Kyriacou explains. "In this situation, the enterprise must gain authorisation from the third party for the penetration test to occur and the penetration testing organisation should ensure that this agreement is in place prior to the penetration test."

Advertisement - Article continues below
Advertisement - Article continues below

In conclusion, or inconclusive?

We will leave the last word to Marcus J Ranum, CSO at Tenable Network Security, who warns that pen testing is actually more accurately a penetration demonstration and nothing else.

"This may seem like a theoretical quibble, but it's not," Ranum told IT Pro.  "Penetration testing is not a test in a useful sense. When one uses the term test one is falling under the rubric of scientific or testing methodologies - and the single most important question a scientist or researcher asks about any test or experiment is What are the possible results?' In a scientific framework, there are certain things science can't prove so you have to sneak up on a hypothesis by eliminating all the other hypotheticals that would refute it. This is an important and subtle point, because it cuts right to the heart of how most of the industry doesn't understand penetration testing - you are not able to prove that a system is secure, you can only prove that it's vulnerable."

To cut to the chase, then, while pen testing is a valuable weapon in your enterprise security strategy armoury, it shouldn't be seen as something that can fire a magic bullet and make security problems go away. Far from it, Ranum argues. "If the theory being tested is 'my network is secure' and you perform a penetration test to find a vulnerability, then the hypothesis is refuted: 'my network is secure' is untrue," he says.

"Unfortunately, you can't prove a negative that way, you cannot conclude that 'because my penetration testers found nothing, therefore my network is secure' - the best you can conclude is that your penetration testers didn't find anything."

Ultimately, a penetration tester can never conclude that your network is secure, only that in this point of time and using the knowledge he or she possesses, no vulnerabilities were discovered.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

Most Popular

Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019

Patch issued for critical Windows bug

11 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019