RE: How would you describe the risk if a company doesn't do penetration tests?
I had this same conversation recently internally with a few managers
here. The way I approached it with them is the pen test is "a test of
the technical controls, procedures, and processes which support the
information security goals of the organization".

So what does that mean?

- On the technical side, by pentesting your network you find areas which
are or are not being managed appropriately. As an example, say you've
got a 30 day patch policy that all medium, high, and critical patches
have to be applied to servers and apps. During the pentest, the testers
find a few servers which are behind in patches by 60 days and then
exploit them. Through that you can determine 1) that there are indeed
mismanaged servers in the enterprise and 2) the downstream effects of
those servers being compromised - does your defense strategy truly
involve multiple layers of security? Which one worked? Which one(s)
didn't?

- On the procedure side, you get to watch from the sidelines while your
network/server/security teams attempt to track the reconnaissance
activity and spot attacks. Did the IDP/IDS sensors work? How were they
evaded? Were your network/security folks actually able to catch the
activity? It's a real nice feeling when your network guys come up to you
the next morning and say "hey, we got a bunch of hits last night on the
IDP sensors and it looks like a structured attack - can we run this by
you?"

- On the process side, what happens when 1) a server was "breached" and
2) when a server wasn't "breached". Did the incident response process
work? Was notification performed according to policy? Is more training
required? A good example here is most organizations rarely test their
incident response tools/capabilities outside of the normal
virus/worm/forensics. When was the last time you actually ran a full
"server X is breached" - go find out how, why, what they "stole"? Work
with legal and mgmt to test their responses as well - was the breach
notification process updated and actually working?

And lastly, from a non-technical side, social engineering (which should
be part of every pen test) - were the right processes followed by the
helpdesk? Are there even procedures for reporting activity? What's the
sensitivity level of the organization to SE attacks?

A lot of these things you can never fully determine without a real
incident. Structured appropriately, the pen tests can be a real good
assessment of not only your point in time person X can hack us, but also
identifies weaknesses in other areas of the enterprise well outside of
just having some exploits run.

My 2 cents.

Dan


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Sebastiaan
Sent: Thursday, September 17, 2009 7:55 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: How would you describe the risk if a company doesn't do
penetration tests?

I'm currently doing an audit. Part of the audit scope is to audit the
penetration testing methodologies that are used.

Now for the risk/control matrix I have to come up with a good
description of a risk of not having penetration tests done.

We had discussions like this before on the list, basically concluding
that pen-testing only shows you that that specific pen-tester can't
hack into/harm your systems, etc.

From a compliance point of view they run the risk of not being
compliant (because of PCI, local law, etc) but I need a better, juicier
"risk" description ;)

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
