
Are Penetration Tests Confusing?

Posted on January 22, 2018 by Advisory Team

Many self-proclaimed experts are incredible at selling solutions or services that claim to solve all your cyber risks. Unfortunately, the magic bullet, the two-birds-one-stone offering, or the all-in-one solution often ends up inefficient, ineffective, complex, or expensive to adopt completely.

The harsh reality is that most of your corporate risk is caused by people, specifically that one individual who clicked on the wrong attachment or link, or simply failed to think before acting. In other cases, cyber breaches are caused by malicious individuals with the intent of disrupting business operations. Not everyone is Milton (Office Space, 1999), threatening to burn down the place if you take his red stapler, but such people do exist.

Here's where a Penetration Test can identify some risk, but not all, and it's important to realize that tests vary based on who conducts them and how deep they go into your environment. For the simplest analogy, think of your home: it has an outside, an inside, and personal items in cabinets, drawers, closets, and so on. When you install a home alarm system, it typically consists of motion and glass-break sensors with keypads. That's great, but it only protects you from outside intruders; we call this the perimeter. Once the perimeter is breached or bypassed (think of your typical user or admin with system credentials), it's often difficult to protect the assets inside it.

Often, companies believe that a firewall is the best line of defense, but as recent cyber breaches like Equifax prove to us, a vulnerable system is always the way in for cyber criminals. This is where rinse-and-repeat comes into play. Companies must conduct quarterly or annual Penetration Tests to help identify their weaknesses and the most likely point of attack.

However, to my earlier point, Penetration Tests can be overwhelming because everyone out there is doing them differently, and costs are all over the board. Here are some things to consider when evaluating what's right for your company.

Determine the Type of Scan and Analysis:

  1. External such as assets, websites, third-party applications
  2. Perimeter such as firewall, proxy, access systems
  3. Internal such as platforms, applications, infrastructure

Scope:

  1. Make sure you document the desired scope and expectations
  2. Is it a repeatable process that meets your quarterly or annual requirements?
  3. What will the costs and deliverables be for repeating the Penetration Test 3, 6, 9, or 12 months later?

Report:

  1. Request a sample report and ensure that it satisfies your leadership team, auditor, or Chief Compliance Officer

Most Penetration Tests should be repeatable, and a repeat should cost significantly less than the initial one. It's similar to a personal health check: a complete annual checkup is more extensive than a routine appointment, and the annual checkup serves as the baseline against which any deviations in your health are detected. Also, there's a good chance you have access to the software or hardware used during the penetration test, so you can run a progress report yourself.

At the end of the day, always focus on the need, talk to several true cyber security experts, and do your research before starting the work. There are too many questionable practices taking place with very little return or few quality deliverables.
