Rob Buckley – Freelance Journalist and Editor

Pen testing: How to ensure effective testing


Finding potential weaknesses in your systems before someone else does can save you a lot of trouble. Just follow Rob Buckley's top tips.


8. Presenting the results
It is almost guaranteed that if you have an infrastructure of a certain size and are worried enough to hire a pen tester, then the tester will find something - and no two individuals will come up with the exact same list of issues. What they find and how they present it to you is another way of assessing testing companies. You should always ask for a sample report from the pen tester in advance of using their services. The best ones will not only highlight technical problems, they will categorise them by risk, letting you know whether there are known exploits or whether the vulnerability is purely theoretical, and tell you what you can do about it. The top-flight testers may provide an executive summary as well as a technical report, depending on the intended audience. The worst pen testers will simply produce a voluminous report that sits on a shelf gathering dust because there is apparently so much to do that it is impossible to know where to start.

9. Act on the test findings
It's up to you what you do with the information from the report, but plan to allocate some time and money to fixing whatever the pen tester finds. At the very least, you should have some kind of risk analysis strategy to decide what to do about the results of the process. Checking with various sites such as the SANS Institute's for up-to-date exploit information should help you find out whether threats are currently serious, and the advice of other security consultants can also be useful.
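The two points above (a report that categorises findings by risk and distinguishes known exploits from theoretical ones, and a risk analysis strategy for deciding what to fix first) can be turned into a simple, repeatable triage. The following is an added illustration, not code from the article or from any testing company; the severity and exposure weights, the bucket thresholds and the sample findings are all constructed assumptions to be tuned to your own environment.

```python
"""Risk-based triage of pen-test findings (added illustration, not from the article).

Each finding carries a severity rating, whether a public exploit is known
(as opposed to the issue being purely theoretical), and how exposed the
affected asset is. The score ranks findings so that remediation effort goes
first to the items most likely to be used against you. All weights,
thresholds and sample findings below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed weights: tune to your own risk appetite.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}


@dataclass
class Finding:
    ident: str
    title: str
    severity: str        # critical / high / medium / low
    exploit_known: bool  # True if a public exploit exists, False if theoretical
    exposure: str        # internet / partner / internal
    remediation: str     # what the tester says you can do about it


def priority_score(f: Finding) -> int:
    """Higher score means fix sooner. A known exploit doubles the weight,
    so an exploitable medium on an internet-facing host can outrank a
    theoretical critical on an internal-only system."""
    base = SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure]
    return base * 2 if f.exploit_known else base


def bucket(score: int) -> str:
    """Map a score to an action bucket (assumed thresholds)."""
    if score >= 40:
        return "fix now"
    if score >= 14:
        return "fix this quarter"
    return "track / accept with sign-off"


def triage(findings):
    """Return (ident, score, bucket) tuples, highest priority first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.ident, priority_score(f), bucket(priority_score(f))) for f in ranked]


def executive_summary(findings):
    """Count findings per bucket: the one-line view for the board."""
    counts = {}
    for f in findings:
        b = bucket(priority_score(f))
        counts[b] = counts.get(b, 0) + 1
    return counts


# Constructed sample findings, as a tester's report might list them.
SAMPLE_FINDINGS = [
    Finding("F1", "Outdated web framework", "medium", True, "internet",
            "Upgrade to the vendor's supported release"),
    Finding("F2", "Weak cipher on internal admin console", "critical", False, "internal",
            "Disable legacy cipher suites"),
    Finding("F3", "Unauthenticated file upload", "high", True, "internet",
            "Require authentication and validate file types"),
    Finding("F4", "Verbose error page", "low", False, "partner",
            "Return generic errors to clients"),
]

if __name__ == "__main__":
    for ident, score, action in triage(SAMPLE_FINDINGS):
        print(f"{ident}: score {score:3d} -> {action}")
    print(executive_summary(SAMPLE_FINDINGS))
```

Note how the ordering falls out: F3 (high, known exploit, internet-facing) lands in "fix now", F1 (medium but exploitable from the internet) outranks F2 (critical on paper but theoretical and internal-only), and the remainder are tracked rather than ignored. The summary counts give the executive view the article describes, while the full ranked list is the technical one.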

10. Put it in your diary
How often you pen test is a decision you need to make for yourself. Most consultants agree that an annual check-up is the minimum for most companies, with additional run-throughs whenever any big changes are made to the infrastructure. You can reduce the frequency to some extent by doing some testing yourself, using methodologies and tools downloaded from the web. But you need time to do this, and it is unlikely you will have the skills to find the more complicated exploits yourself. Nevertheless, it is worth doing simply to get rid of the most egregious weaknesses before the pen testers arrive.

Pen testing, when done correctly, can give you assurance that you are reasonably secure in practice as well as in theory. While it cannot guarantee impregnability, it can reveal Achilles heels you never knew you had - before anyone else finds out about them.

THE CASE AGAINST PEN TESTING
Although pen testing has its proponents, many argue that it has flaws. “It is obviously a great way to verify if systems have been built right, as long as you are better than the bad guy,” says Roger Thornton, founder and CEO of Fortify. “Where it falls down is the pretty dangerous assumption that the pen tester has as much time as a bad guy.” Even if a pen tester comes in for a week every few months, so the argument goes, that's still less time than a determined hacker will have for evaluating every possible chink in your network's armour.

Thornton also highlights the issue of skills. Does someone who has never broken the law have the same insights and abilities as someone who has crossed that ethical line? “People who do the best pen testing are the best hackers,” he says. “But do you want to hire a reformed criminal as a tester?”

But if you don't hire the best, are you really testing your network, or are you leaving the determined, skilled criminal with an opening?

Richard Hibbert, chief executive of SureCloud, argues that the differences between pen testers make it hard to compare companies. “For good-quality pen testing, quotes vary wildly from hundreds of pounds to thousands,” he says. “And like MOTs, the moment they're done, they're out of date.” With no common format for reports, it's hard to see what the differences or similarities might be, even when the companies have been testing the same networks, which makes it relatively easy to baffle buyers.

CASE STUDY - CPP GROUP
The CPP Group provides what it calls “life assistance” to its customers. As part of its services, it keeps its customers' credit-card details and other important facts on file so that if their wallet or purse is lost or stolen, CPP can inform their banks, credit card companies, mobile phone suppliers etc.

Needless to say, CPP needs to be sure its systems are secure to assure clients, prevent any breaches that could reveal confidential information and abide by the terms and conditions of the payment card industry.
