Strategies for Choosing the Right Pen Test

Sunday, August 08, 2010

Ron Lepofsky


Pen tests may seem like a security-testing panacea. However, they have been known to go terribly wrong and become vastly expensive. Here’s what you need to know to make sure you get the results you want at the price you expect.

Pen tests come in many flavours and degrees of risk. Some pen tests are active, which means a security expert is actively trying to exploit the security vulnerabilities they have identified.

Some are passive, which means the test is really a vulnerability assessment. In a vulnerability assessment there is no active testing whatsoever.

There are black box and white box pen tests. Black box tests assume zero prior knowledge. The auditor must first do research, which may include social engineering, in order to create a profile of the target network.

It gets better. 

The black box pen test can be done on a need-to-know basis with the IT department kept in the dark. The sponsor of the audit, such as the IT Security Governance Committee, may deem it necessary to exclude members of the IT department from being informed about the test.

White box pen tests are philosophically the exact opposite of black box pen tests.  White box pen tests are based upon testing specific security elements within an enterprise network and all the work is carefully choreographed in concert with the client’s IT operations group prior to commencement of the test. 

In my opinion this is a much better approach, for the following reasons:

  • The test will focus exactly on the technology that is of business concern to the enterprise.
  • The risk of unintended damage and downtime during an active pen test is reduced.
  • Adequate backups can be done prior to the pen test.

If you decide on any sort of pen testing my advice is to discuss the test methodology with respect to several standards and recommended methodologies.  Here are but a few to consider:

What are you trying to identify?

If your goal is to identify security and compliance vulnerabilities, then I would suggest you strongly consider the white box pen test or a vulnerability assessment. In my opinion there is a far better return on investment from paying an auditor to find the vulnerabilities, allowing you the time to fix them, and then retesting, than from paying someone to attempt to breach a vulnerability.

The reason for this is quite simple. The time a pen test team will spend attempting to breach a vulnerability is usually in direct proportion to the amount of money the client is willing to pay for the test.

So test time is limited. Not so for a potential hacker. So money is better spent eliminating a vulnerability than testing it.

It is also critical to identify exactly what elements of an infrastructure are worth examining for vulnerabilities:

  • Elements facing outward toward the Internet or inward toward “insiders”.
  • Applications – web based or otherwise.
  • Server operating systems and configurations.
  • Network security hardware and software.
  • Network telecommunications technology.
  • Network security architecture.
  • Intrusion detection and IT operations response to potential threats.
  • Portable device security / authentication / identity management.

Careful consideration of your business goals should point you in the right direction when choosing your pen test options. Have a secure week.

hamza karmani: I don't have a word to tell you. Good article, thanks.