Pen Testing for Low Hanging Fruit - Part 3 of 7

Tuesday, October 19, 2010

Bryan Miller


Why Should We Test? - Part 3 of a 7-part series (Part 1 Here) (Part 2 Here)

Some of the many reasons that have been voiced over the years for not performing a penetration test include:

  • "We already know where everything is broken".
  • "If you tell us what's wrong, we'll have to fix it".
  • "We don't have anything that hackers want".
  • "We're too small to matter".
  • "We haven't fixed the things you found broken last time."
  • "Our employees don't know how to do bad things."

Information Technology security and privacy vendors add some amount of Fear, Uncertainty and Doubt (FUD) [5] to the decision-making process. 

The thought is that if you scare clients enough they will spend money on your products and services.  This tactic may have worked 5-10 years ago but not today. 

With the amount of security information available on the Internet it is hard to bluff your way into a client's wallet. 

In reality, FUD will usually deter a client from spending money instead of encouraging them. 

Companies today want honest, straightforward advice on the best and most economical solutions to help them meet their security and privacy concerns.

While there aren't right and wrong responses to each of the objections specified earlier, I certainly feel there are more and less appropriate responses. 

One appropriate response is to remind the client of their obligation to protect the sensitive information they possess on their employees, clients and customers. 

There are many privacy concerns relating to employee information that need to be addressed. Simply hoping that your employees or contractors are honest and wouldn't try to access unauthorized information is not enough.

Each organization has some responsibility to implement appropriate security and privacy controls and to periodically test those controls.

Where it applies, another effective response is to help the client understand that security and privacy compliance is often mandated by state or Federal law.

It is unfortunate but true that some organizations would not otherwise provide a sufficient level of information security unless required to do so by law.

Given the many different statutes that are in effect today it is hard to imagine having to explain to a company why these privacy regulations are needed. 

It is important to convince clients that complying with privacy regulations makes sense for reasons other than simply satisfying existing laws.

Compliance is good because in the long run it saves the company time, money and reputation. 

Employee lawsuits due to privacy violations cost companies millions of dollars each year and often result in employees and customers losing respect for the integrity of the company.

The effects of privacy and security violations are seen in the news each week, with companies receiving fines and bad publicity for each violation. 

Some companies never fully recover from large security or privacy breaches. 

Others will recover but carry that stigma for a long time and spend large amounts of money on advertising campaigns designed to bolster their corporate reputation.
