The latest issue of CRYPTO-GRAM had a number of interesting articles,
and in particular one regarding penetration testing. Those of you who
attended the SANS training recently will recall Eric Cole mentioning
many times that his company does pen testing. Here is the article, for
those of you who don't subscribe to CRYPTO-GRAM.


** *** ***** ******* *********** *************

      Is Penetration Testing Worth It?



There are security experts who insist penetration testing is essential
for network security, and you have no hope of being secure unless you do
it regularly. And there are contrarian security experts who tell you
penetration testing is a waste of time; you might as well throw your
money away. Both of these views are wrong. The reality of penetration
testing is more complicated and nuanced.

Penetration testing is a broad term. It might mean breaking into a 
network to demonstrate you can. It might mean trying to break into a 
network to document vulnerabilities. It might involve a remote attack, 
physical penetration of a data center or social engineering attacks. It 
might use commercial or proprietary vulnerability scanning tools, or 
rely on skilled white-hat hackers. It might just evaluate software 
version numbers and patch levels, and make inferences about 
vulnerabilities.

It's going to be expensive, and you'll get a thick report when the 
testing is done.

And that's the real problem. You really don't want a thick report 
documenting all the ways your network is insecure. You don't have the 
budget to fix them all, so the document will sit around waiting to make 
someone look bad. Or, even worse, it'll be discovered in a breach 
lawsuit. Do you really want an opposing attorney to ask you to explain 
why you paid to document the security holes in your network, and then 
didn't fix them? Probably the safest thing you can do with the report, 
after you read it, is shred it.

Given enough time and money, a pen test will find vulnerabilities; 
there's no point in proving it. And if you're not going to fix all the 
uncovered vulnerabilities, there's no point uncovering them. But there 
is a way to do penetration testing usefully. For years I've been saying 
security consists of protection, detection and response--and you need 
all three to have good security. Before you can do a good job with any 
of these, you have to assess your security. And done right, penetration 
testing is a key component of a security assessment.

I like to restrict penetration testing to the most commonly exploited 
critical vulnerabilities, like those found on the SANS Top 20 list. If 
you have any of those vulnerabilities, you really need to fix them.

If you think about it, penetration testing is an odd business. Is there 
an analogue to it anywhere else in security? Sure, militaries run these 
exercises all the time, but how about in business? Do we hire burglars 
to try to break into our warehouses? Do we attempt to commit fraud 
against ourselves? No, we don't.

Penetration testing has become big business because systems are so
complicated and poorly understood. We know about burglars and kidnapping
and fraud, but we don't know about computer criminals. We don't know
what's dangerous today, and what will be dangerous tomorrow. So we hire
penetration testers in the belief they can explain it.

There are two reasons why you might want to conduct a penetration test.
One, you want to know whether a certain vulnerability is present because
you're going to fix it if it is. And two, you need a big, scary report
to persuade your boss to spend more money. If neither is true, I'm going
to save you a lot of money by giving you this free penetration test:
You're vulnerable.

Now, go do something useful about it.

This essay appeared in the March issue of "Information Security," as the
first half of a point/counterpoint with Marcus Ranum.
http://informationsecurity.techtarget.com/magItem/0,291266,sid42_gci1245619,00.html 
or http://tinyurl.com/yrjwol

Marcus's half:
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html 
or http://tinyurl.com/23ephv


** *** ***** ******* *********** *************