Penetration testing (pen testing for short) is the subject of an ongoing debate, and of a great deal of misunderstanding. Talk about it with fellow sysadmins over lunch and you're likely to hear several different opinions on what it is and whether you should be doing it at all. So, which is it: Do you need to be doing it, and if so, how often?
What It Is and What It Isn't
A buddy over at your cloud supplier just told you penetration testing is the same as a vulnerability scan, the helpdesk rep next to you says it's a compliance audit, and your boss calls it a security assessment. They're all wrong, yet each is a little bit right: A properly conducted pen test tells you how effective your existing security controls actually are against an active attack by a skilled adversary, because the tester tries to exploit what they find instead of merely listing it. A vulnerability scan finds the holes; a pen test tells you how big they are and what an attacker can reach through them.
What Will Pen Testing Tell Me?
Properly performed, pen testing will at least:
- Determine whether specific attack vectors are feasible against your environment
- Assess the magnitude of the operational impact of a successful attack
- Provide evidence that your department needs a bigger budget
- Test your team's ability to detect and respond to an adaptive attacker, not just a scanner
- Identify vulnerabilities (chained weaknesses, logic flaws, weak credentials) that a simple vulnerability scan or security assessment will miss
- Help you meet compliance requirements such as PCI DSS and HIPAA
Is It Worth It?
Even a basic automated scan of your public IP ranges costs money, and the services and software that perform in-depth testing can be downright expensive. When deciding how far to go, weigh that cost against what your company's data and intellectual property are worth. The average cost of a data breach to the affected company is estimated at more than $3 million. The Target data breach in 2013? Earlier this year, the big-box retailer put its breach-related costs for 2013-2014 at $162 million, not including lost business and potential expenses from class-action lawsuits.
How Often Should Pen Testing Happen?
Those handling cardholder data are (or should be) well-versed in the Payment Card Industry Data Security Standard (PCI DSS). Requirement 11.3 of that standard calls for penetration testing at least annually and after any significant infrastructure or application change. Add to that list changes to end-user policies, a new office coming online and the rollout of security patches, and you've got a solid idea of when a pen test should take place. Keep in mind that a pen test is a point-in-time exercise: its findings describe the environment as it was on the day of the test, which is why change-triggered retesting matters as much as the annual cycle.
In-House or Farmed Out?
Although you may break out the toolbox when your car needs a belt or hose change, you shouldn't be handling micrometers and a cylinder hone when the engine block needs decking. Take it to a professional so it's done right. Pen testing follows the same principle. For instance, let's say you find Acme Pen Testing online, charging as little as $50 for a report on your desk within a few days. But how reliable is that report? Not very, especially when you're stuck telling the C-suite that a quick review overlooked the vulnerability that lost company data. If you're going to pen test in-house, you need people who are specifically trained in pen testing, and you need to scope the work, document the rules of engagement and get written authorization before anyone sends a single packet.
Evan Saez, a cyber-threat analyst for LIFARS, recommends using automated tools for in-depth penetration testing. Why? These are the same types of tools that attackers use. Evan recommends Metasploit for a number of reasons, but the main upside is that it has a huge base of contributors who are constantly improving it. At the end of the day, a sound pen test is measured against today's standards, not last year's. Make sure the systems and data you host in the cloud are held to the same ones as your on-premises systems, and check that your cloud provider's terms permit the testing before you begin.