Does your organization have a blind faith policy when it comes to your network's defenses?
When undergoing penetration testing, it matters whether these hands belong to your network team or not.
If so, hackers may not be the only ones eyeing up your network. Industry regulators, it turns out, won't be terribly keen on the idea that your efforts to ward off hackers may have gone untested.
Penetration testing (pen test) describes a process whereby a company contracts with a security firm - and/or uses its own security gurus - to attempt to break into a network and its resident systems by using a variety of exploits and methods.
Several variables come into play. For instance, "hackers" may or may not have a full picture of the target network. There are also issues surrounding the delineation of duties.
Ideally, if a company does decide to go the internal route for any part of this process, it should have a dedicated security team handle it. After all, if the same IT group that manages the network also oversees the testing, its members may be predisposed to avoid situations that expose their own shortcomings.
Essentially, they may be simply too close to remain objective. Independent teams and third-party contractors have no such allegiances and are more likely to be ruthless in their critique of your network. And no matter how bad the news, you'd much rather hear it from them than have it splashed across your favorite IT news site.
AO members discuss the importance of undergoing penetration testing as a worthwhile exercise, despite the cost, especially if your company conducts business online.
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
Deeboe's employer is debating the wisdom of undergoing penetration testing.
Recently, my organization has been questioning the value of Penetration Testing. It turns out the people asking didn't really know what it was to begin with. I am in the process of explaining it to these folks now. However, the questions keep coming up: "What is the value added?" "Why should we continue?" "Who should be doing it?"
So I have a few questions to the mighty AO:
Why do you pen test?
Why don't you pen test?
What is the value?
Who (what functions) should be doing the testing?
Why?! In this day and age, why not? thehorse13 replies with:
Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.
We use a tier approach to this. First, we ask the vendor for a list of known issues (if they will give it up). Second, we have a third party, BAE is my choice, run the tests. Then we have internal folks, me included, take a crack at it. In the end, we all compare notes. This yields the most effective results but of course costs the most.
HTRegz brings up an interesting point:
I'm not a big fan of having internal employees audit a network, but there is a big IF to that: if they are the network department. If you have a security group that is in no way, shape or form related to the network department, then it's a great idea. But having the network department do the pen test (I've known companies that do this) is useless. Obviously they are going to secure the systems as much as they can and as best they can so they aren't going to get into them.
Lv4 nails the crux of the issue for most businesses: the bottom line.
What is the value? Finding and patching a hole before it can be exploited. We are a multi-billion dollar company and all of our business is done over the Internet. If I can find and patch a hole that would have cost the company a few million dollars then I have done my job. If I don't find that hole, or we never even looked for it, then the company is hurt financially and their reputation is tarnished.
Not convinced yet? Click here for the full thread.