Taking Penetration Testing In-House

Weighing the risks and benefits of do-it-yourself pen testing

Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise -- but it's also a step not to be taken lightly.

"The advantage of having in-house penetration testers is the focus they provide," says Chris Nickerson, founder of security firm Lares Consulting. "They're able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused."

Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers' responsibilities. "It's all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with," he says.

While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. "The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all," he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents doesn't blow the boxes that are being tested. That's the default: Once the agent is installed and it's determined whether or not the exploit works, the agent is uninstalled."

The problem is, the tools also offer high levels of tuning and customization, which in inexperienced hands can lead to problems, Nickerson notes. "The tools themselves aren't a particular danger, but with an inexperienced tester driving and tuning those tools, there's some risk of something going wrong," he says.

Steve Stasiukonis, vice president of Secure Network Technologies, makes a similar point. "Hit a critical server too hard and you can create all sorts of problems," he says. "Even a telnet or pingsweep needs to be run with extreme caution when you're testing the most sensitive systems."

That sort of caution comes as a result of both experience and acquired expertise, Stasiukonis suggests, neither of which is included in off-the-shelf testing products. "Working your way up the ladder takes time, and there's no way around that," he says.

It's best to stage the introduction of internal penetration tests, Nickerson says. "The most business-critical systems should only be approached by the most experienced testers, whether they're internal or consultants from outside the organization."

Can even the most experienced and expert in-house pen tester mount fair tests? Does their unavoidable knowledge of the company they work for automatically compromise their ability to approach their tests as an outsider would? "No question," Stasiukonis says. "But more than that, there's the risk that an internal tester will be too easy on some aspects of the company. Strict password rules, for instance, are one area where in-house testers are sometimes too lenient on the people they work with."

More troubling for him is the potential for in-house testers to overestimate their knowledge of the company they work for. "It's too easy for a staff tester to assume they know everything about the company and its systems, particularly with larger companies. They test against the numbers they know and end up overlooking whole segments or even whole networks."

And company awareness that a pen tester is on staff can compromise the tests, too. "The point of pen testing is to see if your defenses are effective against real-world threats," Nickerson says. "Making the company aware that tests are going on [takes] away that real-world aspect."

He suggests testers notify only those personnel who must know of tests for business and operations criticality reasons.

Perhaps the most frequently touted benefit of in-house testing is cost savings. But there are several levels of consideration to take into account here, as well. Nickerson argues that cost must be approached not only by comparing in-house personnel dedicated to pen testing against the cost of outside pen testers, but also by weighing the return on the in-house investment. That return, he says, can extend far beyond the tests themselves and even beyond the security benefits of having skilled testers on staff.

Among the chief returns derived from having an in-house penetration tester or team is education -- the testers' ability to communicate clearly and pointedly why pen testing is a vital component of an aggressive security posture, Nickerson says. Another point to be made: why testing, whether in-house or outsourced, trumps vulnerability assessments.

"Automated vulnerability scans generate a lot of information that may not be 100 percent accurate, may not apply to the company's most critical processes, and may not mean a lot to a not particularly tech-savvy CFO or other executive," he says. "The information is at a lower level of resolution than an effective pen test provides."

An experienced penetration tester, he says, can show the executive exactly why penetration testing is a worthwhile investment.

For example, tell an executive that you have X number of vulnerabilities, and the message may or may not get through. "But show the CFO how those vulnerabilities allow the company's general ledger to be altered and, in doing so, fundamentally alter the history and course of the company, and you've delivered a driver that they can really understand," Nickerson says. "You've provided a clear picture of the real-world impact that vulnerabilities can have, and you've increased the company's security education at the same time."

Nickerson believes the constantly evolving and mutating threat environment will have more and more companies considering the addition of internal penetration testing. "The important thing is to provide the testers with the time and focus that lets them concentrate wholly on testing and on keeping their skills and knowledge up-to-date," he says. "Companies need to keep an eye on the tipping point where leveraging external expertise costs more than investing in having an expert penetration tester on the inside."
