Taking Penetration Testing In-House
Weighing the risks and benefits of do-it-yourself pen testing
Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise -- but it's also a step not to be taken lightly.
"The advantage of having in-house penetration testers is the focus they provide," says Chris Nickerson, founder of security firm Lares Consulting. "They're able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused."
Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers' responsibilities. "It's all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with," he says.
While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. "The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all," he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents doesn't blow the boxes that are being tested. That's the default: Once the agent is installed and it's determined whether or not the exploit works, the agent is uninstalled."
The problem is, the tools also offer high levels of tuning and customization, which in inexperienced hands can lead to problems, Nickerson notes. "The tools themselves aren't a particular danger, but with an inexperienced tester driving and tuning those tools, there's some risk of something going wrong," he says.
Steve Stasiukonis, vice president of Secure Network Technologies, makes a similar point. "Hit a critical server too hard and you can create all sorts of problems," he says. "Even a telnet or ping sweep needs to be run with extreme caution when you're testing the most sensitive systems."
That sort of caution comes as a result of both experience and acquired expertise, Stasiukonis suggests, neither of which is included in off-the-shelf testing products. "Working your way up the ladder takes time, and there's no way around that," he says.
It's best to stage the introduction of internal penetration tests, Nickerson says. "The most business-critical systems should only be approached by the most experienced testers, whether they're internal or consultants from outside the organization."
Can even the most experienced and expert in-house pen tester mount fair tests? Does their unavoidable knowledge of the company they work for automatically compromise their ability to approach their tests as an outsider would? "No question," Stasiukonis says. "But more than that, there's the risk that an internal tester will be too easy on some aspects of the company. Strict password rules, for instance, are one area where in-house testers are sometimes too lenient on the people they work with."
More troubling for him is the potential for in-house testers to overestimate their knowledge of the company they work for. "It's too easy for a staff tester to assume they know everything about the company and its systems, particularly with larger companies. They test against the numbers they know and end up overlooking whole segments or even whole networks."
And company awareness that a pen tester is on staff can compromise the tests, too. "The point of pen testing is to see if your defenses are effective against real-world threats," Nickerson says. "Making the company aware that tests are going on [takes] away that real-world aspect."
He suggests testers notify only the personnel who must know about a test because of its business or operational criticality.
Perhaps the most frequently touted benefit of in-house testing is cost savings. But there are several layers to consider here, too. Nickerson argues that cost must be weighed not only as the expense of in-house personnel dedicated to pen testing versus the cost of outside pen testers, but also in terms of the return on the in-house investment. That return, he says, can extend far beyond the tests themselves and even beyond the security benefits of having skilled testers on staff.
Among the chief returns derived from having an in-house penetration tester or team is education -- the testers' ability to communicate clearly and pointedly why pen testing is a vital component of an aggressive security posture, Nickerson says. Another point to be made: why testing, whether in-house or outsourced, trumps vulnerability assessments.
"Automated vulnerability scans generate a lot of information that may not be 100 percent accurate, may not apply to the company's most critical processes, and may not mean a lot to a not particularly tech-savvy CFO or other executive," he says. "The information is at a lower level of resolution than an effective pen test provides."
An experienced penetration tester, he says, can show the executive exactly why penetration testing is a worthwhile investment.
For example, tell an executive that you have X number of vulnerabilities, and the message may or may not get through. "But show the CFO how those vulnerabilities allow the company's general ledger to be altered and, in doing so, fundamentally alter the history and course of the company, and you've delivered a driver that they can really understand," Nickerson says. "You've provided a clear picture of the real-world impact that vulnerabilities can have, and you've increased the company's security education at the same time."
Nickerson believes the constantly evolving and mutating threat environment will have more and more companies considering the addition of internal penetration testing. "The important thing is to provide the testers with the time and focus that lets them concentrate wholly on testing and on keeping their skills and knowledge up-to-date," he says. "Companies need to keep an eye on the tipping point where leveraging external expertise costs more than investing in having an expert penetration tester on the inside."