Vulnerabilities / Threats
11/20/2009
11:43 AM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing

What you need to know about bringing penetration testing in-house

With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises are realizing how a quality, comprehensive pen test can supplement their security efforts and find holes before attackers do -- with the added benefit of meeting PCI DSS requirement 11.3. Now many enterprises are starting to consider whether they should perform pen testing in-house themselves.

The average IT professional views pen testing as a black art. It's an activity often seen as dangerous and counterproductive to an operational environment where testing could impact business and cause downtime, but it's a practice gaining popularity thanks to the annual pen-testing requirement by the PCI Data Security Standards (DSS) and publicity surrounding the recent purchase of the Metasploit Project by Rapid7.

Deciding whether to pen test in-house or outsource the job is a decision not to be taken lightly considering it can cost anywhere from $5,000 to $50,000 or more, depending on the size of the target, scope, and reputation of the testing vendor. A pen-testing product, meanwhile, costs anywhere from a few hundred dollars for a narrowly focused tool to $30,000.

While saving tens of thousands of dollars by purchasing your own pen-test tool sounds good at first, with internalizing the work has its own costs. The investment in human resources, training, and software must be weighed against the potential savings from shelling out big bucks for a third party pen test. Let's examine each:

  • Human resources: The first and most obvious cost to the bottom line is HR. Are there existing personnel within the organization who have the skills and experience to perform a comprehensive pen test? If so, then the next decision is whether their current job duties can coexist with their new pen-test duties. Answering those questions can result in the need to hire new staff to fill in as needed, or to redistribute personnel to make sure all areas are covered appropriately.

  • Training: Training the newly designated pen tester -- or, if you're lucky, a whole pen-testing team -- is the next item on the cost sheet. Time needs to be set aside to attend training either online or at a conference. Online courses, like those from Offensive Security, run as little as $500 to several thousand dollars, while a multiday pen-testing course, like SEC 560 Network Penetration Testing and Ethical Hacking from SANS, is $4,300 for six days.

    Don't forget about retention issues that can accompany adding increased responsibilities on current employees and training both new and current employees. Competent pen-testing skills are very valuable right now, and you'll need to make sure your pen testers' salaries are reasonably competitive with how much they could make elsewhere.

    It's not uncommon for employers to draw up a contract that says the employee must repay part or all of the training expenses if he chooses to leave for another employer within a specific amount of time.

  • Software: Pen-testing software runs the gamut in terms of cost. Exceptional free tools, like the Metasploit Framework and w3af, are available, but they entail a steeper learning curve compared to a polished commercial solution like Core IMPACT. The differences can be measured in the tens of thousands of dollars and hours versus days to become familiar and reasonably comfortable using the different tools. Determining which software to use will depend on budget, organization size, familiarity of the tools by the pen tester, and technologies used by the target.

    Once you've answered the question of whether performing in-house pen testing is cost-effective, you still need to answer the ever important question: Can your team perform a comprehensive test that is objective and doesn't suffer from a myopia that often occurs when the tester is too close to the target organization?

    The upside of performing pen testing with an internal team is they are familiar with the organization, the network, where the critical assets are, and the people. They may end up finding chinks in the company's armor quicker than a third-party pen tester because they have the familiarity and will know where to look first.

    But the trade-off is an internal pen-testing team may be too familiar and comfortable with the target environment and could overlook common issues that someone from the outside may not. Personal relationships may even impact whether they target specific users for social engineering exercises, like a simulated phishing attack.

    Making the decision to staff, train, and maintain an internal pen-testing team is a big one that can have a serious impact on the security of your company -- more than just checking off "YES" on a PCI Self Assessment Questionnaire. It's a good idea to hire a third-party pen-testing firm to follow up on the initial pen tests by the internal team to make sure they're doing a solid job -- and every couple of years thereafter to ensure results are consistent.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Flash Poll
    Current Issue
    Cartoon
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2014-1544
    Published: 2014-07-23
    Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

    CVE-2014-1547
    Published: 2014-07-23
    Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

    CVE-2014-1548
    Published: 2014-07-23
    Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

    CVE-2014-1549
    Published: 2014-07-23
    The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

    CVE-2014-1550
    Published: 2014-07-23
    Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

    Best of the Web
    Dark Reading Radio
    Listen Now Botnet Takedowns: Who's Winning, Who's Losing
    Sara Peters hosts a conversation on Botnets and those who fight them.