informa
/
Announcements
Alert
Check out our NEW section called "DR Tech" for comprehensive coverage of new & emerging cybersecurity technology.
Event
Cyber Threats, Cyber Vulnerabilities: Assessing Your Attack Surface | Dark Reading Virtual Event | <REGISTER NOW>
PreviousNext
Analytics
Slideshow

8 Keys to a Successful Penetration Test

Pen tests are expensive, but there are key factors that can make them worth the investment.
Curtis Franklin
Security Editor
September 19, 2018
Know Why You're Testing
Know Your Network
Set the Scope
Build a Strong Plan
Hire the Right Team
In general, we want to be told that we're doing well. It's human nature. But the purpose of a pen test is to show an organiza
Pay Attention to Results
Tell the Story
1/8

In 1880, Prussian Field Marshal and military theorist Helmuth von Moltke the Elder wrote what can be translated in English as, "No plan of operations reaches with any certainty beyond the first encounter with the enemy's main force." He meant that all plans are great until they run into reality.

That statement resonates today in cybersecurity. Many security professionals vet their security plans with reality via a penetration test, aka pen test, where a red team of white-hat hackers does their best to defeat the defenses established by the blue team of security. It is frequently an eye-opening experience for the blue team and their managers.

While virtually every security plan for an organization of any size calls for pen testing, these exercises tend to be expensive and frequently disruptive. It pays to make them as effective as possible. So what's the difference between a costly pen test that puts a tick in a check box versus one that's a legitimate tool for improving security?

Putting in the work to properly prepare for a pen test can lead to solid security benefits for the organization. More than half of the steps to a solid pen test occur prior to when the testing begins. That's not terribly unusual - aphorisms about practice, planning, and perfection are common - but it reinforces the idea that pen testing is not the sort of activity that can be taken lightly. And if it's going to be most effective for the organization, it can't be taken as an activity just for the sake of making auditors, regulators, or insurers happy.

The following steps for a successful pen test were gathered from personal experience, conversations with professionals including Tod Beardsley, director of research with Rapid7, Yonathan Klijnsma threat researcher at RiskIQ, and Stephen Boyer, founder and CTO of Bitsight Technologies, as well as numerous discussions with researchers at Black Hat USA and DEF CON 2018.

Have you been part of a pen test that has been highly valuable - or not? What steps did you find critical to making the pen test matter? Let us know in the comments section below.



 
Next slide
Recommended Reading:
Editors' Choice
7 Ways to Lock Down Enterprise Printers
Steve Zurier, Contributing Writer
What Squid Game Teaches Us About Cybersecurity
Orion Cassetto, Senior Director of Product Marketing at Cycode
'TodayZoo' Phishing Kit Cobbled Together From Other Malware
Robert Lemos, Contributing Writer
From Help Desk to Head of SOC: Building a Cybersecurity Career on Empathy and Candor
Jon Hencinski, Director of Threat Detection & Response, Expel.io
Webinars
More Webinars
White Papers
More White Papers
Events
More Events