8 Keys to a Successful Penetration Test8 Keys to a Successful Penetration Test
Pen tests are expensive, but there are key factors that can make them worth the investment.
September 19, 2018
In 1880, Prussian Field Marshal and military theorist Helmuth von Moltke the Elder wrote what can be translated in English as, "No plan of operations reaches with any certainty beyond the first encounter with the enemy's main force." He meant that all plans are great until they run into reality.
That statement resonates today in cybersecurity. Many security professionals vet their security plans with reality via a penetration test, aka pen test, where a red team of white-hat hackers does their best to defeat the defenses established by the blue team of security. It is frequently an eye-opening experience for the blue team and their managers.
While virtually every security plan for an organization of any size calls for pen testing, these exercises tend to be expensive and frequently disruptive. It pays to make them as effective as possible. So what's the difference between a costly pen test that puts a tick in a check box versus one that's a legitimate tool for improving security?
Putting in the work to properly prepare for a pen test can lead to solid security benefits for the organization. More than half of the steps to a solid pen test occur prior to when the testing begins. That's not terribly unusual - aphorisms about practice, planning, and perfection are common - but it reinforces the idea that pen testing is not the sort of activity that can be taken lightly. And if it's going to be most effective for the organization, it can't be taken as an activity just for the sake of making auditors, regulators, or insurers happy.
The following steps for a successful pen test were gathered from personal experience, conversations with professionals including Tod Beardsley, director of research with Rapid7, Yonathan Klijnsma threat researcher at RiskIQ, and Stephen Boyer, founder and CTO of Bitsight Technologies, as well as numerous discussions with researchers at Black Hat USA and DEF CON 2018.
Have you been part of a pen test that has been highly valuable - or not? What steps did you find critical to making the pen test matter? Let us know in the comments section below.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingDec 12, 2023
SecOps & DevSecOps in the CloudDec 14, 2023
What's In Your Cloud?Jan 17, 2024
Everything You Need to Know About DNS AttacksJan 18, 2024
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
2022 Insurance Industry Cyber Threat Landscape Report
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report