When deciding whether a pen test should be conducted, an organization should be trying to answer the following question: "Can someone break into my sensitive assets?" A penetration test's primary purpose is to breach the security of a target in as realistic a fashion as possible. By contrast, the focus of a pen test is not to identify as many vulnerabilities as possible, and it is not to calculate the risk that an asset poses. While hybrid variations do exist, in their pure form those types of security tests would be more accurately termed "vulnerability assessments" and "risk assessments," respectively.
As part of my job, I often encounter people who confuse the terms and wind up asking for one thing and wanting another. I've had clients ask me for penetration testing but to avoid performing any exploitation. Once I even had a client ask me for a "robot test" -- but that's neither here nor there. So remember that when requesting a penetration test, you're really asking for a real-world attack that involves exploiting your targets to determine whether their security can be compromised.
Over the years, I've observed a steady increase in the use of penetration testing by organizations attempting to secure their systems. As recently as a few years ago, you would find that the vast majority of organizations did not perform any kind of security testing. This is perhaps understandable, as they had no compelling reason to do so other than it being a "good idea" -- like flossing every day. But with the threats facing a company's assets growing in number and sophistication, there has been a corresponding increase in organizational awareness of these risks and an expansion in the effort taken to protect against them. So it should come as no surprise to see that several interested parties have begun pushing for the use of pen testing to validate the security of a system.
But why do organizations ask for penetration testing? In my experience, I've found the most common reasons a company performs penetration testing to be the following:
- meeting a regulatory, industry, or customer requirement (e.g., FISMA, PCI, NERC CIP);
- confirming the security of an application as part of the secure development life cycle;
- validating a risk or vulnerability management program's effectiveness;
- proving the (in)security of a system to make (or break) a case; and
- demonstrating the real consequences of unaddressed vulnerabilities.
By far the largest driver is the growing number of regulatory and industry requirements calling for this type of testing, usually on an annual basis. In addition, an increase in consumer awareness has prompted companies to also enforce stronger security requirements internally against their own systems as well as against any systems owned by third-party providers. To be blunt, these drivers amount to "because I said so" reasoning. And, of course, you comply if you want to pass the audit or win the business.
Penetration testing is also one of the first activities to be established by development organizations that are in the process of adopting or have already established an active application security program. Usually the pen testing is conducted alongside QA testing or as the final phase before release into production.
Penetration testing can also be used to determine the efficacy of established risk or vulnerability management programs. This type of testing can be seen as a form of security controls testing and is normally performed on an annual basis. Many companies also have security policies that mandate an annual penetration test. Less commonly, although frequently enough to warrant mention, pen testing can be used to prove the (in)security of a system or demonstrate the real-world impact of insecure systems and unmitigated vulnerabilities.
Of course, there are many additional reasons for performing a penetration test, but whatever the driver, the test should fundamentally answer the question of whether the security of the system can be breached.
Stay tuned for the next entry in this series on professional penetration testing. I'll discuss the different types and variations of penetration tests in addition to beginning a larger discussion on the different skill levels of penetration testers.
Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. He has presented his research at conferences including Black Hat, ToorCon, InfoSec World, SANS, and Microsoft BlueHat. Vincent has been published in interviews, journals, and books with highlights including "Hacking Exposed: Wireless" and "Hacking Exposed: Web Applications."