4/16/2010
03:42 PM

Taking Penetration Testing In-House

Weighing the risks and benefits of do-it-yourself pen testing

Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise -- but it's also a step not to be taken lightly.

"The advantage of having in-house penetration testers is the focus they provide," says Chris Nickerson, founder of security firm Lares Consulting. "They're able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused."

Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers' responsibilities. "It's all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with," he says.

While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. "The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all," he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents doesn't blow the boxes that are being tested. That's the default: Once the agent is installed and it's determined whether or not the exploit works, the agent is uninstalled."

The problem is, the tools also offer high levels of tuning and customization, which in inexperienced hands can lead to problems, Nickerson notes. "The tools themselves aren't a particular danger, but with an inexperienced tester driving and tuning those tools, there's some risk of something going wrong," he says.

Steve Stasiukonis, vice president of Secure Network Technologies, makes a similar point. "Hit a critical server too hard and you can create all sorts of problems," he says. "Even a telnet or pingsweep needs to be run with extreme caution when you're testing the most sensitive systems."

That sort of caution comes as a result of both experience and acquired expertise, Stasiukonis suggests, neither of which is included in off-the-shelf testing products. "Working your way up the ladder takes time, and there's no way around that," he says.

It's best to stage the introduction of internal penetration tests, Nickerson says. "The most business-critical systems should only be approached by the most experienced testers, whether they're internal or consultants from outside the organization."

Can even the most experienced and expert in-house pen tester mount fair tests? Does their unavoidable knowledge of the company they work for automatically compromise their ability to approach their tests as an outsider would? "No question," Stasiukonis says. "But more than that, there's the risk that an internal tester will be too easy on some aspects of the company. Strict password rules, for instance, are one area where in-house testers are sometimes too lenient on the people they work with."

More troubling for him is the potential for in-house testers to overestimate their knowledge of the company they work for. "It's too easy for a staff tester to assume they know everything about the company and its systems, particularly with larger companies. They test against the numbers they know and end up overlooking whole segments or even whole networks."

And company awareness that a pen tester is on staff can compromise the tests, too. "The point of pen testing is to see if your defenses are effective against real-world threats," Nickerson says. "Making the company aware that tests are going on [takes] away that real-world aspect."

He suggests testers notify only those personnel who must know of tests for business and operations criticality reasons.

Perhaps the most frequently touted benefit of in-house testing is cost savings. But there are levels of consideration to take into account here, as well. Nickerson argues that cost must be approached not only by comparing the expense of in-house personnel dedicated to pen testing with the cost of outside pen testers, but also by weighing the return on the in-house investment. That return, he says, can extend far beyond the tests themselves and even the security benefits of having skilled testers on staff.

Among the chief returns derived from having an in-house penetration tester or team is education -- the testers' ability to communicate clearly and pointedly why pen testing is a vital component of an aggressive security posture, Nickerson says. Another point to be made: why testing, whether in-house or outsourced, trumps vulnerability assessments.

"Automated vulnerability scans generate a lot of information that may not be 100 percent accurate, may not apply to the company's most critical processes, and may not mean a lot to a not particularly tech-savvy CFO or other executive," he says. "The information is at a lower level of resolution than an effective pen test provides."

An experienced penetration tester, he says, can show the executive exactly why penetration testing is a worthwhile investment.

For example, tell an executive that you have X number of vulnerabilities, and the message may or may not get through. "But show the CFO how those vulnerabilities allow the company's general ledger to be altered and, in doing so, fundamentally alter the history and course of the company, and you've delivered a driver that they can really understand," Nickerson says. "You've provided a clear picture of the real-world impact that vulnerabilities can have, and you've increased the company's security education at the same time."

Nickerson believes the constantly evolving and mutating threat environment will have more and more companies considering the addition of internal penetration testing. "The important thing is to provide the testers with the time and focus that lets them concentrate wholly on testing and on keeping their skills and knowledge up-to-date," he says. "Companies need to keep an eye on the tipping point where leveraging external expertise costs more than investing in having an expert penetration tester on the inside."
