Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/20/2009
11:43 AM
50%
50%

Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing

What you need to know about bringing penetration testing in-house

With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises are realizing how a quality, comprehensive pen test can supplement their security efforts and find holes before attackers do -- with the added benefit of meeting PCI DSS requirement 11.3. Now many enterprises are starting to consider whether they should perform pen testing in-house themselves.

The average IT professional views pen testing as a black art. It's an activity often seen as dangerous and counterproductive to an operational environment where testing could impact business and cause downtime, but it's a practice gaining popularity thanks to the annual pen-testing requirement by the PCI Data Security Standards (DSS) and publicity surrounding the recent purchase of the Metasploit Project by Rapid7.

Deciding whether to pen test in-house or outsource the job is a decision not to be taken lightly considering it can cost anywhere from $5,000 to $50,000 or more, depending on the size of the target, scope, and reputation of the testing vendor. A pen-testing product, meanwhile, costs anywhere from a few hundred dollars for a narrowly focused tool to $30,000.

While saving tens of thousands of dollars by purchasing your own pen-test tool sounds good at first, with internalizing the work has its own costs. The investment in human resources, training, and software must be weighed against the potential savings from shelling out big bucks for a third party pen test. Let's examine each:

  • Human resources: The first and most obvious cost to the bottom line is HR. Are there existing personnel within the organization who have the skills and experience to perform a comprehensive pen test? If so, then the next decision is whether their current job duties can coexist with their new pen-test duties. Answering those questions can result in the need to hire new staff to fill in as needed, or to redistribute personnel to make sure all areas are covered appropriately.

  • Training: Training the newly designated pen tester -- or, if you're lucky, a whole pen-testing team -- is the next item on the cost sheet. Time needs to be set aside to attend training either online or at a conference. Online courses, like those from Offensive Security, run as little as $500 to several thousand dollars, while a multiday pen-testing course, like SEC 560 Network Penetration Testing and Ethical Hacking from SANS, is $4,300 for six days.

    Don't forget about retention issues that can accompany adding increased responsibilities on current employees and training both new and current employees. Competent pen-testing skills are very valuable right now, and you'll need to make sure your pen testers' salaries are reasonably competitive with how much they could make elsewhere.

    It's not uncommon for employers to draw up a contract that says the employee must repay part or all of the training expenses if he chooses to leave for another employer within a specific amount of time.

  • Software: Pen-testing software runs the gamut in terms of cost. Exceptional free tools, like the Metasploit Framework and w3af, are available, but they entail a steeper learning curve compared to a polished commercial solution like Core IMPACT. The differences can be measured in the tens of thousands of dollars and hours versus days to become familiar and reasonably comfortable using the different tools. Determining which software to use will depend on budget, organization size, familiarity of the tools by the pen tester, and technologies used by the target.

    Once you've answered the question of whether performing in-house pen testing is cost-effective, you still need to answer the ever important question: Can your team perform a comprehensive test that is objective and doesn't suffer from a myopia that often occurs when the tester is too close to the target organization?

    The upside of performing pen testing with an internal team is they are familiar with the organization, the network, where the critical assets are, and the people. They may end up finding chinks in the company's armor quicker than a third-party pen tester because they have the familiarity and will know where to look first.

    But the trade-off is an internal pen-testing team may be too familiar and comfortable with the target environment and could overlook common issues that someone from the outside may not. Personal relationships may even impact whether they target specific users for social engineering exercises, like a simulated phishing attack.

    Making the decision to staff, train, and maintain an internal pen-testing team is a big one that can have a serious impact on the security of your company -- more than just checking off "YES" on a PCI Self Assessment Questionnaire. It's a good idea to hire a third-party pen-testing firm to follow up on the initial pen tests by the internal team to make sure they're doing a solid job -- and every couple of years thereafter to ensure results are consistent.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Data Leak Week: Billions of Sensitive Files Exposed Online
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
    Intel Issues Fix for 'Plundervolt' SGX Flaw
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-5252
    PUBLISHED: 2019-12-14
    There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
    CVE-2019-5235
    PUBLISHED: 2019-12-14
    Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
    CVE-2019-5264
    PUBLISHED: 2019-12-13
    There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
    CVE-2019-5277
    PUBLISHED: 2019-12-13
    Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
    CVE-2019-5254
    PUBLISHED: 2019-12-13
    Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...