Penetration testing

Pros and cons in penetration testing services: The debate continues

Daniel Brecht
November 30, 2016 by
Daniel Brecht

Those who keep up with current events on InfoSec are aware of the increasing number of significant cyber data breaches impacting industries like health care, government, finance and retail, to name a few. This surge has not only stirred media attention, but it has also forced companies of all sizes to take a hard look at their security control measures, or lack of, to protect their information. Many resources have been routed to understand the threats to confidentiality, integrity and availability (CIA) of sensitive information and to provide remediation plans tailored specifically to each organization. A number of solutions are normally considered when trying to safeguard the companies' IT infrastructure. One of the measures that lately has been implemented more often, especially by medium-large companies, is the use of penetration testing services offered by specialists who will, with a company's permission, attempt to breach the security of a network for the purpose to test its robustness to a variety of hacking attacks.

Penetration testing: What is it?

Pen-testing is a systematic process that utilizes tools and applies ethical hacking techniques to accurately assess the systems' risks. Professional pen testers look for and penetrate existing vulnerabilities to strengthen networks security and resilience against evolving threats. So, basically, penetration testing is a hacking simulation conducted with the purpose to create an event as close as possible to a real attack to test an environment's cybersecurity posture, and eventually identify solutions to secure it, limiting exposure to threats and attacks.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Pen-testers are security professionals who have a good mix of theoretical knowledge and hands-on skills. They often have advanced IT degrees, specific training (for example, CEH courses or CPT courses) and often times certifications; some have entered the profession thanks to personal skills and knowledge derived by hands-on work in the field. A good pen tester can be highly effective in revealing the security state of a given system using a variety of intrusion methods similar to those used by malicious hackers. Applying creative techniques and, in many cases, social engineering skills, they are able to identify areas that are vulnerable to an attack and suggest a proper defensive mechanism for the client's IT infrastructure. Often, pen-testers follow the Penetration Testing Execution Standard (PTES) technical guidelines to provide the most value. The procedure consists of seven (7) main sections that walk the professional from all pre-engagement interactions, to intelligence gathering, threat modeling, vulnerability analysis, exploitation, post exploitation and the all-important reporting in which feedback is given to the client. The tester will be evaluating the current IT controls, procedures, policies, and preventions already in place and may suggest additional security countermeasures against cyber breach type incidents to help ensure they are sufficiently mitigated, and make certain of the availability or integrity of the network and associated data.

Yassine Aboukir, an independent security consultant, explains also how there are different types of the systematic approach; a penetration test may be done as either black ("zero knowledge" in which the tester knows nothing about the target), white ("full disclosure" in which the pen-tester has access to the source code and prior knowledge of the target) or grey-box ("partial disclosure" in which only limited information is available) assessments. The type of testing approach depends on the goals of the inquest. For example, a full or partial disclosure assessment could be used initially to identify most vulnerabilities; black box penetration testing could be used later to test the resilience after all countermeasures have been strengthened.

So, how effective is pentesting?

Penetration testing: Appling proactive security to avoid the cost of a breach

Today, data leaks represent one the biggest risks to enterprises of all sectors, industries and sizes—see Notable Data Breaches to learn about many high profile data breaches that occurred over the years. To date, there has been a resurgence in hacktivist activities as is seen in the 2016 Data Breach Investigations Report by Verizon, that tells about data breaches specifically targeting weak areas in computers, networks, applications and websites. As the author of the annual Data Breach Investigations Report (DBIR available for download here), which collects information on and analyzes thousands of breaches every year, Verizon is familiar with the importance of information assurance and vulnerability management; however, even that company had to acknowledge its own breach back in March of this year having identified a security flaw in its own site that permitted hackers to steal customer contact information via the Web. Verizon Enterprise told how it discovered and remediated a security vulnerability on their enterprise client portal. "The irony in this breach" said KrebsOnSecurity, "is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place."

What's concerning is that no one is immune to the threat of a data breach, as any organization with sensitive personal or financial info represents a potential target. So, it's never been more pressing to safeguard and protect precious business data with robust solutions that help achieve specific requirements and improve the overall security posture. Doing nothing to test the incident response preparedness of a company is not an option. After all, "it's not a question if your network will be breached, the only question is when," says Gemalto, a digital security company sponsor of the Breach Level Index website that tracks publicly disclosed breaches. A pen test that is able to reveal and explore business critical security issues could be potentially a crucial component for detecting and responding to threats. This practice has not to be confused with that of a 'security assessment' or 'vulnerability scan,' as "pen-testing goes beyond simply spotting the security vulnerabilities to actively chain and exploit them in order to verify whether they constitute a real or false positive and, ultimately, demonstrate the real-world impact they could have," says Yassine Aboukir, an independent security consultant.

Penetration testing can be, then, a useful facet of a multi-layered approach to information security that can make general recommendations for IT infrastructure improvements. As part of a comprehensive information security program, penetration tests can be practical to assess exposures on a regular basis for the purpose to design better controls—e.g., Intrusion Detection (IDS) and Prevention (IPS) Systems—and understand the risk of every online system in more detail during the decision-making process. The hands-on approach gives the flexibility that allows testers to launch a variety of attacks in a range of conditions within the environment to discover critical issues and guide system owners through remediation. However, complete security of the organization's critical infrastructures requires a holistic approach and key departments and functional areas in the work environment to be onboard.

Penetration testing: Pros and cons

There is no question with the numerous security breaches that have taken place recently that penetration testing is a critical component of securing one's information assets on several platform environments.

Penetration testing is done for risk management and compliance purposes with aim to increase awareness about potential risks and suggest ways to improve the security state of an environment with the deployment of suitable defensive controls. "Automated tools can never quite take the place of a finely tuned human mind," stresses ISC2, to perform a much more detailed examination that will help safeguard systems from cyber breaches. However, pen-testing is still subjected to debate.

Pros:

  • Testing enables a proactive security approach.
  • It allows the exploration of real risks and having an accurate representation of a company's IT infrastructure security posture at any given time. It's tailored to the actual systems to be tested and adapts to the changes that are made in real time.
  • It helps investigate data breaches or network intrusions to discover any leads to the leakage of data or theft of intellectual property.
  • It allows gathering of information about the tested system to learn as much as possible about it and perhaps even come across some internal information on the active (or would-be) hackers.
  • It's able to find both known and unknown hardware or software flaws and exploit security vulnerabilities, which can be identified and fixed before they are exploited in a much more effective way that with automated tools. Penetration testers might be able to identify patterns by looking at smaller vulnerabilities that are part of a more complex attack system but that won't be of much concern if analyzed individually.
  • It is able to assess and validate the efficacy of one's defensive mechanisms far beyond the depth of analysis provided by a vulnerability assessment in identifying whether any weaknesses are originating from human errors or technical issues.
  • It allows the real-world testing of company IT policies and procedures in place and of the employees' assurance readiness by applying not only tools but employing techniques like social engineering and phishing.
  • It gives the possibility to test any system with attacks that are as close as possible to real-world incidents thanks to the work of professionals that think and strike like most malicious hackers would.

Yet, penetration testing also has its downsides too and should not be the only method used to work on securing systems.

Cons:

  • It is very unlikely that a pen-tester will find all the security issues or will solve all problems when probing or scanning for vulnerabilities and generating an automated report. It is not a full security audit.
  • It takes a pen-tester more time to inspect a given system to identify attack vectors than doing a vulnerability assessment, being the test scope is greater. His or her actions can also be disruptive for the business activities as they mimic a real attack.
  • It is high-labor intensive and can therefore represent an increased cost and some organizations might not be able to allocate a budget to do this. This is especially true when an outside firm is hired to carry out the task.
  • It might give a false sense of security. Being able to withstand most penetration testing attacks might give the sense that systems are 100% safe. In most cases, however, penetration testing is known to company security teams who are ready to look for signs and are prepared to defend. Real attacks are unannounced and, above all, unexpected.

In addition, there are real legal issues associated with doing a proper Penetration Test. According to the ISC2 Government Advisory Council Executive Writers Bureau "the use of pen-testing in an organization represents a multifaceted debate. Why? The act of pen-testing is often questioned regarding the relative value of the activity, the amount of trust we can (or cannot) place in the testers themselves (after all, they're being paid to break into an organization's network and devices), and the theory that pen-testing essentially legitimizes bad behavior that used to be the exclusive domain of the criminal element."

Security outsourcing may be, for some, best for their situation. A recent survey, conducted by OnePoll on behalf of LogRhythm, found that 70% of breaches were detected by a third party, rather than by the organization itself. So, it's a good idea to bring a fresh view from the outside periodically to perform penetration testing, which should not be a one-time exercise to analyze vulnerabilities, fix security issues and safeguard sensitive data. However, outsourcing security in which a service provider is called in might actually increase risk. Companies need to be cautious when outsourcing penetration testing services as it requires implicit trust in the third-party vendor and its ability to vet employees and provide trustworthy, trained, experienced consultants. Pentesters have necessarily access to large amount of information and, theoretically, could leave backdoors and vulnerabilities in the system during their testing. So, before a company has a third party go ahead and install software on the target devices to do more in-depth probing, it is important to check for proven customer service and an excellent track record.

In addition, when consulting with experts where appropriate, the company doing the outsourcing should always know what the testers are doing; it's important to "address the security level, legal responsibilities, privacy issues and risks associated with the service," as addressed, for example, in the Digital Service Standard (point 7 (understand security and privacy issues) of the Gov.UK website's Service Design Manual regarding the delivering of digital services. It's good to set the rules of engagement and set limits on what may and may not be exploited. What's more, it's prudent to make sure that each recommended remediation includes a caveat that the solution is thoroughly tested before it is implemented, as noted on Neil Roiter's CSO article, "Penetration tests: 10 tips for a successful program".

Conclusion

Security analysts are concerned the significant number of online breaches that continue to be unabated; penetration testing can help in fixing the vulnerabilities that are distributed in the network and by strengthening the security of the systems against potential attacks that are increasing in number and sophistication.

Is penetration testing worth it?

Penetration testing should not be considered a single protective measure but an important component of a holistic approach to security that goes from the use of protective automated tools to frequent internal security audits to training of employees in cyber awareness. American security technologist Bruce Schneier says "defending [computer systems] often requires people who can think like attackers." The point of penetration testing is "protection, detection and response–and you need all three to have good security." That being said, pen-testing services will put to the test systems to determine, if any 'weak-points' exist and if it can be broken into or not. It can be a valuable service that should be part of business plan and maintenance. Lately, there have been more businesses reaching out to talk with an information security expert about performing penetration tests on a regular basis as part of compliance audits. Pentesters possess the tools and hacking techniques using both manual and automated methods to identify weak links in any IT infrastructure that may provide access to sensitive information and are able to assess one's overall security posture before attackers do; thus, they can be the first step in preventing breaches from happening.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sources

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.