For some organisations, penetration testing is merely a compliance requirement that they hope will find the minimum of weaknesses. For others, it’s a key step in discovering where their weaknesses lie, so they can fix them.
But is pen-testing too often an afterthought, taking place after systems have been developed and installed? And how is penetration testing dealing with the increasing complexity of organisations’ environments?
We talked to Mark Raeburn of Context Information Security who explained that there is still a big issue in getting organisations to understand the difference between a pen-test and a vulnerability assessment.
Keeping up with emerging threats and vulnerabilities has always been a challenge, he says, but now pen-testers also face increasingly complex environments. The customer’s systems may contain elements that they don’t own – such as cloud services and employees’ personal devices. Both are usually out of scope – i.e., off-limits to the pen-test – in the case of BYOD devices because they hold personal data. So is producing meaningful results from pen-tests becoming more difficult?
Increasingly, the answer that customers want from a pen-test is, ‘am I secure?’ And that’s actually a bigger question than pen-tests have traditionally been designed to answer. It involves a lot more than finding a few holes in the network. So pen-testers are adopting a more aggressive, red team approach. Partly, this is a response to the concerns organisations – particularly in the government and finance sectors – have about determined and skilled cybercrime groups and state-sponsored hacking.
In addition, how realistic are customers about their vulnerabilities and the threats out there? Are they too easily swayed by the latest headline-grabbing threats while ignoring more mundane issues?
And as companies finally start getting to grips with risk, how does this map to penetration testing?
Raeburn also explains how he believes pen-testing should be far more integrated into development and management processes, and the purchase of third-party software and services – and not be thought about as something you do later when everything’s in place.