This terminology has always been a peeve of mine. People asking for a penetration test rarely want an actual penetration test. This is what a penetration test is:
Find a vulnerability, any vulnerability and exploit it to reach your target.
Basically you are hiring someone to break into your system to prove that someone can break into your system. You typically want to define a goal, like “get customer credit card data”, to attempt to determine how well you have protected that asset. You are tasking someone to find one exploitable issue, exploit it, and continue to attempt to gain access to the target asset. Here are the problems with penetration tests:
- They will always be constrained by money. Consultants will gladly try to break into your system for a year, if you are willing to keep paying the hourly rate.
- You are going to put some constraints on what the pentesters can and can’t do, such as no denial-of-service attacks and no attacking certain critical systems outside certain hours.
- You will probably eliminate physical security checks and social engineering.
- A penetration test will not tell you where all your vulnerabilities are, just the one or two that lead to the compromise. This is critical because most pentesters have a few areas they are really good in. I am a good web application tester and social engineer, so those are the areas I am going to target. Someone else might be really good at exploiting routers, so they will spend all their time there.
Sadly your real attackers are not constrained by any of these things. If your asset is valuable enough they will spend hundreds of hours trying to access it, use any technical means necessary and even socially engineer your employees.
There is one very narrow area where a penetration test can be valuable: testing out your detection, response, and forensics capabilities. These have to be set up very carefully in advance. The consultants need to know that they are attempting to circumvent detection mechanisms, otherwise they are going to throw the kitchen sink at your systems and set off every alarm. Not a very good test. The people monitoring systems should know nothing, and I mean nothing, otherwise you are going to taint their response. Consultants need a “get out of jail free card” in case they are caught. This mostly applies to physical penetration attempts but is also helpful on the network side.
You probably want an assessment, where you try to find ALL the vulnerabilities in all the systems. I will admit this is like getting people to stop using the term “hacker” to discuss people that break into computer systems, instead of really good coders.
