The "RISKY BUSINESS" Blog


Penetration Testing in a Foaming Dispenser ....

Posted by John Verry on Tue, Dec 15, 2009 @ 04:25 PM

Last week I bemoaned Axe Shower Gel's packaging and noted that we were working on some changes to our Penetration Testing service offerings to better meet our clients' assurance objectives.

Over the last 9 years we have found that you can generally divide our Penetration Testing clients into a few broad "stereotypes", namely clients who:

  1. View a penetration test as a necessary evil (e.g., small banks and smaller SaaS providers who conduct them to satisfy a regulatory or customer requirement).

  2. Are pretty confident that they have things "screwed down tight" but just want a quick test to make sure.

  3. Have a business driver (e.g., regulations, client attestation) and consider penetration testing to be integral to their security program (e.g., larger banks and SaaS providers).

  4. Operate in a high threat/high impact environment where penetration testing is viewed as critical (e.g., critical infrastructure, law enforcement, eGovernment).

Recognizing that "one size" doesn't fit all, we have tried to align our Penetration Testing offerings to provide assurance consistent with our clients' varying objectives:

  • An Investigative Pen Test - emulates an attacker who has little time, few tools, and may not even be targeting you specifically. He may stumble upon an interesting portion of your infrastructure during a broader sweep and will leave relatively quickly if he doesn't find an obvious security problem. Attackers who get in through a blank or default password on an administrative account are Investigative Attackers.

  • An Intentioned Pen Test - emulates an attacker who has more time and a few more tools than the Investigative attacker. More importantly, she has intent. She is targeting you and wants to find a weakness in your network. Attackers who get in by exploiting an unpatched vulnerability in an operating system or network service are Intentioned Attackers.

  • A Tenacious Pen Test - emulates an attacker that has time, tools, intent, and determination. She is willing to go the extra mile to make it past your defenses. She may even attempt social engineering to find a way beyond your perimeter defenses. She will do it quietly, though, and take care to go unnoticed. Attackers who convince your help desk to reset an account password for them are Tenacious Attackers.

  • A Zealous Pen Test - The primary difference between a Tenacious Attacker and a Zealous Attacker is that a Zealous Attacker won't try to stay under the radar. He will do things that get noticed. He may even intentionally disable access to services to see what happens. More than intent and determination, he has a belief that he needs to breach or damage your systems, one way or another. If he has any worries about covering his tracks, they are secondary to the success of the attack itself. Attackers who crash your mail server and deface your website are Zealous Attackers.

Just as packaging matters when it comes to shower gel, we believe it also matters when it comes to security testing. So choose wisely, and dispense exactly what you need. Remember, "one size does not fit all!"