Religion, Politics, & (now) Penetration Testing

My mother always used to say “you should never discuss religion or politics with others”. As I’m not very knowledgeable in either, nor do they appeal to me very much, it’s been pretty easy to comply with mom’s guidance.
Over the last few weeks I’ve learned that there is one more item to add to that list – “Penetration Testing”. I wrote a blog on Penetration Testing that was intended to stimulate discussion. The hope was that it would move the conversation forward on an industry subject that sorely needs open and candid conversation that can inch us towards a more standard definition of the same. Instead, what I got was highly negative feedback that was delivered with a fervor reminiscent of a religious zealot. The more rationally I attempted to explain my position the more irrational the response – finally I gave up. My argument was pretty simple – scale the test to ensure that the testing activities are proportional to the risks the client is looking to validate; that is, controlled to an acceptable level.
While I understand the value of a black-box penetration test, ongoing vulnerability research, and writing custom exploit code, I find it remarkable that there are practitioners who insist that unless a test includes these, it is not a penetration test. To suggest that the right penetration test for the CIA is the same as the right penetration test for a widget manufacturer ignores basic risk assessment principles. The cost of the control should not exceed the cost of the risk it mitigates. Where a compromised server at a widget manufacturer may be a mildly business-impacting nuisance, a compromised server at the CIA may result in thousands of lost lives. Clearly, the extent and rigor of the testing for the CIA should exceed that of the widget manufacturer. I have yet to meet the widget manufacturer who wants to protect himself from custom-written exploit code; it's a risk that they are simply willing to accept.
I have been following a similar debate on another blog this week that I think is interesting and illustrates my point. And no... I am not either of the folks in the conversation :>)
Related Articles That Might Interest You
Free Download: A Best Practices Guide to Database Security
Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.
Free Whitepaper: Stop Wasting Money on Penetration Testing
Penetration Testing is most frequently performed to:
- Substantiate the net effectiveness of a mature control environment
- Prove to a third party that an environment is secure/trustworthy
- Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
- To validate that significant changes did not have unanticipated results
Free Download: ISO 27001 Implementation Roadmap
Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.
Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!
Is ISO 27001 Right for (Y)our Organization?
Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar
- How to deal with increasing threats
- How to manage multiple regulatory requirements
- How to handle client requests for attestation
Download: Information Security Attestation Guide
A Best-Practices Guide to Information Security Attestation
Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.
Best Practices for Firing A Network Security Administrator
Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.
Free Whitepaper: Five Best Practices for SIEM
The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.
About the Author:
John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor