March 20, 2013
Penetration testing is a security protocol that many organizations undertake against their systems, servers or networks as a means of testing vulnerability to attacks by hackers. This kind of security examination consists of simulating attacks from either outsiders with no special insider knowledge of system defenses or from insiders with some confidential knowledge of security implementations.
As a procedure for checking if a company’s, organization’s or system’s digital security mechanisms are good, penetration testing can be highly effective under most circumstances; especially if performed thoroughly to simulate a wide series of potential threats under different circumstances.
However, like any security checking mechanism, Penetration testing is not perfect and it has both its pros and cons. Ultimately, a pen test is only a single (albeit large) component of a full scale security audit that should include other procedures like staff interviews, software and hardware vulnerability scans and an analysis of physical access to important systems.
Why Penetration Testing is Vital
A robust network or system can only maintain its strength if it is constantly put through “trial by fire” in a systematic way that is always working to eliminate its security weaknesses and push the system into constantly evolving forward to resist the latest attack vectors out there.
Since the art of hacking itself is constantly pushing to keep up with and break the latest software security and intrusion protection processes, organizations that don’t want to fall victim simply have to do the same on an ongoing basis. It’s especially vital for them because they are working against a distributed threat structure while relying only on themselves to fight it.
For these reasons and others, every company should have a dedicated team that’s always trying its best to test the organization’s anti-intrusion safety and, at the very least, use the services of hired individuals or even software based pen tests such as Metasploit, Canvas, or Core IMPACT to frequently check their systems for holes. The investment in time and money may seem costly but it pales in comparison to the sorts of costs that can be poured upon an organization that gets lazy and lets its clients or internal data get stolen, destroyed or interfered with.
Pros and Values to Penetration Testing
There are a number of excellent value points that come from conducting robust penetration tests. These include but are not limited to:
• Determining the likelihood of a variety of different attack vectors based on your system’s existing infrastructure.
In essence, no two hacks will be exactly the same and whether your potential intruders use application-based attacks such as SQL injection or using cruder methods that rely on tricking employees into granting unwanted systems access will depend entirely on your specific set of circumstances and infrastructure development. A penetration test can discover exactly what these circumstances are and help you fix them as well as the underlying weaknesses that allow them to exist.
• Identifying select high-risk weaknesses that exist thanks to a combination of smaller vulnerabilities.
Many otherwise secure organizations that maintain strict large-scale security policies are still weak to penetration thanks to numerous tiny leaks that can lead to intrusion disaster if exploited in just the right sequence of events. These small weaknesses could be software related, code related or, more commonly, be the product of numerous minor cases of employee negligence in sticking to strict security protocol.
Through a robust and multi-faceted penetration test, a company can root many of these small vulnerabilities out and patch them up in a way that breaks a hacker’s capacity to create intrusion sequences from small, steady efforts at prying little cracks wider.
• Identifying weaknesses and cracks that are impossible to detect through automated security systems.
One of the biggest benefits to a robust penetration test that’s conducted by trained human professionals is its usefulness in detecting exactly the kind of weaknesses that human attackers are most likely to take advantage of. Since penetration testers are in essence being paid to pretend they’re genuine hackers trying to breach a system, their procedures and behavior will mimic the clever rigor of such threats and automated penetration prevention software is often too rigid to simulate this sort of approach.
However, since most real attackers are going to be human or at least humans directing different malicious code tools, a robust audit through human directed pen testing is a company’s only real way of knowing just how vulnerable it is in the real world of constant, highly-clever attacks on valuable data.
• Testing and improving the strength and response ability of network or system protection.
The ultimate and most powerful benefit of pen testing lies in its value as a training tool for network security staff and their automated protection protocols/software. Without live, real-time tests of actual vulnerabilities in a company’s actual network or data systems, no security team can ever really know just how strongly they’ve set up their data protection protocols.
Hypothetical protection value is great but, unless submitted to completely real testing of its robustness and improved accordingly, it can fail catastrophically against the deeply multi-faceted and innovative efforts of actual bad guy scenarios.
A Few Cons to Worry About
Despite all of its benefits, not every aspect of penetration testing is completely rosy in its helpfulness. There are a number of reasons for this but three crucial potential cons need to be taken into consideration:
• Tester Trustworthiness
The bottom line behind all penetration tests is that the company doing them is actually hiring people to try to break into its systems. While the practical and inescapable value of this has already been covered above, the people normally being hired to perform these attacks are still hackers and, in many cases, the same types of hackers whose experience was gained from breaching systems for illegitimate reasons.
This creates an obvious trust issue that isn’t as easy to resolve as it seems: On the one hand, organizations that wish to test their own vulnerabilities might decide to simply avoid being compromised by using their own in-house staff along with a package of powerful pen test software tools. However, this can be costly, ineffective due to employee inexperience since, ultimately, the best possible idea of how strong something is against attackers can only be had by inviting the attackers to try breaking into it.
A decent possible solution is to carefully pick out a highly reputable firm that has a track record of trustworthiness and problem-free client satisfaction.
• Unrealistic Test Conditions
Another potential detriment to regularly scheduled penetration tests is the possibility of them breeding a sense of complacency or unrealistic levels of preparedness among in-house digital security staff: Because they know when a test is going to come, they prepare well in expectation and perform well against the pre-planned intrusion.
The result is a sense of strength that isn’t entirely justified by the situation; real life attacks will always come without expectation and they will often arrive in ways that are highly creative and very hard to plan for at all. This is, after all, exactly how hackers continue to succeed against network security systems, despite the billions invested in the data protection industry.
A possible solution to this danger is to conduct intermittent “unannounced” pen tests whose scheduling and occurrence is only known to the hired attackers and upper management staff instead of every security employee, as would be the case with “announced” penetration tests that everyone has planned for in advance. The former may be better at detecting realistic weaknesses.
John Dayton is no stranger to writing poignant material about the tech industry. When he’s not writing, you can find him reviewing LWG Consulting. Check out what they’re all about by visiting their page about structural failure analysis.