Essential to enterprise security, or a waste of time? Security professionals' opinions regarding penetration testing (pen testing) tend to fall at one end of the spectrum or the other, but, as with most IT practices, its value depends on how it is applied and scoped. And while pen testing alone is never enough to prevent data breaches, the information gleaned from such efforts nonetheless plays a critical role in strengthening a firm's continuous security mechanisms.
First, a clarification of terms: pen testing is not a concrete set of security practices or a structured methodology. Rather, it is a broad term that encompasses a slew of activities for identifying weaknesses in an organization's digital defenses. This could entail using specialized toolkits such as Kali Linux or Backbox to discover exploitable vulnerabilities, carrying out social engineering attacks to test a data center's physical security controls, or employing so-called "white hat hackers" to simulate digital breaking and entering. Despite the myriad activities and programs, the end goal of all pen testing efforts is the same: to improve an organization's security posture and reduce its cyber risk exposure.
*Chart adapted from cleverhouseconsulting.com.
By using the same techniques that cyber attackers employ, pen testers can evaluate the security posture of a web application, an IT infrastructure, or even the composite defenses of an organization at large. And while firms engage in these initiatives to find and mitigate vulnerabilities, the overarching business drivers for pen testing include reducing the cost of downtime and mean time to repair (MTTR), preserving the brand's image, maintaining customer confidence, avoiding costly litigation, adhering to industry guidelines and regulatory requirements, and more.
All of the above would seem to more than justify pen testing, but in actuality even the most thoroughly tested applications and infrastructures can still fall victim to data breaches. This is the disheartening truth of the matter: an attacker needs only one gap, and attackers are often a step ahead of defenders in finding it. Furthermore, the best pen testers in the world can only work with the knowledge and tools at their disposal; when zero-day vulnerabilities are involved, security professionals are in perpetual catch-up mode.
Pen testing critics therefore assert that such activities and programs are a waste of time because, at the end of the day, they only confirm one of two things: that an organization's defenses can be compromised, or that the pen testers employed were not skilled enough to carry out a successful attack. Organizations, the argument goes, are better off spending their time and resources on other security expenditures (e.g., upgrading to next-generation firewalls, acquiring bleeding-edge tools, hiring more IT security professionals).
While it is true that pen testing alone will not prevent data breaches, such efforts are nonetheless critical to an organization's enterprise resilience, that is, its ability to take measured risks in the face of inevitable security compromises. Pen testing, like any security practice, is ineffective if carried out in a vacuum. The current threat landscape is composed of emerging and evolving threats as well as opportunistic exploitation of simple misconfigurations and faulty deployments. Pen testing is critical for surfacing the vulnerabilities and security gaps that could lead to data breaches, but a point-in-time test says little about how well a firm detects and mitigates attacks from one day to the next, so how does a firm quantify that ability?
*Image adapted from cnsgroup.co.uk.
To have any lasting effect on the business, pen testing must be integrated into a continuous security framework that includes automated vulnerability monitoring, patch management, ongoing risk assessment and management, and traditional defenses such as perimeter security, intrusion detection, and security configuration management, alongside manual pen testing itself. In practice this means each pen test finding becomes a check that runs continuously, so that a misconfiguration fixed today is caught again if it drifts back tomorrow. UpGuard's resilience platform dovetails into this framework with its OVAL-based vulnerability testing, policy-driven configuration monitoring, and CSTAR scoring for measuring and quantifying enterprise cyber risk. Give it a try today: the first ten nodes are free forever.
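As an added illustration of the policy-driven configuration monitoring described above (example code written for this page, not UpGuard's product code or any vendor's), the script below turns a typical pen test finding into a check that can run on every host, on every scan. The sample sshd_config contents, the policy table, and the function names are constructed for the example; the "default" values are the OpenSSH defaults as assumed here, so that a directive that has merely been commented out is judged by what sshd will actually do rather than silently passing.

```python
import re

# Constructed sample of an sshd_config as a pen tester might find it:
# root login and password authentication are both permitted.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, weak settings)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
"""

# The same host after the findings were remediated (constructed sample).
HARDENED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, remediated)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
"""

# Policy derived from the pen test findings. For each directive: the values the
# policy accepts, and the value sshd assumes when the directive is absent
# (OpenSSH defaults, assumed for this example).
POLICY = {
    "PermitRootLogin":        {"allowed": {"no", "prohibit-password"}, "default": "prohibit-password"},
    "PasswordAuthentication": {"allowed": {"no"},  "default": "yes"},
    "PubkeyAuthentication":   {"allowed": {"yes"}, "default": "yes"},
    "X11Forwarding":          {"allowed": {"no"},  "default": "no"},
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the active lines of an sshd_config.

    Comments and blank lines are skipped. sshd honours the first occurrence of a
    directive, so a later duplicate must not override an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"([A-Za-z0-9]+)\s*=?\s*(\S.*)", line)  # "Key value" or "Key=value"
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        settings.setdefault(key, value)  # keep the first occurrence, as sshd does
    return settings


def evaluate(text, policy=POLICY):
    """Evaluate an sshd_config against the policy.

    Returns a list of (directive, observed_value, status) with status "pass" or
    "fail". A directive missing from the file is judged by its default value, so
    a commented-out line does not silently pass.
    """
    settings = parse_sshd_config(text)
    results = []
    for directive, rule in policy.items():
        observed = settings.get(directive.lower(), rule["default"])
        status = "pass" if observed.lower() in rule["allowed"] else "fail"
        results.append((directive, observed, status))
    return results


def failing_directives(text, policy=POLICY):
    """Names of the policy directives the config violates (empty when compliant)."""
    return [d for d, _, status in evaluate(text, policy) if status == "fail"]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {label} ==")
        for directive, observed, status in evaluate(cfg):
            print(f"{status.upper():4} {directive} = {observed}")
```

Run against the weak sample the check fails PermitRootLogin, PasswordAuthentication and X11Forwarding; against the remediated sample it passes everything, and it will fail again the moment any of those directives drifts back. The parser deliberately ignores Match blocks and Include directives, so a production check would need to handle those (or simply evaluate `sshd -T` output, which resolves them) before trusting a pass.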