The Proper Place for Penetration Tests

By Charles Duckett | September 06 2018

The entrenched belief that a penetration test is critical for probing the weaknesses of an enterprise’s cybersecurity. Attached to that belief is the notion that a penetration test is a stand-alone service able to resolve problems independently. That is simply not the case and could be a waste of time. There must be significant scrutiny to the cybersecurity of an enterprise before a penetration test can even be considered. Neglecting these [a priori/get a better way of saying this] considerations can render the penetration obsolete and worse yet, neglectful of the fundamental problems plaguing the cybersecurity of an enterprise. This is not to say, however, that a penetration test has its place in the arsenal of a well-developed cybersecurity program or initiative. 

A penetration test is meant to find and exploit known vulnerabilities in a system that arise from several symptomatic issues in an enterprise. These include enterprise security misconfigurations, improper segmentation of networks, web exploits, weak authentication mechanisms, etc. It is not meant, however, to be a one-time solution for most if not all cybersecurity issues. 

The natural next question to ask is, what should I do before a penetration test? For starters, there is no value in implementing a penetration test if the current enterprise is not on par or above compliance standards. The system is already self-evidently flawed from a more fundamental level. The same is true if there are underlying problems in the supply chain. There is no need to penetrate an enterprise if the hardware it rests upon is inherently flawed. These considerations must be made before even mentioning a penetration test. 

Another imperative consideration to make before conducting a penetration test is to ensure that the insider threat and cybersecurity awareness of the users interacting with the enterprise are trusted. If the interactions between the enterprise and its users are not secure, then the value of a penetration test is undermined to the point of uselessness. The penetration test will secure the enterprise on a level dependent upon the trust of the users. This means that there is no point in securing misconfigurations if users compromise the system when they get an email from a Nigerian Prince tempting them with gold. Phishing scams aside, the insider threat must be secured first to mitigate the possibility of untrustworthy users bypassing security measures. These threats would also render the penetration test worthless. 

So, where does the penetration test have its place? As this article has attempted to illustrate is that the penetration test has its place as a complimentary measure. It is not a stand-alone service, but instead a service that should be conducted after other foundational aspects of the cybersecurity program are secured. The penetration test, if conducted properly, is extremely effective at securing vulnerable gaps in the enterprise that would otherwise go unnoticed without a comprehensive scan to the entire enterprise. To put this in perspective, the penetration test is akin to effacing cracks in a dam whereas the other more foundational services are akin to the structural integrity of the dam itself. Neglecting the cracks will destroy the dam slowly, but if the dam is made from wood then serious reconsiderations should be made. 

 

About Domain5: 

Domain5 is a committed cybersecurity company dedicated to all aspects of defense. Our support is flexible to any business demand large or small. We possess capabilities that extend from providing CISOs (Chief Information Security Officer) on-demand to compliance advise to risk intelligence and everything in between. These capabilities add up to a holistic experience that reconciles business operations with security demands to the highest possible efficiency. Our service allows your company to take control of the issues you face daily. 

Recent Posts