from Pivot Point Security
www.pivotpointsecurity.com
Contents
Introduction
Optimally Scoping a Penetration Test
Examples of Well-Scoped Penetration Tests
Determining if a Well-Scoped Penetration Test is Sufficient
Final Thoughts
Introduction
It may seem especially odd that we would publish a white paper entitled Stop Wasting Your Money on Penetration Testing when 40% of our revenues are generated by Penetration Testing. To be clear, we are not advocating that penetration testing has no value; rather, that penetration tests are often used in a manner that is inconsistent with achieving the assurance an organization seeks. This is exacerbated by a growing (and incorrect) perception that penetration testing is a commodity and therefore all penetration tests are the same. In reality, they are not defined and executed with equal extent and rigor.
For example:
- For a bank, the failure to conduct an appropriate penetration test can result in regulatory sanctions;
- For a service provider, the inability to provide third party attestation to their security posture can result in the loss of critical customer contracts; and,
- For a federal agency, the failure to conduct appropriate security certification and accreditation activities (including penetration testing) can result in non-compliance with federal laws and regulations.
3. Validating that a Penetration Test is the Optimal Tool to Achieve Objectives
While penetration tests are often an effective mechanism to rapidly gain a perspective on the current security posture, it is important to note that there are many critical elements of security that are not directly assessed (e.g. system logging [1], incident response). That is why it is especially dangerous to rely on penetration testing as the sole form of validation that security controls are appropriately designed, in place, and operating as intended.
[1] System logging can be addressed if a Vulnerability Assessment is run with administrative privilege.
Where risk is low, and the main business objective of the engagement is to garner a third party's opinion for attestation or independent review, then a stand-alone penetration test may be sufficient.
However, where risk is higher or the objectives of the engagement are more complex, then a more complete security audit is likely warranted. A full security audit provides a much higher level of assurance by integrating all three core elements of a security assessment:
- Design Assessment activities, which evaluate the appropriateness of controls by comparing the control design against the client's control objectives, industry good practice, laws/regulations, and/or the auditor's professional judgment (e.g. an Application Architecture Review);
- Compliance Assessment activities, which validate that the control measures established are working as designed, consistently, and continuously (e.g. a Password Audit); and,
- Substantive Assessment activities, which provide the auditee with assurance that the "net" control objectives are being achieved and, where they are not, provide a measure of probability and business impact (e.g. a penetration test).
When these are executed in combination, an organization receives the highest level of assurance possible, which includes:
- The design of the controls is reasonable and appropriate to the risk and in accordance with organizational standards and prevailing good practice;
- Evidence is gathered to validate that the organization is complying with the controls that have been evaluated; and,
- Appropriate tests are performed to validate that controls are effectively mitigating the risks specified.
For example, when looking at Network Security we may choose some combination of the following activities based on the network's complexity, risk profile, and the importance of specific controls in reducing risk. The order in which they are presented may or may not be the logical order that a particular situation warrants.
Final Thoughts
A penetration test is a lot like a bikini: what it reveals is suggestive, but what it doesn't may be vital. That is, penetration tests infer the net effectiveness of the environment by statistically sampling those control elements that can be readily analyzed from the testing perspective. Because penetration tests can often tell you a lot about your environment in a relatively short time frame, they can be an excellent mechanism to provide assurance or rapidly identify control deficiencies. However, appropriately defining the scope is critical to achieving a reasonable level of assurance.
Where risk is higher, a penetration test probably is not the optimal way to gain assurance and should be supplemented with other security assessment activities to ensure the testing is reasonable and appropriate to the risk. Remember: