(Nikk Gilbert is a longtime customer and user of CORE IMPACT Pro)
Penetration Testing vs. Vulnerability Assessment
When I talk about penetration testing, one of the first things that I like to try to accomplish is to dispel the common misconception that vulnerability assessment (VA) and penetration testing are essentially the same process.
While both are important elements of the overall vulnerability management ecosystem, each has its own distinct and important value.
What separates the two, you ask? Typically it’s a stack of paper reports listing assessment results about 5 inches thick – full of false positives – produced by the VA tool; in my most recent set of tests, it was actually more like 20 inches thick, representing the results of tests covering roughly 225 machines.
And while vulnerability scanning provides useful, if voluminous, results that tell us where all of our existing flaws may be, we depend on penetration testing to help us dig through all that information and show where our most important, pressing security weak points really reside.
Having used CORE IMPACT Pro for the past four years and having been a pen tester for a few more, my take is that it’s one of very few tools that can help you steer clear of the data overload at the hands of VA tools. When you have 50,000+ IP addresses, only IMPACT Pro can give you the speed and surgical precision you need to calculate risk across a large enterprise.
There Is a Method to the Madness
Penetration testing is really about following a well-defined set of methods to ascertain specific kinds of information about your IT security posture. Clearly, that's much more interesting than the simple rush of, "Oh gee, I hacked a system.”
Yet, at the same time, pen testing is just one tool in an arsenal of many that together help you get a bigger and better picture of your current level of IT security.
There is also a lot to be said for making the business case for pen testing inside your organization. Significant drivers, just to name a few, include the deliverables and benefits produced by the process, the depth of penetration achieved, the follow-up work the results call for, and the ability to demonstrate different types of return on security investment (ROSI).
It is true that sometimes legal and HR issues can turn pen testing into a minefield. That’s why partnering with numerous departments within your organization is clearly the smartest path to gaining support for these efforts. It is extremely important to have this part of the process well-defined long before you start your testing, especially if you’re going to be touching any user data or crossing international boundaries that stakeholders are likely to worry about.
Secret Squirrel It’s Not
It’s also important to realize that the majority of the time your pen testing activities are NOT going to be conducted in secret. It can’t be stressed enough how important it is to let people know that you’re going to conduct this testing.
What? Tell people? How is this possible?
Well, from a technical perspective, imagine that you’re conducting a pen test and you cause a glitch in one of the local servers. While you hope this doesn’t happen, letting IT operations know about your pen testing plan ahead of time can save hours of unnecessary troubleshooting on their part. It’s just common sense to let everyone know.
Along with that comes notifying the IDS/IPS administrators and firewall management teams. Pen testing sets off all types of bells and whistles, even where only the most basic security protections are in place.
All things considered, penetration testing is an important part of any organization’s overall IT Security and Risk Management portfolio.
When planned, pitched and conducted correctly, it really is extremely valuable.
-Nikk Gilbert, CISM, CISSP, Senior Information Management Professional