Penetration testing: an enterprise guide
Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?
"Systems could stop working due to configuration issues introduced by the enterprise and these will be out of the control of the testing organisation," Kyriacou continues. "However, penetration testing organisations also have a duty of care. They need to ensure that they do not actively test for Denial of Service (DoS), which could bring systems down unless authorised to do so."
But, while agreements can be tailored, typically they are the same for most enterprises. That said, there may be specific requirements such as actively testing for any Denial of Service vulnerabilities or attempting to remove data from databases and these will be included in the scoping document that will be signed off by both parties.
"Pen testing organisations will typically use penetration test systems that do not belong to their customers (requesting the penetration test), but they are using infrastructure belonging to a third party," Kyriacou explains. "In this situation, the enterprise must gain authorisation from the third party for the penetration test to occur and the penetration testing organisation should ensure that this agreement is in place prior to the penetration test."
In conclusion, or inconclusive?
We will leave the last word to Marcus J Ranum, CSO at Tenable Network Security, who warns that pen testing is actually more accurately a penetration demonstration and nothing else.
"This may seem like a theoretical quibble, but it's not," Ranum told IT Pro. "Penetration testing is not a test in a useful sense. When one uses the term test one is falling under the rubric of scientific or testing methodologies - and the single most important question a scientist or researcher asks about any test or experiment is What are the possible results?' In a scientific framework, there are certain things science can't prove so you have to sneak up on a hypothesis by eliminating all the other hypotheticals that would refute it. This is an important and subtle point, because it cuts right to the heart of how most of the industry doesn't understand penetration testing - you are not able to prove that a system is secure, you can only prove that it's vulnerable."
To cut to the chase, then, while pen testing is a valuable weapon in your enterprise security strategy armoury, it shouldn't be seen as something that can fire a magic bullet and make security problems go away. Far from it, Ranum argues. "If the theory being tested is 'my network is secure' and you perform a penetration test to find a vulnerability, then the hypothesis is refuted: 'my network is secure' is untrue," he says.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Unfortunately, you can't prove a negative that way, you cannot conclude that 'because my penetration testers found nothing, therefore my network is secure' - the best you can conclude is that your penetration testers didn't find anything."
Ultimately, a penetration tester can never conclude that your network is secure, only that in this point of time and using the knowledge he or she possesses, no vulnerabilities were discovered.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.