Penetration Testing - Why Inexpensive Means Incomplete
Every day, audit committee members and IT directors wrestle with the question: Why shouldn’t I just go with the cheapest penetration testing rather than a more comprehensive external network security assessment?
Selecting a vendor to provide network security testing is difficult because the vocabulary to describe the services delivered is not consistent. There are no widely accepted standards for what is sufficient for regulatory purposes and what is sufficient for security purposes.
The scope required greatly affects which network security vulnerabilities are detected. Using home security as an analogy, an automated vulnerability test or scan attempts to identify all potential points of entry, such as doors, windows, chimney, walls, and skylights, and notes the potential vulnerability represented by each. The report enumerates likely weak points based on nominal information. For example: “A door without a deadbolt lock is susceptible to being pried open.”
Penetration testing reviews the vulnerability test/scan, selects the most likely weak points, and works like the dickens to get into the house. For some providers, once one potential weak point proves effective, the test is complete. Entry gained. No reason to try to get in another way.
In contrast, a comprehensive external network security assessment builds on a vulnerability scan and takes penetration testing in further directions. First, it validates which of these vulnerabilities present a real risk of entry. Perhaps there is no deadbolt, but the door construction and frame design eliminate the possibility of entry through prying.
Additionally, manual analysis detects problems that an automated test cannot see. In our analogy, what might be missed without manual analysis: your second-story windows are open and covered only by flimsy screens; there is a hidden key under the doormat; although the doors are locked and have deadbolts, there is little evidence the deadbolts are actually used; the garage door can be opened with a universal remote and the door from the garage into the house is unlocked; the security system is on, but the audible alarm is disabled or there is no reporting to the local police. A vulnerability scan misses these!
When selecting vendors, make sure you specify more than an automated scan and vulnerability testing. Your company deserves a comprehensive security assessment in order to be sure you are receiving a full review of your security and a clear roadmap for spending your limited resources.