Use Cases for Penetration Testing
Every organization should be evaluating its own security with some type of assessment. The only true way to test the preparation and responsiveness of a program is by subjecting it to an adversary. What kind of assessment is right for your organization, and how frequently should assessments occur?
Here are some questions to ask when considering penetration testing or some type of security assessment:
1 What types of security assessments should you be doing?
The specific assessments that yield the best insight for a given organization are going to depend on its goals. This is a conversation that must happen at the outset of testing. Like a science experiment, there should be expectations set ahead of time regarding what is being tested and what results are expected.
- Penetration Test: This is the most appropriate type of assessment for many organizations. Depending on the industry, Pen Tests are sometimes required to satisfy regulatory compliance.
- Red Team: This style of assessment is appropriate for more mature groups that have already engaged in pen testing and have a well-defined Blue Team.
- Purple Team: This style of assessment is more collaborative during the testing and is meant to educate the Blue Team, often in real time.
- Software/code auditing: If the customer develops software, it should subject its products to penetration testing at least once per year. This will ensure that there are no foundational security issues, and having a scheduled test establishes a goal of secure development.
- Transitioning to Cloud: An architecture/configuration assessment should be made during this process to make sure no security issues are being introduced as part of the transition.
- Social Engineering: The main goal of tests that involve social engineering is to educate personnel. Humans are often the weakest link in a security program.
2 How often should an assessment be performed?
It’s akin to visiting the doctor: an assessment should happen at least once per year, just to keep up with the constantly changing threat landscape and to take the pulse of the general security maturity process.
An assessment should also be performed after any kind of major change, such as a redesign of infrastructure, new products, or a transition of services to the cloud. This helps identify any new security gaps and ensure safety.
An assessment should also be made during development and/or prior to releasing a new product such as an IoT device, web application, mobile application, etc.
3 What questions should you ask a pen tester?
Like any IT or security services engagement, some questions should be asked prior to granting permission to assess your systems. For all intents and purposes, an assessment is an attack under controlled conditions. Questions to ask:
- What past experience do you have?
- Do you have experience with companies of this size and nature?
- How will our data be kept safe?
- What post-assessment actions will be taken to return systems to pre-assessment state?
4 Do pen testers always find something?
Yes. Always. This is why it’s important that the scope of the assessment is designed to meet the organization’s specific goals. Some findings may be minor or already known.
On the off chance a tester doesn’t find anything of consequence, they should provide a report that includes what has been tested, which policies and configurations proved successful, etc.