The ‘why’s and ‘wherefor’s of Penetration Test
Author: admin | Category: Featured, Information Security, Penetration Testing | Leave a Comment
A security-conscious client will ask the following questions before considering Penetration Test (PT) on the system:
1. Why should I perform penetration test?
2. What advantages or benefits will it bring to my organization?
We will try to address these questions. These are all my personal observations and the reader may have better ideas, which are always welcome!
There are plentiful reasons for performing a penetration test. Of course the major one is for finding the vulnerabilities of the system and for fixing them before giving a chance for the intruder to exploit them. It might be worth testing the environment or the system before exposing it them in live mode.
Penetration test mimics activities of real world attackers. By employing techniques that are used by real intruders, we may be able to get a real-life view on possible access points to our systems, and assess their impact.
Penetration testing can find the vulnerabilities and loop holes in the target system. Also it confirms the existence of vulnerabilities. This will help the organization to weigh the potential business impact, if the vulnerabilities are not addressed properly.
Penetration tests assist the organization in prioritizing the resources for improving the security.
Penetration test facilitates organizations to comply with the security standards which are being followed in the industry. It forestalls all chances of potential losses resulting from security breaches.
Penetration test also offers a secure chance for the organization to test new technologies before they are incorporated in the live production stream.
Penetration test helps to enhance the security awareness of system administrators. Often system administrators are not aware of the dangers of improperly configured systems. Some time their negligence in securing system may open the doors for attackers. By showing what intruders can do to gain access to a system, one can assist system administrators in arriving at informed decisions on how to secure their system.
Disadvantages of penetration testing
A badly conducted penetration test can have serious consequences in the network where the test is conducted. It may result in network congestion and system crashing. In a worst scenario, it may leave a bigger mess than we started to clean up. Yes, PT may end up in compromising the system and turn it an easy prey to stalking intruders. It is therefore vital to conduct the test with proper planning and also in a structured manner.
As penetration testers perform illegal activities in the network, their knowledge in defining the scope and selecting the appropriate tools are very important. Because any unlawful activity carried out may break the law of the land, the tester may end up behind the bars. So it is important that the penetration tester should be aware of the law of the country where they propose to conduct the test.
Penetration test should be a continuous process. The tests conducted today may not be valid for tomorrow. It essentially provides a snapshot of the organization’s security at a particular point in time. Any new vulnerability found later in the system, due to the changes or up-gradation of software will have to be addressed at a future date. Hence it is ideal to conduct the test even after the systems are upgraded or patched.
