{"id":366,"date":"2016-10-22T11:01:44","date_gmt":"2016-10-22T11:01:44","guid":{"rendered":"http:\/\/www.inguardians.com\/?p=33"},"modified":"2018-11-30T21:06:23","modified_gmt":"2018-11-30T21:06:23","slug":"penetration-testing-considerations","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/blog\/penetration-testing-considerations\/","title":{"rendered":"Penetration Testing Considerations"},"content":{"rendered":"

Original Post Author: Don C. Weber [Twitter: @cutaway]
Original Date Published: 28 March 2013

John Sawyer pointed me to a blog post, "Getting the most out of your pentesting", by Wendy Nather of 451 Security. I would like to provide a little bit more context in the hopes that it will help CIOs, managers, administrators, and up-and-coming security professionals.

I think it is safe to say that no organization has an infinite security budget. In fact, most organizations have a finite security budget that varies according to business requirements and needs. An exception may be large companies that can afford to maintain a consistent and well-funded security team, while smaller organizations are forced to make trade-offs. Too often, they require their already overloaded Information Technology (IT) staff to pull double duty, and when deciding when and where to spend critical funds they do not fully consider the risk of trading security away for business needs. One of the first areas to get cut is validation of existing security controls through penetration testing.

Normal security controls, such as automated network and vulnerability scanning, can identify issues and help ensure that resources maintain a specific baseline implementation. However, penetration testing is a critical part of implementing a complete security framework and is intended to look beyond the limited detail provided by those controls. Penetration testing helps identify implementation issues that a human attacker may target to compromise an environment, establish a persistent foothold, and propagate to other resources to steal data. Penetration tests can also be used to validate the configuration of security controls and the organization's incident response policies and procedures by generating the anomalous activity associated with reconnaissance, propagation, persistence, and (if a client approves and requests it) data exfiltration.

For a comprehensive and effective penetration test, your organization should identify and retain an experienced, clever, and creative penetration testing team. Costs will vary with the level of effort and experience required, because companies providing penetration testing services are businesses just like any other. They will have information about the levels of effort required for a wide range of testing scenarios and are aware that funds are always limited and precious to their clients. Thus, penetration testing organizations will be willing to negotiate and arrive at a recommended testing scenario that meets the client's budget while covering their own costs for maintaining the appropriate staff and tools to accomplish these efforts. The penetration testing company will also help an organization prioritize tests, increasing the likelihood that the most effective tests are performed first and thereby reducing costs over the long run.

Of course, no matter which penetration testing team an organization chooses, the testing team will also work within a limited period of engagement. This is in contrast to an attacker's limitless allotment of time. Therefore, your organization will want to make the most of the time spent working with a penetration testing team. Here are some recommendations: