Organizations invest heavily into security programs with the latest solutions and infrastructures; however, without testing there is no way to determine their effectiveness in case of an attack. Taking the most recent BBC example, where they had a server hacked by a Russian cybercriminal who attempted to sell the access to the server on the black market. As the FTP server is connected to most other servers on any given network, someone gaining access to it is free to surf the entire network. Such vulnerability of internal information is obviously a huge risk for all and any organizations. This security breach serves beyond proof the crucial requirement of penetration testing.
Penetration testing is nothing but an enactment of a potential hacker to identify the vulnerabilities of an organization security system, both internal and external. Otherwise called Pen testers, look for security loop holes in the business and instead of reporting on them they dig deeper into the system for further potential flaws. And with the increase of cloud based services, compliance has become a rising concern. Here comes penetration testing as a reliable method to test and validate the company’s security best practices.
Evidently, security assessments of an organization heavily rely on the outcome of penetration tests that basically uncovers all the weaknesses hidden in the organizational setup. Therefore, it is of utmost importance to optimize the test scenario and premise. It shouldn’t just be a tick mark compliance activity. Usually, testing is carried out as a response to a security breach, whereas, it should ideal be a preventative measure carried out on a regular basis.
Make the most of the Pen Test
For an effective penetration test, definition of credible attack scenarios is essential in addition to the coverage of industry frameworks such as OWASP, WASC, CERT and SANS.
Documentation of the penetration testing objective and exclusion (if any) of the rules of engagement is mandatory, which indicates the restriction on duration and acceptable working hours particularly if the target application environment is a live production system.
The credible attack scenarios should be based on the threat profile of the target business application platform, which should cover: purpose of the business application, operational criticality of the application, classification of data processed or stored by the application, mode of access to the application and related access control measures to protect the business information and information processing system.
Penetration testing should deliver reproducible results with supporting evidences by following a repeatable methodology that is approved and documented. The tools, scripts and manual techniques must be proven and evaluated prior using them on live production environments. Revalidation of identified security findings from automated tools through manual assessment and alternate scripts or tools is mandatory in order to minimize the reporting of false positives or negatives.
To make the testing most effective, and prevent data loss through malicious attacks or human error, results need to be acted upon. The official penetration report should be published to a restricted distribution list of authorized personnel, post obtaining factual and technical accuracy confirmation from the respective stakeholders.
