1 Executive Summary
When done well, a penetration test should provide evidence that your security investments to date were well spent and help guide your future spending.
The best penetration tests are those that augment a security regime where the testing basics are already in place and part of everyday life. Why pay for a "penetration test" that amounts to a one-off manual vulnerability assessment, when you can implement continuous automated vulnerability scanning, probably for less money?
The key to any penetration test is to scope the test properly and ensure that senior management recognise the risks that are being tested and concur with their prioritisation for testing.
In its implementation and execution, a penetration test should be treated no differently from any other major corporate implementation project. If it is to be successful it needs careful planning, resourcing with an internal project team (even if the team doing the testing is externally sourced) and senior sponsorship.
If done badly, a penetration test will consume significant time and money, scare your senior management team and fail to address any of the strategic changes needed within your business.
The best penetration tests use a threat assessment to identify “targets” or “flags to capture”, give the penetration testers the output of the organisation's own automated vulnerability scanning system together with physical access to its network, and then pay a bonus for every flag captured, web site actually modified or senior executive successfully socially engineered. Only this type of penetration test will help identify both the “known unknowns” and the “unknown unknowns”.
Finally, before you start any penetration test you need to decide what you will do with the results. Every penetration test will expose some level of failing; such is the nature of modern IT systems. If you can pat yourself on the back and report to management “they did not manage to get in”, then you either designed the penetration test wrong or hired the wrong company to perform it.