
Starting Down the Right Road to Penetration Testing June 9, 2009

Posted by Nikk in Information Security, penetration testing.

Penetration testing vs. vulnerability assessments

When I talk about penetration testing, one of the first things I like to dispel is the notion that vulnerability assessment and penetration testing are the same thing. What separates the two, you ask? Usually it’s a stack of paper about 20 inches thick full of false positives from the VA tool (exactly 5800 PDF pages for 255 machines). Having used Core Impact for the past 4 years and having been a pen tester for a few more, it’s one of very few tools that steer clear of this problem. When you have 50,000+ IP addresses, only Impact can really give you the speed and surgical precision you need across a large enterprise.

There is a method to the madness


Penetration testing is really about following a well-defined method to ascertain certain information. Clearly it’s much more interesting than “Oh gee, I hacked a system”. Pentesting is just one tool in an arsenal of many that help you get a bigger and better picture of your current level of security.

There is a lot to be said for making the business case for pentesting as well: the deliverables and benefits planned, the depth of penetration, follow-up, and showing the ROSI (return on security investment), just to name a few. Legal and HR issues abound; it can be a minefield. From an internal perspective, partnering with numerous departments within your organization is clearly the smartest path. It is extremely important to have this defined before you start your testing if you’re going to be touching any user data or crossing international boundaries.


Secret Squirrel it’s not.

It’s also important to realize that the majority of the time your pentesting activities are NOT going to be done in secret. It can’t be stressed enough how important it is to let people know you are actually going to conduct testing. What? Tell people? How is this possible? Well, from a technical perspective, imagine you’re conducting a pen test and you cause a glitch in one of the local servers. While you hope this doesn’t happen, letting IT operations know your pentesting plan can save hours of troubleshooting on their part. It’s just common sense. Along with that comes notification to the IDS/IPS admins and firewall teams. When pentesting, all types of bells and whistles can go off if even the most basic security protections are in place.


Penetration testing is an important part of an organization’s overall IT Security and Risk Management portfolio. Done correctly, it can be extremely valuable.


For more information on Core Impact:  Core Security