Thursday, July 2, 2015

Penetration Test or Security Review

The most common question I am asked is how much an intrusion test (penetration test) costs.

There is only one intelligent response to that question: "that depends".

Ethical firms and individuals will ask questions, perhaps do some preliminary testing, and list the most reasonable actions to take at the client's current maturity level. This equates to doing a good job. So essentially, the workload or "price" is for doing a good job.

Firms in it for the "business" will quote whatever gets them to win the deal.

I was asked this morning if I could do a job we quoted for six thousand less; my response was "of course, some things simply won't be addressed".

"Intrusion Testing is like walking buckets of water up a flight of stairs."

If you have someone who is built strong (competent), then there are only so many buckets an hour that can be carried, end of story.

With intrusion testing, you have no idea how much water is available to carry up the stairs, and your end goal is never to carry ALL the water up the stairs, just to carry more water than what the bad guys might have carried. Perfect security is unattainable, and cost prohibitive. Reasonable security is simply just that... reasonable.

Security testing exists at many different phases of maturity:

1) Pre-production tests
2) Production tests - First tests ever done
3) Recurring tests that progressively go deeper and deeper
4) Targeted scenario tests - Specific product

The idea is generally to ensure that nothing embarrassing is left unresolved and that everything reasonable has been looked at.

What is unreasonable? If you invest 5 days in security testing, you're clearly stating that no one will invest more than 5 days to breach you.

What about disgruntled employees? They have a head start, sort of like they have already invested 30 days and only need to add a day or two to cause real damage. The same goes for a new virus that targets something very specific.

When a respectable firm quotes a security test, these same firms can always do less, they are just telling you what would be reasonable, what would be a test that everyone involved would be proud of, would respect, and would defend.

When dealing with a respectable firm, you get what you pay for, so if you decide to tell your cardiovascular surgeon to only run half the tests, you shouldn't be surprised if something is found to be less than optimal in the future. And all involved should also realize EXACTLY what was asked, and what it means to only do part of the tasks.

One thing is certain, most companies are not truly doing security testing.  They test some things and leave out other areas that should have been looked at.

Every crisis post-mortem I did in 2014 rested on very embarrassing things that should have been known and resolved long ago.  Thinking your enterprise is different is not only dangerous, it is irresponsible.

That is why I prefer to call these tests a SECURITY REVIEW.  This way, I can provide very valuable information about the maturity of the ecosystem as a whole, since this is where the next breach will come from.

Knowing your maturity across all the areas that can impact the enterprise's security, that is reasonable. That is respectable. That is an invaluable management tool.

The other major risk involved with low quality intrusion tests is that a report then exists that says that intrusion testing has been done, and whatever was found was resolved, therefore the enterprise is secure. Experts will laugh at the idea that the enterprise is secure because an intrusion test was done; managers, and most importantly senior executives, are not experts. They trust what they see, what is being reported to them.

That is where so-called security experts who do a "piss poor job" are acting irresponsibly and causing great harm to the security industry and their own clients. Letting senior managers think things are a certain way, when in fact they don't know, shouldn't be a common practice, yet it is.

Word of the day: Value

You get what you pay for, and if you're giving your money to low competency individuals and firms, what value are you getting?
