Scoping A REAL Penetration Test

It’s difficult to look at the world of corporate information security compliance and not question whether it’s done more harm than good. We live in a world where large-scale information security breaches are an almost weekly occurrence, yet many of the breached organisations were already “ticking the box” from the point of view of corporate compliance. And herein lies the problem: compliance is the bare legal minimum requirement; it is not the goal. Sadly, in this world of increasing corporate competition, ever-leaner margins and shareholder pressure, that’s often where security efforts cease. Compliance alone is seen as enough.

As a result, organisations are replacing comprehensive penetration testing with simple automated scanning, because that’s all the standards have historically called for. They are deliberately scoping out known vulnerable systems because the standards allow cross sampling, and, sadly, some assessment firms are trading on their “flexibility” when it comes to scoping. We are, effectively, walking backwards at a time when attacks on organisations are gaining in sophistication and effectiveness.

By its very nature, an organisation’s Information Security Management System and associated efforts must be able to deal with the unforeseen. So when it comes to real-world testing, why do we narrow the scope past the point of realism? Is a real attacker going to play by “the rules”? Will they only test you between X and Y hours? And will they politely skirt around your most vulnerable systems?

So let’s look past mere compliance, and into real-world assessment. Let’s not forget to factor in our greatest risk – people – and let’s stop treating security assessments as a pass/fail; that’s compliance.

Next time you’re scoping a penetration test or other vulnerability assessment, concentrate on making your penetration testing a real-world attack simulation:

1. Justify every scope exclusion, and ask yourself if the reasons are satisfactory. “It’s old”, “It falls over a lot”, “It was shown as vulnerable in our last test” are not generally reasons that a shareholder or customer would be happy with. One thing penetration testing can help an organisation do is measure its rectification progress; scoping out known issues isn’t really progressive.

2. Consider your timeline. Penetration tests are often performed over such a narrow window that off-keyboard research is prevented. What if you contracted the same number of days, but over a longer timeframe? It would make detection far more realistic, help ensure that the most equipped personnel conducted each aspect of the test, and could well save you money.

3. Never, ever exclude humans. The number of penetration tests that exclude social engineering is far too high. In almost all cases, social engineering will provide a valuable foothold into the organisation.

4. Don’t forget your satellite offices, your third party suppliers with VPN connections, your dial-in service providers (who never, ever, tell you when a password has been updated due to a staff change at their end), or simply walking through reception with a cloned RFID card.

A true security assessment should move you outside of your comfort zone. If you are covering the same old ground as last time – with a few handy exclusions for that W2K box that still runs in the corner of a dusty broom cupboard – you’re wasting your time and valuable budget.