Do You Need A Penetration Test?
By Matthew Brooker – Senior Technical Consultant
Before answering the question above, it’s probably best to clarify the definition of a penetration test, or pen test, as it’s more commonly known. Although the term is used frequently in both the cyber security and IT sectors, it is also often bandied around without many knowing its true purpose, context or aim, resulting in some confusion and questions such as “do I need a pen test?” arising.
In terms of a definition, the NCSC defines a penetration test as “a method for gaining assurance in the security of an IT system, by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might”[i]. Typically, a pen test is used to identify the level of technical risk posed by software and hardware vulnerabilities. Identifying these vulnerabilities before a threat actor takes advantage of them, and receiving a report detailing remediation recommendations, means your organisation can stay one step ahead of cyber criminals.
With the above in mind, you may be thinking a pen test is the best bet for keeping your organisation safe, but its usefulness depends on your business requirements. CYSIAM has occasionally come across organisations who declare with certainty that they “must get a pen test asap”, where this opinion has been formed on the basis of bad advice or a misunderstanding of a pen test’s purpose.
With the aim of helping you determine whether there is a business need for a pen test, you’ll first need to ask yourself a few questions:
1. Do you understand your attack surface?
Without knowing the organisation’s attack surface (whether internal or external), it is impossible to know what controls you have in place to protect it. Analysing your attack surface will enable you to:
- identify what functions and what parts of the system you need to review/test for security vulnerabilities.
- identify high risk assets and information.
- identify where the systems are located, who controls them, who has access to them and why.
2. Have there been any major changes that might affect security?
If any major changes have been implemented recently, it is good practice to conduct some form of assurance activity, both to ensure the change is working as expected and to confirm that it hasn’t created any new risk to the organisation.
3. Is it required as part of recovery from a security incident?
Post incident, it is wise to conduct an assessment once all remediation efforts have been completed. This enables the organisation to confirm that the remediation steps have worked as planned and, moreover, to understand whether there are any other immediate threats to its landscape.
4. Is there a specific reason for wanting a penetration test?
It may be required as part of a contractual agreement, or to demonstrate compliance with an industry standard (PCI DSS, CBEST, etc.).
If your answers to questions 1 through 4 are ‘no’, then it’s likely that you do not need a pen test, at least not right now. It’s much more likely that you first need to conduct a baseline assessment of your people, processes and technology[ii]. A pen test conducted without a good understanding of your networks is likely to be ineffective, producing a report that has an adverse rather than a positive effect on the organisation.
That doesn’t mean that you should rule out testing altogether. You could consider a network vulnerability scan, a vulnerability assessment or a phishing assessment; these are essential tools for understanding which systems need patching, updating or reconfiguring to make them more secure.
In summary, the throw-away comment from an organisation of “oh, I need a pen test” may occasionally be spot on, but there are questions that need to be answered before reaching that decision. An organisation can save time and money by waiting for the right time to conduct a pen test and instead investing resources in smaller steps.