Why do we Pen Test? - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: Why do we Pen Test?

  1. #11
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Why do you pen test? - Once again, for me it is regulatory compliance (SOX, PCI, etc.) plus my boss is very security oriented (CISSM) and wants to make sure our holes are plugged before someone else finds it.

    Why don't you pen test? - n/a

    What is the value? - finding and patching a hole before it can be exploited. We are a multi billion dollar company and all of our business is done over the internet. If I can find and patch a hole that would have cost the company a few million dollars then I have done my job. If I don't find that hole, or we never even looked for it, then the company is hurt financially and their reputation is tarnished.

    Who (what functions) should be doing the testing? - that is really going to depend on the type of business. We do both internal and external testing. The security department is not related to the rest of MIS/IT even though we work closely with them. We also contract out to a couple of different companies that do everything from full "black box" testing, to informed application testing.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #12
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Why do you pen test?

    To maintain our compliance with BSI7799/ISO27000
    We're not certified but we make best endevours to be compliant.


    Why don't you pen test?
    ^

    What is the value?

    It's best practice and we use the results of a pen test to push for better practice in some areas where the guys can be sloppy if they're not checked.
    It's also used to contruct action plans to reduce the organisations overall risk.


    Who (what functions) should be doing the testing?

    Annual pen test is carried out by a trusted 3rd party. The 3rd party should be rotated every couple of years.
    Internally we plan to carry out a vulnerability test on new servers before they go live in the DMZ. This isn't to the same standard as a professional pen test. It would be carried out by me. I don't work for IT and have sufficient independence to do it (but not the training yet).

  3. #13
    Junior Member
    Join Date
    Apr 2006
    Posts
    14
    Originally posted here by thehorse13
    1) Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.

    --TH13

    Well said. And that is why.

  4. #14
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Just thought to include this quick for some more information. CSO magazine this month has an interesting article on penetration testing:

    Security-Penetration Testing

    Penetration tests are falling in popularity. Here are the keys to making them valuable again.
    http://www.csoonline.com/read/070106...n-testing.html

    Some more quotes - ok the beginning and ending paragraphs:

    Steve Katz sat at his desk, reading an e-mail that he had hoped never to see. An outsider had access to the systems at his company. Katz, who was CISO at a large
    financial firm, would have to tell his boss. And that could be the start of something ugly.

    The silver lining for Katz was this: The outsider was an ethical hacker Katz had hired to see if the company’s systems could be penetrated. While it wouldn’t be fun to deliver the news—“the guy had become a user of the system. He could’ve probably gotten access to critical applications,” Katz says—at least it was just a penetration test.

    ...
    ..
    .

    So while some CSOs may be grumbling about pen tests, it’s clear that others want them. As a consultant, Pfeil says pen testing occupies most of his time. “Pen tests were a valuable tool in my life as a CSO, and they still are,” he says. CISOs just need to apply these lessons to make sure they’re getting the value they should.
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •