Let’s be honest, no business actually wants the hassle and cost of regularly testing that their network security controls are up to the task of protecting their corporate assets. Without the threat of serious financial penalties hanging over them penetration tests would probably be way down the list of priorities for most organisations. So, it is understandable that when it comes around to that time of year again there can be a temptation to look for a quick fix to get the tick in the box that says they are OK for another 12 months. Or possibly even worse, simply believe that because your network is in the Cloud or looked after by an MSP they don’t need to worry.
The problem with that approach is that this can easily turn out to be a false economy. In the world of network security, there is no such thing as a quick fix when it comes to assessing all aspects of a multi-faceted network infrastructure, particularly when clients often don’t know what is on their network to start with. If you also factor-in other common discrepancies such as the lack of a regulated BYOD policy and outdated software that we frequently come across, the scale of the task for the pen-tester can expand exponentially, along with the cost of the project.
Unfortunately, in that type of environment it is easy for the less scrutable tester to find one or two exploitable vulnerabilities to put into their report, which may go some way towards convincing the client that they have done their job but ultimately has minimal value for the long-term security of the network.Yes, the company may be lucky and avoid any serious breach but is that worth the risk of a major fine or operational disruption to the business, that could be even more costly in terms of the lost production, if a black hat decides to exploit the missed vulnerabilities?
In the end, a penetration test doesn’t need to be a major exercise involving additional costly man-days of specialist consultancy. Providing that the client has done the basics right in the first place starting with knowing exactly what is on their network by maintaining an up to date asset register. There are plenty of tools out there that can do the heavy lifting on this. It also means regularly scanning for known vulnerabilities between the full-blown pen-tests, this can also be fully automated or remotely managed if in-house resources are stretched. Vulnerability scans are a good way of identifying and remediating potential weak spots as part of a routine, triaged maintenance programme and should really be part of any security best practice policy.
If clients implement these basic procedures of scoping, scanning and remediating vulnerabilities it means that they need not look to cut corners when it comes to the pen-test proper and be confident that their networks are operating in alignment with the highest security standards without incurring excessive consultancy costs – a win-win situation.