What is “The Pain Pill” ? Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better.
Do you like the plain or the Red logo format? Email me back!
Free class is Thursday 7:30 – 8:30 Central Time.
Recently I have been asked to do more and more penetration tests. A penetration test is a fancy way of saying: hire someone to attack your systems, hopefully before the attacker, hopefully in all the old ways and some new ways, so that you can improve your defenses.
What a pen test does and doesn’t do:
- It doesn’t prove you are secure.
- It doesn’t tell you what controls to install.
- It doesn’t reveal to what degree you are insecure.
- It does prove you are insecure, if a true breach is committed.
- It does tell specifically where your controls failed.
As a tester – I will not tell you that your network is secure. Why? Because the customer sets the scope. If the customer ties my hands behind my back in a test by taking away a vector of attack, then there is no way I can guess the “what if…” A customer is definitely going to tell me I cannot do a denial of service. So right there, I cannot do what attackers do… or could I? (Come to class I will explain how.)
You pay for X number of days, you get those days. If we can take down a few roadblocks to testing, I can spend more time testing and less time fighting with your business process, your controls, and your people (again, more in class). You will get a more detailed test.
An attacker can attack anywhere, at any time, and in very new ways. Testers must at least keep up; very good testers get out ahead of the attackers. This is not a skill that many have. Thinking of the next way to attack requires practice. Thinking of a new way to attack that will not take down the service, but will still prove the attack is possible, requires more skill.
What can we do to make it better for us, for you?
Most important quality in a tester: Testers must be very trusted advisors. Trust above all else.
Most important quality in a testee: Don’t be embarrassed or defensive when the tester cuts through your defenses like a hot knife through butter. We concentrate so hard on what is in front of us, we forget to turn around and look. A tester’s job is to turn around and look in a new way, not spare our feelings.
Policy: (this is different from what we normally discuss)
- Policy is general and exceptions are supposed to be rare.
- Write an exceptions process for pen testing: a separate policy that supersedes other exceptions.
- Write emergency change control for critical flaws found in testing.
- Testers need the highest level of approval; seek approval before the engagement begins.
- Tie internal project management goals for fixes to the end of the report.
Don’t know how to do these activities? Come to our free class! Thursday 7:30 – 8:30 PM Central.