Why Every Site Should Be Penetration Tested

Penetration testing can get a bad rap due to the unprofessional way in which some people approach it (both clients and testers). Done correctly, it can shine the light on security flaws which are only capable of being exploited by the most dedicated hackers with plenty of time on their hands which is many of them.

Done poorly, it is rushed, and only a cursory attempt is really to crack a box. Some companies have no problem with this, as they only conduct pen tests to appease some regulator, rather than truly safeguard their systems, it's as if they really don't want to know if they can be compromised, as then they will have to incur the expense of actually plugging in the holes.

But do you really think hackers work in this lackadaisical fashion, when they know that each compromised network represents real currency, and not just bragging rights? That's a rhetorical question, of course they don't work this way, especially if they are unemployed and living in an Eastern European country will little other opportunity for employment.

Why Penetration Testing?

Pen testing is generally reserved for network and server configurations, and security for these has been dramatically improved thanks to it. This can lead to a certain amount of complacency among administrators who, having applied every single patch known to mankind, feel that their systems are locked up tight.

The point they miss, however, is that attacks are shifting to different vectors, namely web applications and mobile apps. The Bring Your Own Device (BYOD) trend is exploding, and hackers are furiously developing exploits for smartphones and tablets, which are notoriously under-protected and provide a convenient way of accessing corporate systems through these infected clients.

The threat landscape evolves

To catch a crook, you have to think like a crook, and today's crooks are more ambitious due to the extreme amount of money to be made in cybercrime. There are also increasing political motivations to hacking, and it is not too far-fetched to imagine that attacks in the near future will be used to destabilize the entire economy of a target country by shutting down the computer systems of its major corporations or government offices.

Penetration testing should evolve with these threats, and should be performed at regular intervals. They must also be through, incorporating the latest devices and methodologies such as SMS, phishing, data mining on mobile devices, automatic phone calls and texts, mobile pickpocketing, and whatever else hackers can think of. This is why the best pen testers are former black hats they get it.

Mobile device management should be examined by penetration testers. Lack of an MDM program, whether internally developed or provided by a third party, is one glaring hole that needs to be plugged, as many enterprises allow potentially compromised devices to connect to their Wi-Fi networks without much thought.

In conclusion

Skimping on penetration testing to save a few bucks is dangerous folly, and even worse is to hire someone with no real-world hacking experience due to the false sense of security it will instill in administrators. With the large amount of new threats being developed, and the business and legal expenses associated with compromised systems rising, it pays to establish a regular security audit schedule which includes a thorough pen test by a reputable and effective firm.


About the author: John Dayton’s ultimate dream is to travel the world in his homemade sailboat. When he isn’t working on his boat or writing poignant articles, he’s working with top-notch forensic engineering consultants.