Answering a CEOs Penetrating Question

It can begin with a friendly lunch conversation with your boss

It can begin with a friendly lunch conversation with your boss. "Hey, did you hear Egghead and Travelocity got hacked?" you begin. "Yeah, with credit card numbers lifted and everything," says the boss. "Dont worry, Boss, our security is solid." "How can you be sure? Have we ever tested it?" Suddenly, youre faced with the delicate task of finding someone to do a coherent penetration test on your enterprise. But where do you begin?

A properly conducted penetration test can yield tremendous benefits. It can reduce the possibility of financial losses and corporate embarrassment by providing tangible evidence of exposures before they are exploited. Such efforts can teach some real-life lessons to in-house IT staff and facilitate continual security improvement while demonstrating due diligence for publicly held or heavily regulated organizations.

But its important to have a sense of the good, the bad and the ugly of penetration testing going in. For one thing, its important that your organization—and your security vendor—approach a penetration test with the correct mind-set. Penetration testing is not intended to be—nor can it be—a full security assessment. Even if you pass unscathed, it is no guarantee of security. And it is not an alternative to other prudent security measures such as conducting continual, companywide assessments and having appropriately trained internal staff.

At the same time, its important to understand that having a penetration test done can never precisely mimic a true hostile attack. Thats because the test will frequently have time limitations that a dedicated and methodical attacker would not face. In addition, there will always be limitations on allowed system targets, with production systems often off-limits—ironically, the very systems that a malicious agent might gun for. Technique limitations will sometimes be invoked—such as no denial-of-service attacks allowed—and the attacks themselves will be more obvious and concentrated, thus not providing a true intrusion-detection testbed.

Penetration tests can be a waste of money and pointless if theyre the only security efforts youre making. They can also bring political trouble to your doorstep—especially if youre responsible for hiring the wrong people to do the testing and the results are turned against your organization.

Next month, well discuss what to look for and expect from a good penetration-testing company.