Sunday, July 29, 2007

The importance of penetration testing

Interesting article on penetration testing at Server Watch Okay, so its got a sensational headline but it is a good article raising the importance of pen testing.

Forget "Thursday is the new Friday" and "brown is the new black." When it comes to servers, the really important message is this: "Penetration testing is the new vulnerability scanning."

Joe Pescatore, a security analyst at Gartner, explained. "Previously, companies needed to do vulnerability scanning on their network before attackers did, but since attackers have moved from vulnerability scanning to fairly targeted penetration testing, companies now need to carry out penetration testing before the attackers do," he told ServerWatch.

Pescatore recommends that any company involved with online transactions, which allows inbound connections and potentially exposing customer information, have an outside consultancy perform penetration testing at least once a year. Larger companies should carry out additional tests on their servers more frequently, either through a consultant or with automated penetration testing tools.

Penetration testing tools have really come of age in the past 12 months or so, both commercial products aimed at the corporate market place, and free tools like Metasploit framework 3. It's probably not an exaggeration to say that the power of Metasploit has really moved the goalposts, making it far easier for hackers to carry out their own penetration "tests."

Having said that, there's no doubt that the best way to pen test your network is to employ a good outside consultant. A skilled human is more likely to find a way in than even the best software tool will; an outsider is likely to be more effective because familiarity with your own network can leave you blinkered to possible vulnerabilities. "There is an issue that when internal people test things, because they fall in to a pattern of testing and tend not find paths through less-valuable assets," said Pescatore.