The traditional penetration testing model is no longer effective, as it is not balanced in terms of cost-benefit and does not ensure that flaws are actually fixed.
Speaking at the Enterprise Security and Risk Management conference in London, Rui Shantilal, founder and managing partner of Keep-It-Secure-24, said that penetration testing has changed in the last ten years to match the actions of the attacker, but asked if enough was being delivered.
He said that “frameworks, tools, techniques and methodologies” have changed, but so have the methods of attackers. In the 1990s, to test security you hired a company that ran the test and gave you a report. “Nowadays it is pretty much the same; the internet and tools have evolved but the process is the same,” he said.
“Current momentum is challenging for the penetration testing model, as in the 1990s the number of vulnerabilities was so low that it was irrelevant and not important to test every day. When we used to do traditional penetration testing, the hardest piece to know was when to start.”
He said that there are different types of attackers: the script kiddies who do not spend a lot of time on an attack; those who do spend time; and those behind targeted attacks. The first two, Shantilal said, are covered by standard penetration testing, and eventually we may be able to do the testing in the same time frame as the attacker.
“What about APT though? The attacker can do reverse engineering of traffic and decrypt cookies and understand what is inside the organisation, and that is not possible in five, ten or 15 mandates, so if you are worried about APT do AP testing,” he said.
He also asked whether, once a problem is detected, the customer is actually sure it has been mitigated. He said customers should expect more than a “nice report”: they should get a presentation from the lead penetration tester on everything that was found.
“These are the reasons why the traditional penetration testing model is not effective any more, as the model is not balanced in terms of cost benefit. You don't get what you pay for,” he said. “It should look like: testing, reporting, managing and validating, where you can manage your priorities and can simulate a flaw so you can check the resiliency of your controls.”
Shantilal also asked how many businesses would take that report and send it unencrypted within the company. He asked whether a business knew how to extract metrics from the process: which kinds of vulnerabilities were most typical, and who needs to be trained to mitigate those issues.
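The “managing and validating” step Shantilal describes, and the metrics he asks about, amount to tracking each finding past the report until a retest confirms the fix. The following is an added illustration, not code from the talk or from Keep-It-Secure-24: it takes a constructed set of findings (the vulnerability categories, team names, dates and IDs are all invented for the example) and derives the figures a customer would want, treating a claimed fix as closed only once validated.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    """One penetration-test finding tracked through fix and retest (constructed schema)."""
    finding_id: str
    category: str             # vulnerability class, e.g. "SQL injection" (assumed taxonomy)
    severity: str             # critical / high / medium / low
    owner_team: str           # team responsible for the fix (hypothetical team names)
    found: date               # date the tester reported it
    fixed: Optional[date] = None      # date the owner claimed the fix was deployed
    validated: Optional[bool] = None  # retest result: True = confirmed, False = still exploitable, None = not retested


# Constructed sample data; not taken from any real engagement.
FINDINGS = [
    Finding("F-001", "SQL injection", "critical", "payments", date(2014, 1, 10), date(2014, 1, 20), True),
    Finding("F-002", "Cross-site scripting", "high", "web", date(2014, 1, 10), date(2014, 2, 5), False),
    Finding("F-003", "Cross-site scripting", "medium", "web", date(2014, 1, 10), date(2014, 1, 30), True),
    Finding("F-004", "Missing patch", "high", "infrastructure", date(2014, 1, 11), None, None),
    Finding("F-005", "Weak session cookie", "high", "web", date(2014, 1, 11), date(2014, 1, 25), None),
    Finding("F-006", "SQL injection", "high", "web", date(2014, 1, 12), date(2014, 1, 22), True),
]


def status(f: Finding) -> str:
    """A finding counts as closed only once a retest confirms the fix."""
    if f.fixed is None:
        return "open"
    if f.validated is None:
        return "awaiting retest"
    return "closed" if f.validated else "fix failed retest"


def status_counts(findings) -> dict:
    """How many findings sit in each lifecycle state."""
    return dict(Counter(status(f) for f in findings))


def category_counts(findings) -> list:
    """Which vulnerability classes recur most (ties keep first-seen order)."""
    return Counter(f.category for f in findings).most_common()


def mean_days_to_fix(findings) -> dict:
    """Mean days from report to a validated fix, per category.
    Claimed-but-unverified fixes are deliberately excluded."""
    days = defaultdict(list)
    for f in findings:
        if status(f) == "closed":
            days[f.category].append((f.fixed - f.found).days)
    return {cat: sum(d) / len(d) for cat, d in days.items()}


def team_hotspots(findings) -> list:
    """(team, category, count), most frequent first: who needs training on what."""
    c = Counter((f.owner_team, f.category) for f in findings)
    return [(team, cat, n) for (team, cat), n in c.most_common()]


def unverified_fixes(findings) -> list:
    """IDs the owner reports as fixed but no retest has confirmed."""
    return [f.finding_id for f in findings if f.fixed is not None and f.validated is not True]


if __name__ == "__main__":
    print("status:", status_counts(FINDINGS))
    print("most common categories:", category_counts(FINDINGS))
    print("mean days to validated fix:", mean_days_to_fix(FINDINGS))
    print("team hotspots:", team_hotspots(FINDINGS))
    print("fixes not yet confirmed by retest:", unverified_fixes(FINDINGS))
```

The point of `unverified_fixes` and the `status` rule is the one the talk makes: a finding marked fixed by its owner is still a risk until the tester has retested it, and the remediation-time metric is only honest if it counts validated fixes.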
He said: “Penetration testing is a project, not a process, but security is a process, not a one-off approach.”