News

Penetration Tests Day One: What goes on in a penetration test?

Patrick Gray

The CIO of the 90s could be forgiven for dismissing the penetration testing industry as a way for reformed hackers to shake-down legitimate enterprise.

Times have changed.

Penetration testing and detailed security audits are now a staple for all but the least responsible enterprises. Many organisations in health, finance and critical infrastructure are even compelled to have their networks tested to comply with government regulations.

TechTarget approached three gun penetration testers: Amit Deskmukh of Security-Assessment.com, Adam Pointon of Assurance.com.au and US-based Brian "Jericho" Martin, a penetration tester with INS Ethical Hacking, founder of Attrition.org and the Open Source Vulnerability Database project's Content Manager. We asked them how penetration testing has changed and what the latest tools, tricks and techniques are being used in the industry.

The following is a Q&A with our three pen testers. Their answers have been edited for space and clarity, but as you'll see, they don't agree on everything.

TT: Are organisations still getting pen tests, and how often?

Amit: We have seen a significant increase in pen testing of recent times. Awareness is growing that these types of tests are important. The Payment Card Industry (PCI) Data Security Standard mandates them so more and more demand will be there. How often? Detailed pen tests should be done at a minimum of once a year and whenever changes are made to the customer's Web or Internet environment. The more critical the systems, the more it should be done. We recommend vulnerability assessments at a minimum monthly but more frequently for critical systems. If you can run them daily on those systems, go for it!

Brian: Yes, enough so that our Ethical Hacking team is consistently booked solid and our consultants have very little down time.

Adam: We see more and more organisations requesting penetration testing services. Most are required to conduct annual, or sometimes bi-annual assessments, as part of independent audit efforts for regulatory compliance. We see more and more getting on-going, high-level automated vulnerability, while still getting deeper penetration tests annually.

Organisations are increasingly understanding the need for penetration testing during the software development life-cycle. Too often systems go live, or have a strict "go live" time-line set, before thorough testing is performed, meaning the systems could be compromised and hardened by attackers even before testing by a third-party team is performed.

In the interests of disclosure it should be mentioned that in the past journalist Patrick Gray has undertaken small amounts of irregular consulting work for Assurance.com.au, most recently in April, 2006.