Pen test optimisation
There is much that can be done to optimise the impact of a penetration test, from setting the best possible scope through to understanding and effectively acting upon test results to improve the security of the network. Below are two common scenarios that reflect our abilities to support organisations throughout the penetration testing lifecycle.
‘Will this penetration test prove that we are secure?’ Not an unreasonable or uncommon question, but not an easy one to answer. The question should instead be: ‘Does this test scope examine the potential threats to this system, such that the findings of a security test reflect the true security of this system?’. In the run-up to a security test, we can help clients understand the potential threats to their system and extrapolate these into an assurance programme applicable to the system under review. An assurance programme does not necessarily mean ‘security test everything’; through in-house audits, checks and reviews, clients can ensure that they are mitigating a wide range of threats before contemplating the need for security testing.
All too often, clients say ‘we expect most of last year’s issues to be in this year’s report; we’ve not had a chance to fix them’. Given the opportunity to explore this, the common explanation is: ‘too much to do, too little time’.
Questioning the value of conducting further testing in such circumstances, our consultants can help organisations with some quick wins: identifying a handful of servers to focus on, simple changes that can be made via group policy and other steps that provide maximum return on investment. It is also an opportunity to review practice and process in order to reduce the issue count in the first place. The investment of a few days reaps significant reward and ensures that any subsequent test delivers good value.
Benefits of pen test optimisation?
- Ensures that networks and applications are as secure as possible from the ever-increasing number of unauthorised internal and external threats.