Though I believe penetration assessments are important for evaluating an organization's overall security posture, I think they are 1) being performed poorly and 2) having their results disseminated in the wrong way. The goal of any security assessment is to help an organization become MORE secure than it was before the assessment was performed, thus reducing its overall risk. Many penetration assessments are performed by identifying vulnerabilities and breaking into as many systems as possible by exploiting them. A report is then issued containing the list of these vulnerabilities, a perceived risk rating for each, and finally recommendations on how to remediate them. What many pentesters lose sight of is the objective for performing the penetration assessment in the first place: to help the client become MORE secure. This type of penetration assessment provides absolutely no value to the client and certainly does not make them any more secure.
Many pentesters who see an unencrypted service enabled on a firewall protecting an organization's PCI zone do not wonder "why" this service is allowed, but rather how they can use it to break into the system. The recommendation for such a vulnerability would be to use a more secure service; however, what is lost is "why" the vulnerability occurred in the first place and what the impact to the business would be if it were exploited, especially given the environment in which it was discovered. A penetration assessment needs to be just as much interview based (if not more) as it is technical. Without understanding the underlying reasons why such vulnerabilities occurred, it is impossible to provide the client with any recommendations other than tactical ones. The client will then remediate the vulnerability tactically, perhaps by applying a specific patch to a system or shutting down a specific service, and a year later vulnerabilities of a similar nature will resurface. Why? Because the underlying reasons why such vulnerabilities occurred in the first place remain unknown. Is it a patch management problem? Is it a change management problem? Are there no policies and procedures or minimum security baselines preventing such vulnerabilities? Is it a management problem? Is it a line-of-business problem? Is it a combination of the above? The list goes on and on, but without trying to understand the "why" it is impossible to truly help the client. It is no longer acceptable to report that an organization's entire Windows domain was compromised without at least attempting to understand "why" it was possible and how to protect against future occurrences.
Today's market has become diluted with companies and individuals claiming they can perform penetration assessments (if you don't believe me, attend Defcon one year). Organizations need a better understanding of how these hired service providers are actually performing these assessments. If a company performs security assessments with little or no interaction with its client, be very skeptical of using that company. As the old cliché goes, you get what you pay for. The bottom line is that penetration testing is no longer for the geeky technical guy who only cares about breaking into systems, or for someone who merely knows how to run a vulnerability scanner. It is for professionals who truly understand security and are interested in really helping an organization reduce its overall risk.