Like a medical examination, the result of IT Penetration Testing that assesses your organisation’s IT security is, strictly speaking, only valid at the moment it is performed.
However thorough such ‘pen tests’ are, the environment in which they are performed changes constantly. IT hardware and software vendors release new versions and patches of firmware, operating systems and applications.
Attackers invent new attack vectors, and new vulnerabilities in existing software are disclosed every week. Employees come and go, and the business partners and suppliers with whom you collaborate and share information change too.
If the business and IT environment fluctuates so much, why then is it still important to do penetration testing?
There are at least two reasons why good pen testing, despite its point-in-time nature, should still be conducted.
- It can expose important security weaknesses that escaped not only the observation, but also the thinking, of the in-house IT or security staff: the chained misconfigurations and logic flaws that nobody had considered as an attack path.
- It reinforces a ‘security state of mind’, even if the results themselves are of time-limited relevance. To paraphrase Eisenhower’s maxim about planning, “the test (isolated event) is nothing, but the testing (ongoing awareness and thought process) is everything”.
For these benefits to hold, there are also a number of prerequisites for the penetration testing. In the first place, it should be separate from, and add value to, the routine vulnerability scanning that can be done in-house.
Vulnerability scanning is lower-level, automatable testing that can be run on a routine basis to flag missing patches, outdated software versions, known weak configurations and similar issues. It reports what is present; it does not show what an attacker can actually do with it. A pen test starts where the scanner stops, by attempting to exploit and chain those findings into a real compromise.
Secondly, it should be done without ‘blind spots’. This often means pen tests should be executed by external consultants, or at least by testers independent of the team that built and operates the systems, who make no unwarranted assumptions about the state of an organisation’s security.
Thirdly, the results of IT Penetration Testing must be acted on by the organisation, with findings tracked through to verified remediation. It’s no good knowing about a hole and yet leaving it open. Finally, a pen test should be done on a regular basis, and repeated after significant changes to the environment, since, as noted above, those changes are exactly what invalidates the previous result.
All in all, it’s just like those medical examinations, and for the health of your enterprise, perhaps just as important too.