Holistic penetration testing – when 1 + 1 does not always equal 2

Motivated attackers don’t care about “rules of engagement”, narrow scopes of work, “no bruteforcing allowed”, etc. Attackers will follow any available path to accomplish their goal, whatever that is. It is not unrealistic to think that a highly motivated attacker would go to great lengths to perform an attack, for example compromising a slightly weaker “Application A” to gain access to the DMZ and in turn compromise the real objective, “Application B”. Or attacking the corporate wireless network in order to gain access to the internal network…

Although this may seem an obvious statement, many cutting-edge companies forget who they are protecting against and what the real objective of their testing programmes should be.

Nowadays the most common penetration testing requirement is application- or system-focused, with a defined scope to which penetration testing consultancies need to adhere. This is a natural approach, as dynamic companies very often develop new applications and systems which require security testing before being deployed to production. However, we see a trend among our customers where they complement their normal testing strategy with an annual holistic penetration test.

A holistic approach would include penetration testing of the infrastructure, physical penetration testing of premises, wireless testing, social engineering attacks and any other angle which is deemed relevant for the specific customer.

Results, of course, differ, but they are always very interesting. The most recurrent discovery is the realisation of the lack of security awareness among staff, who will hand over confidential information such as their username and password when presented with a credible and well-delivered phishing attack.

The fact that people are the weakest link is very often proven right, and it inevitably prompts the question of whether the investment in defensive security should be split differently, with more resources invested in security awareness programmes.
