iv. Why most penetration tests fail


Penetration testing and other types of IT security assessments are a growing industry. In a world made increasingly unsafe by identity theft, online rip-offs and other cybercrimes, IT security pros are under pressure to fortify systems and networks and protect information assets.

A growing number of regulations require public- and private-sector CIOs to harden their systems and networks against external and internal threats.

There are different scopes of penetration testing, of course. To illustrate, one may test to:

    – see what can be compromised in the DMZ (demilitarized zone),
    – see if a network breach is possible (working inward to the intranet),
    – see if we can not only penetrate the network but also, most importantly, compromise the database server.

The above might be a good way to find out where our weaknesses lie when it comes to not having patched and distributed updates to software and firmware. But it fails to tell us anything about:

    – zero-day exploits (because the test signatures a tool needs to check for a new exploit are released only after a time delay, of course),
    – how authorized software and applications are being used on the network,
    – what unauthorized applications, devices, etc. may do on our network,

because penetration testing is a cross-sectional assessment of our defenses (one picture in one time slot).

Unfortunately, there are many problems with penetration testing, and sometimes the saying ‘You get what you paid for’ does not even hold.

The paper below (English or German version) outlines these pitfalls and provides a way to get what you pay for.

You may prefer to read this material online in English or in German.

Article source: CyTRAP Labs and ComMetrics: Why penetration testing fails