Penetration testing has many benefits for a cybersecurity program. This is the reason many standards recommend it and compliance bodies require it. However, that does not mean pen testing is without problems.
Penetration testing can be dangerous if it is not done correctly or not done by a reputable firm, and there are risks to the organization that must be accounted for before testing begins.
What are the benefits of penetration testing?
Penetration testing has many benefits, including finding vulnerabilities and detecting weaknesses in the environment. It can help improve the cyber protections in place and test their resiliency. Pen testing is also required as part of many compliance standards, or by customers who want assurance that their data is safe.
Penetration testing gives you the ability to look into your organization’s security from the perspective of an attacker.
This helps reveal vulnerabilities that are not obvious from the defender's view. It also helps remove defender bias by showing what the environment can actually withstand, rather than what the team assumes it can.
What are the possible negative implications of penetration testing?
Pen testing is a very valuable part of any security program, but there are negative implications that must be considered. Do due diligence on any firm or individual who will get access to your environment, and loop in the legal team to review the contract and confirm you are covered for liability.
Some things to consider are:
- Where is the firm located? Do they understand the laws of your state/country?
- Do the testers receive background checks?
- Where are the testers located? Testers in the same country are easier to hold to their contractual and legal obligations.
- What are the testers’ credentials? Do they understand the technology?
- Is there an NDA in place? Almost all pen tests will require or yield sensitive data.
- Is there a plan of action in an emergency, and who are the points of contact?
- Are you prepared to act on the findings? Knowing about critical vulnerabilities and not fixing them may be considered negligence, so schedule testing when the team has the capacity to remediate, not during busy periods.
- Is the internal team ready to handle anything that may arise? An accidental outage can be harmful if the team is not prepared for it.
- Is the scope adequately considered, and is the testing at the right time? Avoid windows such as database backups and new development releases, and schedule tests of critical infrastructure that cannot go down outside business hours.
Given all of the above, it is essential to consider the negative impacts that may occur when using non-reputable firms or testers, an internal team that is not ready, or a poorly scoped project. Any of these can cause more damage than the test delivers in benefits.
Is penetration testing safe?
Generally, penetration testing is a safe practice when done properly. In the vast majority of engagements no issues arise, provided the scope is set up appropriately and the testers are informed of any concerns. Look for legacy infrastructure or critical IoT devices that may not tolerate modern testing; these should be carved out and receive a separate test.
Pen testing should avoid Denial of Service (DoS) attacks unless they are agreed upon in advance, and we recommend that any DoS testing be an entirely separate test.
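The scope, timing and DoS points above are easy to agree on paper and easy to violate from a scanner's command line. As an added example (not code from the original article or from any testing firm), the following Python gate encodes a constructed set of rules of engagement: authorized networks, an excluded legacy/IoT segment that gets its own test, backup blackout windows that may span midnight, and a DoS-class flag that is off unless authorized. The CIDRs, times and policy values are hypothetical placeholders; the checks run in the order a tester would want them to fail, with exclusions taking precedence over in-scope ranges.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules of engagement for illustration only (not from any real engagement).
IN_SCOPE = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]
# Segment that must not receive automated testing: legacy/IoT hosts get a separate test.
EXCLUDED = [ipaddress.ip_network("10.20.5.0/24")]
# Local clock times when testing must pause (nightly database backups). Windows may wrap midnight.
BLACKOUT_WINDOWS = [(time(1, 0), time(3, 0)), (time(23, 30), time(0, 15))]
# DoS-class checks stay off unless the client has authorized them in advance.
DOS_AUTHORIZED = False


def in_blackout(when: datetime) -> bool:
    """True if the clock time of `when` falls inside any blackout window (end is exclusive)."""
    t = when.time()
    for start, end in BLACKOUT_WINDOWS:
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:  # window wraps past midnight, e.g. 23:30-00:15
            return True
    return False


def check_action(target: str, when_iso: str, dos_class: bool = False,
                 dos_authorized: bool = DOS_AUTHORIZED) -> tuple:
    """Gate one test action against the rules of engagement.

    `when_iso` is the planned local time as an ISO 8601 string, e.g. "2024-01-15T10:00".
    Returns (allowed, reason); every denial names the rule that fired so the tester
    can take it to the engagement's point of contact instead of guessing.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"invalid target address: {target!r}"
    when = datetime.fromisoformat(when_iso)
    # Exclusions win over in-scope ranges: the fragile segment sits inside 10.20.0.0/16.
    if any(addr in net for net in EXCLUDED):
        return False, f"{target} is explicitly excluded (fragile/legacy segment, test separately)"
    if not any(addr in net for net in IN_SCOPE):
        return False, f"{target} is outside the authorized scope"
    if in_blackout(when):
        return False, f"{when:%H:%M} falls inside a blackout window"
    if dos_class and not dos_authorized:
        return False, "DoS-class testing is not authorized for this engagement"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample actions a tester might queue up.
    for target, when_iso, dos in [
        ("10.20.1.5", "2024-01-15T10:00", False),
        ("10.20.5.7", "2024-01-15T10:00", False),
        ("203.0.113.9", "2024-01-15T10:00", False),
        ("10.20.1.5", "2024-01-15T02:00", False),
        ("10.20.1.5", "2024-01-15T10:00", True),
    ]:
        print(target, when_iso, "dos" if dos else "-", check_action(target, when_iso, dos))
```

In practice a wrapper like this sits in front of the scanner invocation so that an out-of-scope host, a backup window or an unauthorized DoS module is refused before any packet is sent, and the refusal reason is logged for the engagement record.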