By: Jennia Hizver, Consulting Practice Security Researcher and Consultant, AT&T
INTRO: Penetration tests are valuable for several reasons:
- Determining feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities resultinfg from combo of lower-risk vulnerabilities exploited in particular sequence
- Identifying vulnerabilities difficult or impossible to detect with automated network or application vul scanning software
- Assessing magnitude of business and operational impacts of successful attacks
- Testing ability of network defenders to successfully detect and respond to attacks
- Providing evidence to support increased investments in security
Over the years of my career as a penetration tester,
I have encountered many myths and misconceptions regarding penetration testing, some of which I’d like to share with you:
Myth #1: Vulnerability scanning can identify all vulnerabilities in an organization’s environment, and hence, penetration tests are unnecessary.
Myth #2: Professional penetration testers use expensive commercial tools.
Myth #3: One system compromise has no effect on other systems.
Myth #4: Penetration testing focuses on production networks containing sensitive data.
Myth #5: Penetration testers use the same approach and are likely to uncover the same issues.
- Penetration testing helps companies identify weaknesses in their IT environment.
- In spite of many myths, penetration testing provides valuable insight.