Automated testing has its place in detecting IT security weaknesses, but it cannot replace manual testing.
The most effective means to protect data is a combination of manual testing and automated scans.
The rising use of ethical hackers and penetration testers by high-profile companies such as Facebook and Microsoft underscores the importance of manual testing to accurately diagnose vulnerabilities.
“Without human interaction, false positives and missing information are more likely,” says Brian Brock, chief security officer and ethical hacker at Nivsys Inc., a London, Ontario-based provider of master managed security services.
Brock adds: “Human interaction brings some intelligence to the process, including the ability to follow a ‘gut-feel’ when something is noticed. A good manual tester should always bring a better understanding of the problems, and when the tester employs automated testing suites, they tend to get the best results.”
Jerry Irvine, a member of the National Cyber Security Task Force and chief information officer at Prescient Solutions, a Chicago-based IT outsourcer for SMBs and global and government entities, says that this dual approach provides a more comprehensive look at an organization’s IT security.
“Through manual and automated tests, a complete test scope can be defined and performed,” Irvine says. “Additionally, automated tests can be scheduled and run periodically involving fewer resources.”
Project scope and the blame game
The penetration testing process is similar among organizations, but costs vary according to company and network size — ranging from $1,500 to $10,000 per day for larger companies.
“Large enterprises generally have a greater number of assets to be tested,” says Stephen Jensen, principal security consultant at Veracode Inc., a Burlington, Mass.-based global provider of security products to the retail trade.
Firms reluctant to invest in such testing should compare this expense to the potential cost of a successful breach, say experts. A study by the Ponemon Institute, a Traverse City, Mich.-based research group, found that the lowest average cost per breach worldwide is in India, at $1.1 million, and that the highest is in the United States, at $5.4 million.
IT professionals are often surprised at IT security test results. “I can’t count the number of times when an IT person has told me that I’m wasting my time, there are no vulnerabilities in my network, and then I come up with many ways to penetrate, giving user ID and password lists back to them,” says Brock.
Clients are often surprised when seemingly unimportant areas are used to penetrate critical systems.
“Amazingly, even a decades-old vulnerability like SQL injection still surprises most clients,” adds Jensen. “I think most of the surprises come from the exploitation of seemingly innocuous functionality that results in a devastating vulnerability.”
Operating system and application patch management is essential.
“The most common vulnerabilities defined within systems are results of unpatched applications and operating systems,” says Irvine of Prescient Solutions. “Clients fail to implement automated patch management processes, which eventually result in systems falling out of compliance and experiencing significant vulnerabilities.”
However, other departments can use the information gained from test results to assign blame to IT professionals. Management needs to understand the true aim of penetration testing and not use vulnerability lists as a tool to blame IT for security holes, says Nivsys’ Brock.
“The actual goal of penetration testing is to help the company become more secure, not to start an internal war,” he adds.
Practicality for SMBs, outside vendors
Smaller companies can reduce penetration testing costs by performing vulnerability scans and remediating as many vulnerabilities as possible before retaining a third-party penetration tester.
“The best thing that I can suggest to limit the costs would be to have a vulnerability scan done, and repair anything that you can before the actual pen test is completed,” says Brock. “The fewer vulnerabilities that are available, the less time the testing takes, and for the following reasons: When you find a way to breach, we need to spend time documenting the breach, how we got in, what we found, information collected, information available, et cetera.”
Should a company engage an outside firm to conduct its tests? Some firms may worry about outsiders accessing sensitive data, but professional consultants can alleviate these concerns by providing nondisclosure agreements (NDAs) and outlining the project in detail.
“Systems and data access must be protected from illegal or unauthorized access,” says Prescient Solutions’ Irvine. “Organizations performing security assessments must be limited and controlled via specific, written scope of work, systems and tools being used, procedures of engagement, as well as contractual non-disclosures and service level agreements.”
Veracode’s Jensen agrees. “Since I’m an employee, my employer handles NDAs. I am bound by a certain code of ethics in the job I do. I do not publicly divulge vulnerabilities I’ve identified during client tests, nor do I publicly divulge any sensitive information associated with a client.”