
Friday 21 September 2012

serious hackers and Security

Today's Post (for serious hackers and Security): Penetration Testing; Pros and Cons


Penetration testing, or pen testing, requires "out of the box" thinking and a dogged persistence towards solving problems. As corporate IT admins usually do not exhibit the "black hat mentality with white hat ethics" required by a good pen tester, they can often fall short in securing their systems and tend to rest on their laurels a bit, instead of staying ahead of the curve when it comes to security matters. Pen testing is therefore a way for businesses to expose security vulnerabilities in a proactive manner, rather than reacting to intrusions and patching holes after the fact.

Penetration Testing; Pros and Cons

Here are some of the pros and cons of penetration testing.

Pros:
Can shed light on security exploits you never knew existed or were even possible: SMS attacks on mobile devices, for example. Once a mobile device is compromised, that device can spread malware if it connects to an enterprise Wi-Fi network. Who knew a smartphone could be so dangerous?

Will increase your peace of mind and that of stakeholders. By letting others know that your security is regularly tested, and by releasing results and any progress in plugging holes, you position yourself as serious about protecting sensitive customer and business information.

May prove useful in defending against a lawsuit or government inquiry should an intrusion occur, by demonstrating that you did everything in good faith to defend against attacks. If your firm is ever subpoenaed or accused of negligence, having records of your security testing will prove invaluable.

Will save money, compared with the loss of revenue and possible lawsuits in the case of a security breach.

Cons:
Largely dependent on the expertise and diligence of the pen tester. If they are so-so hackers, they will deliver a so-so penetration test, and you will not be getting your money's worth.

Anyone can call themselves a pen tester, so you must check credentials. The industry is not regulated (do we really need more regulations, anyway?), so it is up to each business to determine whether a pen tester's skills will be up to snuff.

Results reporting might be lacking or indecipherable. Hackers are not necessarily excellent communicators, so their final report might be overly technical. The best reports translate technical terms into lay English and also prescribe solutions for fixing any problems found.

If the pen tester is dishonest, the penetration test they conduct can allow them to steal sensitive data, or even to leave a backdoor so they can come back later to do damage or sell access to the highest bidder.

So how do you find a competent pen tester? The most secure way is probably to contract with a firm that specializes in this branch of computing and that has both a long track record in the business and testimonials from satisfied clients. Advertising for penetration testers on Craigslist or hacker bulletin boards is probably not a smart approach, as you might be opening up your firm to unscrupulous people.
