IT Security: A Slice of Reality

IT Security is a serious business. A Penetration Test can cut through the illusion to tell you something real and true about your efforts, says Clem Colman.



There was a time when I did not recommend Penetration Testing for customers. It wasn’t because I didn’t think a Penetration Test would work. Rather, knowing the security profile of the average system back then, it seemed a bit like hiring someone to shoot fish in a barrel.

My concern was that the test team would choose one angle of attack out of the dozens that were available, focus on it, and prove they could compromise the environment. Following their report, this one angle of attack would become the focus of intense corrective action while all the other problems were overlooked. After all, the Penetration Test “proved” the weakness in a particular part of the system.

It’s also true to say that IT Security was immature as a discipline. Back then, in the late 1990s, the IT Security team were “responsible” for IT Security – it felt a bit like we were one of the fish. Today, IT Security is typically responsible for ensuring the information security management process is followed, but not for deciding what risks the business accepts.

So I threw my efforts behind the controls-framework-based approach that was emerging as one of the key pillars of IT Security management. That yielded some good results, particularly as coverage became more widespread. There were also good results as the risk management principle was adopted in IT Security management.

However, as the process was refined, the objectives shifted from having better IT Security to complying with control frameworks, before finally settling (in some cases) on getting a compliance “tick”. My colleague Bernie Ryan has written about that problem. For myself, I found I was telling the story of the Emperor’s New Clothes much more often.

I’ve changed my mind: these days I see Penetration Tests as valuable, particularly in these two situations:

Where a business believes it has a mature IT Security program based on compliance reports, a Penetration Test can be a vital instrument in determining whether IT security efforts are addressing what really matters – i.e. the ability to protect against, detect and repel cyber intrusions. This is doubly so when I think about how much more risk businesses take these days in the hyper-connected world.

Penetration Tests also have a place in shaking out IT Security complacency. Serious cyber-security incidents are low frequency, high impact events. Management teams can take the absence of serious incidents as confirmation of adequacy, but unless they are paying proper attention to the issue, it’s just as likely to be dumb luck as good management. A Penetration Test normally reveals where the truth lies.

In Shakespeare’s Hamlet, Laertes is just about to take a boat to Paris, away from his father’s influence. His father, Polonius, seeing this as his last opportunity to instruct his son, closes with a few words that begin with this famous, oft-quoted line: “This above all: To thine own self be true”. In modern times this is sometimes taken to be a whimsical direction to follow your heart, to do what you want to do. While there is some argument about what Shakespeare meant, most scholars are sure it wasn’t that.

Many think Polonius was telling his son to make good choices, choices that encourage and enlarge his character and enhance his reputation. In this way he would be “true” to himself. I see it more literally: I think Polonius was reminding his son of the importance of trying to be honest with himself, “And it must follow, as the night the day, Thou canst not then be false to any man.”

IT Security is a serious business. When it’s done badly, reputation and value can be destroyed in a matter of minutes or hours, and in extreme cases lives can even be put in jeopardy. Penetration Tests can be a crude and narrow tool, but, done well, they cut through the illusion of security to tell you something real and true about your efforts. If you are serious about cyber-security, that is something you need to embrace.

About the Author

Clem Colman is an experienced business leader and IT Security specialist.

He is a Principal Consultant at UXC Saltbush.