In the world of penetration testing, there are a lot of myths and misnomers surrounding the types of penetration tests, how penetration tests are conducted, etc. Today, we look to debunk 5 common myths of penetration tests and help you maximize the value from your next penetration test.
Common Myths of Penetration Tests
- “We guarantee after our service, you cannot be hacked” – If someone tells you this, run in the other direction as fast as you can. There are no guarantees in the security world and no penetration test (or any sort of security service for that matter) that can 100% prevent a breach. While penetration tests can certainly assist you in improving your security hygiene, the security world constantly evolves with new technology, there are zero-day exploits, etc.
- “A vulnerability scan is just as good as a penetration test for a fraction of the cost” – We would like to emphasize “fraction of the cost”….if you were buying 2 identical cars, same year, same make, model, etc., and one was a fraction of the cost, would you think they are equal in value? Same goes with a vulnerability scan vs. a penetration test. As the name implies, a vulnerability scan is just that, an automated scan with little to no human input. A penetration test is conducted by a live engineer and goes much deeper than just a vulnerability scan. We recommend you augment an annual penetration test with quarterly vulnerability scanning.
- “The engineer performing my penetration test does not really matter” – Back to our car analogy, would you want someone that has never worked on a car before to fix your brakes? Or would you prefer someone with years of training, experience, and certifications under their belt? The same goes for your penetration test. We highly recommend vetting who will be performing your penetration test, their background, and their certifications. This ensures you are getting a high value assessment by a qualified engineer with experience backing their skills.
- “We have an internal team that conducts our penetration tests, we do not need a third party“ – Having an internal team that conducts penetration testing is excellent and shows your dedication and commitment to your security program. However, there can be blind spots, biases, and various other factors (e.g. internal politic) that can influence an internal teams results. By having an objective, unbiased third party conduct your penetration test, it ensures you are getting another set of eyes on your assets to ensure nothing has been overlooked. To use another analogy, when building a home, there are inspectors that come in along the way to ensure everything is being done properly and by the book. Home builders are not allowed to conduct their own inspections due to the natural bias associated. Same concept with your penetration tests.
- “During a penetration test, the testing team will attempt to avoid detection and look to go under the radar” – A penetration test is extremely loud and the test team does not generally attempt to avoid any forms of detection. A penetration test is a time-capped exercise and does not account for time to go undetected and avoid active resistance by the blue team. If you are looking for an assessment to test your detection and response capabilities, a Red Team or Purple Team assessment would fit the bill. These assessments are meant to be more threat emulation and they have time built-in for a more “low and slow” approach, countermeasures like IP rotation, and a variety of techniques outside of network-based penetration testing.
As you can tell, there a many myths when it comes to the penetration testing realm. At Triaxiom, our goal is to be as transparent as possible and help ensure that you and your team understand what you are getting, the value it will add, and how we approach the end-to-end process. Have any questions or want to get started on a penetration test? Contact us today to get started.