Five steps to successful and cost-effective penetration testing
Spending your time and money well
Computerworld - Whether you hire outside consultants or do the testing yourself, here are some tips for making sure your time and money are well spent.
1. Set goals. Make sure you know before you start your penetration testing what you want the results to encompass. Adding in too many systems can be overwhelming and costly.
2. Assign staff and resources to the project. Penetration testing can be expensive, so you might as well get the most out of your consultant's time, says Joe Basirico, senior training engineer at Security Innovation Inc. He recently worked on a project where the client did not assign staff to assist him and, unbeknownst to him, had only allocated a laptop for remote access. Each night, while Basirico conducted his tests off-site, the remote server would time out. He eventually found out that the company's cleaning person would close the lid on the laptop dedicated to his testing. Basirico called this lack of attention to the project a waste of their money.
3. Offer your tester documentation. The more information you share about your systems, the less legwork they have to do to come up to speed, which is less time on the clock. Include details about the types of encryption you use and system configurations.
4. Prioritize the results. Once you've got the results of your tests, map them to your goals. You can't tackle everything so make sure you do a solid risk assessment of the vulnerabilities to lead the way. Try to check things off the list that have immediate payback for your clients' security.
5. Understand no network is perfectly secure. It can be shocking to receive the results of a penetration test, according to Chris Nickerson, security services lead at Alternative Technology Inc. But it's better to know what you're dealing with and fix it than to have a false sense of security and pay the price later.
(Seeking free assessment and testing tech? We've got you covered.)
Pen testing for fun and profit
Read more about Endpoint Security in Computerworld's Endpoint Security Topic Center.
- Mitigating Multiple DDoS Attack Vectors It's time to rethink and refine the enterprise security architecture, so organizations can remain agile and resilient against future threats. Download this infographic...
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Reducing the cost and complexity of endpoint management IBM now offers simpler, more affordable solutions for improving endpoint security, patch compliance, lifecycle management and power management within midsized organizations. Read this...
- Agility & Scalability for Oracle EBS R12 and RAC on VMware vSphere 5 This white paper outlines extensive performance and scalability testing of Oracle EBS applications on a Vblock™ Systems with vSphere 5.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Endpoint Security White Papers | Webcasts