Five steps to successful and cost-effective penetration testing

Spending your time and money well

By Sandra Gittlen

May 27, 2008 12:00 PM ET

Computerworld - Whether you hire outside consultants or do the testing yourself, here are some tips for making sure your time and money are well spent.

1. Set goals. Make sure you know before you start your penetration testing what you want the results to encompass. Adding in too many systems can be overwhelming and costly.

2. Assign staff and resources to the project. Penetration testing can be expensive, so you might as well get the most out of your consultant's time, says Joe Basirico, senior training engineer at Security Innovation Inc. He recently worked on a project where the client did not assign staff to assist him and, unbeknownst to him, had only allocated a laptop for remote access. Each night, while Basirico conducted his tests off-site, the remote server would time out. He eventually found out that the company's cleaning person would close the lid on the laptop dedicated to his testing. Basirico called this lack of attention to the project a waste of their money.

3. Offer your tester documentation. The more information you share about your systems, the less legwork they have to do to come up to speed, which is less time on the clock. Include details about the types of encryption you use and system configurations.

4. Prioritize the results. Once you've got the results of your tests, map them to your goals. You can't tackle everything so make sure you do a solid risk assessment of the vulnerabilities to lead the way. Try to check things off the list that have immediate payback for your clients' security.

5. Understand no network is perfectly secure. It can be shocking to receive the results of a penetration test, according to Chris Nickerson, security services lead at Alternative Technology Inc. But it's better to know what you're dealing with and fix it than to have a false sense of security and pay the price later.

(Seeking free assessment and testing tech? We've got you covered.)

Pen testing for fun and profit

Read more about Security Hardware and Software in Computerworld's Security Hardware and Software Topic Center.

Comments ()

Additional Resources

WHITE PAPER

Forrester Consulting - Optimizing Users and Applications in a Mobile World

Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

WHITE PAPER

Enter the Security KnowledgeVault

Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

WHITE PAPER

Cut Communications Costs Once and for All

New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Top Stories

Free Insider Guide

Excel 2010 Cheat Sheet: Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.

Security Hardware and Software White Papers

DLP Solutions and Strategies Reviewed: According to the 2011 Verizon Data Breach Report, 96% of data compromises were avoidable and 86% were discovered by someone other than the...
Overcome Top 7 Admin Challenges of Active Directory: As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
Insiders Can Ruin Your Company. Take Action.: Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
Top Solutions and Tools to Prevent Devastating Malware: Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
Streamline Compliance and Increase ROI: Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...

Security Hardware and Software Webcasts

Optimizing Networks for the Cloud: Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere: Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere: Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware: Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
Virtualize Business-Critical Applications with Confidence: Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®...