
Penetrating the security testing myth

by Lee Farman, Acutest. Published in Prosecurity talk September 2005

Security testing is big news at the moment, but is an area that is largely misunderstood. It's true that companies are falling over themselves to test whether their systems are secure. It's also true that security testing is making it onto the boardroom agenda.

The problem, however, is that for many companies security testing is synonymous with penetration testing. This obsession with penetration testing - to the detriment of other areas of security testing - leaves British businesses open to potentially serious security breaches.

So why has this obsession taken hold? Probably because penetration testing is easy to justify, from both a budget and business value perspective. It's also relatively easy to find specialists and specialist tools to conduct effective penetration tests.

In contrast, other important aspects of security testing are less tangible and may not be on a company's testing radar at all. In last year's DTI ISBS survey, only four per cent of companies attributed their worst security incident to outsiders attempting to penetrate their systems. Put another way, 96 per cent of security breaches were completely unrelated to people trying to get in from outside.

Even so, one company we worked with believed it had dealt with its security concerns with an approach entirely centred on penetration testing. We were brought in to help when the management team became concerned about the number of internal and staff-related security incidents that occurred after the project had gone live.

So what needs to be done to ensure that companies dispel this distorted view of where their IT vulnerabilities lie?

Our view is that companies need to wipe the slate clean and approach security testing from a more realistic perspective. Some of the key areas that we have seen companies overlook are:
  • Preparation of comprehensive security risk analysis and security policies on projects: often these are created in order to move towards BS7799 certification, but they are rarely checked for effectiveness or rigorously tested.
  • Testing the developmental and operational approach, to ensure that security best practice is designed into the solution: one of our customers viewed this as a major issue, especially given the increase in outsourcing of development and operations. The growth in popularity of 'offshoring' developments arguably brings this issue into even sharper focus. That said, these tests don't even make it onto the agenda for most companies.
  • Incorporating security testing into other forms of testing, rather than testing it in isolation: ring-fencing security testing can increase costs and increases the risk of missing areas such as:
    • testing security during system migration.
    • testing security during disaster scenarios.
    • testing security when a system is under heavy load.
  • Incorporating staff testing processes which minimise the potential security risk posed by staff (eg staff vetting, physical access, identity management).
  • Ensuring that test modes in applications and test materials do not allow unauthorised access to future live systems.
  • Ensuring that data is security-tested at all levels: outsourcing, and the blurring of the definition of where the security perimeter lies, makes data more vulnerable than ever.
  • Allocating resources to the testing of the monitoring, control and auditing procedures.
  • Testing that patches are up to date or testing the process for maintaining them.
The list above may seem daunting initially. It may also lead to questions about how to begin addressing your security risks. A good place to start is by undertaking an effective risk analysis as early as possible in a change programme. This will give you the framework for your security testing and will also provide you with a prioritisation mechanism which can help you decide which risks you most want to deal with in your security testing activities.

In summary, don't be seduced by the allure of easy-to-implement penetration testing.

Change your mindset and start to view security testing as a much larger discipline that covers a wide range of areas.

Undertake a risk analysis programme early in the development project and reap the dual benefits of increased clarity in your security concerns and increased confidence that you are dealing with them effectively.