The InfoSec Blog

Requirements for conducting VA & PT – Take 2

Posted by Anton Aylward

Some people are under the mistaken impression that a Pen Test simulates a hacker's action. We get ridiculous statements in RFPs such as:

The tests shall be conducted in a broader way like a hacker will do.

LOL! If a real hacker is doing it then it's not a test 🙂

Seriously: what a hacker does might involve a lot more, a lot more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.

Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.

And a real hacker is not going to record the results and present them in a nicely formatted PowerPoint presentation to management along with recommendations for remediation.

Requirements for conducting VA and PT tests

Posted by Anton Aylward

On one of the lists I subscribe to I saw someone make this alarming comment:

There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.

That is a very sad situation to be in, since it

  1. shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
  2. has no guarantees about what collateral damage the outsider had to do to gain root
  3. says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  4. indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle

Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.

What drives the RA? Need or Fashion?

Posted by Anton Aylward

A colleague in InfoSec made the following observation:

My point - RA is a nice to have, but it is superfluous. It looks nice
but does NOTHING without the bases being covered. What we need
is a baseline that everyone accepts as necessary (call it the house
odds if you like...)

Most of us in the profession have met the case where a Risk Analysis would be nice to have but is superfluous because the baseline controls that were needed were obvious and 'generally accepted', which makes me wonder why any of us support the fallacy of RA.

It gets back to the thing about the Hollywood effect that is Pen Testing. Quite apart from the many downsides it has from a business POV, it is non-logical in the same way that RA is non-logical.