Five steps to successful and cost-effective penetration testing

Spending your time and money well

Whether you hire outside consultants or do the testing yourself, here are some tips for making sure your time and money are well spent.

1. Set goals. Make sure you know before you start your penetration testing what you want the results to encompass. Adding in too many systems can be overwhelming and costly.

2. Assign staff and resources to the project. Penetration testing can be expensive, so you might as well get the most out of your consultant's time, says Joe Basirico, senior training engineer at Security Innovation. He recently worked on a project where the client did not assign staff to assist him and, unbeknownst to him, had only allocated a laptop for remote access. Each night, while Basirico conducted his tests off-site, the remote server would time out. He eventually found out that the company's cleaning person would close the lid on the laptop dedicated to his testing. Basirico called this lack of attention to the project a waste of their money.

3. Offer your tester documentation. The more information you share about your systems, the less legwork they have to do to come up to speed, which is less time on the clock. Include details about the types of encryption you use and system configurations.

4. Prioritize the results. Once you've got the results of your tests, map them to your goals. You can't tackle everything so make sure you do a solid risk assessment of the vulnerabilities to lead the way. Try to check things off the list that have immediate payback for your clients' security.

5. Understand no network is perfectly secure. It can be shocking to receive the results of a penetration test, according to Chris Nickerson, security services lead at Alternative Technology. But it's better to know what you're dealing with and fix it than to have a false sense of security and pay the price later.

Back to main story: Six hours to hack the FBI (and other pen-testing adventures)

More about: FBI, Speed
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/138/driverscanner-2010/

DriverScanner 2010

DriverScanner scans your computer and provides you with a list of drivers that need to be updated. All you have to do, then, is simply ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia