Proposal / Submission Type
Peer Reviewed Paper
Location
Richmond, Virginia
Start Date
28-5-2014 10:40 AM
Abstract
Penetration testing of networks is a process that is overused when demonstrating or evaluating the cyber security posture of an organisation. Most penetration testing is not aligned with the actual intent of the testing, but rather is driven by a management directive of wanting to be seen to be addressing the issue of cyber security. The use of penetration testing is commonly a reaction to an adverse audit outcome or as a result of being penetrated in the first place. Penetration testing used in this fashion delivers little or no value to the organisation being tested for a number of reasons. First, a test is only as good as the tools, the tester and the methodology being applied. Second, the results are largely temporal. That is, the test will likely only find known vulnerabilities that exist at one specific point in time and not larger longitudinal flaws with the cyber security of an organisation, one such flaw commonly being governance. Finally, in many cases, one has to question what the point is in breaking the already broken.
Penetration testing has its place when used judiciously and as part of an overall review and audit of cyber security. It can be an invaluable tool to assess the ability of a system to survive a sustained attack if properly scoped and deployed. However, it is our assessment and judgement that this rarely occurs.
Keywords: cyber security, penetration testing, vulnerability assessment
Scholarly Commons Citation
Valli, Craig; Woodward, Andrew; Hannay, Peter; and Johnstone, Mike, "Why Penetration Testing is a Limited Use Choice for Sound Cyber Security Practice" (2014). Annual ADFSL Conference on Digital Forensics, Security and Law. 10.
https://commons.erau.edu/adfsl/2014/wednesday/10
Included in
Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, Social Control, Law, Crime, and Deviance Commons
Why Penetration Testing is a Limited Use Choice for Sound Cyber Security Practice
Richmond, Virginia
Penetration testing of networks is a process that is overused when demonstrating or evaluating the cyber security posture of an organisation. Most penetration testing is not aligned with the actual intent of the testing, but rather is driven by a management directive of wanting to be seen to be addressing the issue of cyber security. The use of penetration testing is commonly a reaction to an adverse audit outcome or as a result of being penetrated in the first place. Penetration testing used in this fashion delivers little or no value to the organisation being tested for a number of reasons. First, a test is only as good as the tools, the tester and the methodology being applied. Second, the results are largely temporal. That is, the test will likely only find known vulnerabilities that exist at one specific point in time and not larger longitudinal flaws with the cyber security of an organisation, one such flaw commonly being governance. Finally, in many cases, one has to question what the point is in breaking the already broken.
Penetration testing has its place when used judiciously and as part of an overall review and audit of cyber security. It can be an invaluable tool to assess the ability of a system to survive a sustained attack if properly scoped and deployed. However, it is our assessment and judgement that this rarely occurs.
Keywords: cyber security, penetration testing, vulnerability assessment
