PENTESTers are FAILING Businesses

Remember the days of attending a client site to execute a Penetration Test (pentest) with expensive automated penetration testing tools, producing a bunch of visually pleasing, colourful reports and super-special canned messages?

So the client thinks that because you’ve found some vulnerabilities they are protected, right?

Well, you are misleading businesses.

Many penetration testers have created a page of analysis from their tools of choice, pointed the finger of blame at obvious security flaws and quietly swanned off the premises with $20k in their pocket. Although not explicitly negligent, and maybe not the penetration testers’ fault, the scope is often poorly managed, misdirected and probably disengaged from the client’s real objective. It is no wonder pen-testers simply do what they think is best, which is a down-and-dirty vulnerability scan and a quick look over the firewall.

Today’s ICT environments are widespread, complex, and rarely offline at any one point in time. Penetration tests can be useful to provide a part of the picture but must be treated as complementary to a detailed cyber security assessment, not the solution itself. To their credit, many GOOD penetration testers have morphed their offering to include a closer look at process, compliance, and strategy but are all too often hamstrung by the limited engagement periods or lacklustre and hostile IT teams. In modern times, the reality is penetration testers are only part of a cyber security strategy.

And here’s a tip – Penetration Tests are not the first thing your business should do!

Big business and governments continue to use targeted penetration testing successfully, but they have deep pockets and can target previously assessed weaknesses or specific vulnerabilities. With a Bring Your Own Device (BYOD) policy becoming the norm, a booming cloud services industry and almost 100% of the workforce mobile, the attack vectors present on today’s networks can only be addressed by using a holistic, broad and iterative assessment approach. Penetration testing is one more tool – not THE tool – in the business’s cyber arsenal.

The question small and medium businesses should ask before enlisting the services of a penetration tester is:

"Is this really the best use of my Information Security budget?"

April 11th, 2017