8 Reasons You Need a Security Penetration Test

Paul T. Yoder
Information Security Specialist
El Camino College District
1. Identify Gaps Between Security Tools
• Attacks directly focused on individual,
enterprise-class security tools are largely
unsuccessful. Attacks succeed by
exploiting the gaps between different
security tools. Some security tools mesh
better with others – and a penetration test
is one way to verify whether or not your
network has significant gaps between
security tools.
2. Prioritize Risk
• With all the security risks to contend with
these days, it's crucial for InfoSec to
determine how to prioritize risks in order
of importance, so they can be handled
appropriately. There's no better way to
determine priority than to use a pen test
to identify areas of weakness.
3. Discover Backdoors And Misconfigurations
• Even the most well-managed and robust
network infrastructures contain backdoors
– often through misconfigurations.
Sometimes the best way to figure out
where these security holes are located is
to let a third party run a penetration test.
Putting fresh eyes on any network often
unveils security faults which had
previously gone unnoticed.
4. Test Against Multiple Attack Vectors
• One of the great benefits of an in-depth
pen test is that multiple attack vectors can
be used together to identify complex
vulnerabilities which often go unidentified.
Multiple security tools are pieced together
to create a defense-in-depth strategy to
protect against multi-vector threats.
• The only way to really determine whether
disparate security tools can truly work
together is to validate using the same
multi-vector attack strategies the bad guys
might use.
5. Confirm The Value Of Your Investment
• Security tools are expensive. One way to
confirm the value of an already
implemented tool – or to confirm more
funding is needed to secure data
resources – is to leverage the results of a
penetration test. Pen tests will show the
(sometimes ugly) truth with regard to your
security stance.
6. Improve Security Response Time
• Viewing the results of a penetration test
can sometimes be a sobering and stressful
ordeal. But it's important to apply the
knowledge gained toward a better security
posture. One way to do this, with little
investment, is to use the identified
weaknesses and gaps to form a
streamlined security response policy.
• Identify all the key players, their
communications channels, and escalation
procedures. Then, when a real breach
does occur, you'll be better prepared to
handle it in a timely fashion.
7. Provides A Real-World Measuring Stick
• There's no way a network can be
completely safe from internal and external
threats. Instead, your ultimate goal should
be to be secure enough that the bad
guys will pass up your infrastructure in
favor of a softer target. A thorough
penetration test provides a great deal of
useful information when measuring your
company's overall security risk.
8. Micro-Level Tests Offer Macro-Level View
• Penetration testing should be thought of
as multiple, micro-level tests which, when
put together, provide a unique macro-level
view of your entire security posture. No
other security test available today can
provide both a granular and a global view.
Conclusion
• The amount of useful and architecture-specific
information gathered via a pen test is
invaluable to IT security specialists – and the
business as a whole. The benefits highlighted
here show how pen tests help give a high-level
overview, as well as point out areas where
special attention is needed. In the end, a pen
test is likely to help remediate weaknesses, save
money, and eventually build confidence in your
overall security posture.