Debunking Popular Myths About Pen Testing

When it comes to a security staple like penetration testing, we all have preconceived notions that make this practice seem quite challenging. The need to rotate vendors, interruptions to normal business, or even testers causing security risks are some that you often hear thrown around. But are they true? The short answer is no. In this blog, we’ll put these myths to rest and bring the truth about pen testing and all of its benefits to light.

But are they true? The short answer is no. In this blog, we’ll put these myths to rest and bring the truth about pen testing and all of its benefits to light.  

Tall Tales We All Believe About Pen Testing  

Every security practitioner has some sense of the efficacy of penetration testing services. So why do we hesitate? Like Mark Twain once stated, “It ain’t what you know that gets you into trouble. It’s what you know for sure that just ain’t so.” In that spirit, let’s poke a few holes at what we “know.”

Myth #1: Pen Testing Will Significantly Disrupt Network Operations

Only if it’s done carelessly. Typically, if there are any disruptions at all, they are pretty minor and very temporary. It’s true; you need to take a step back to go forward. Driving requires pulling over for gas and walking requires you to bend down and tie your shoes. But overall, the minor inconvenience is worth it when you consider the massive benefits.

To offset any minor adjustment in flow, plan appropriately and choose a reputable vendor. Smaller providers may be limited in their resources, forcing you to work on their timelines. Larger, more established pen testing vendors schedule on your time – even on nights and weekends. Email your employees about blackout windows and develop the mindset that a small disruption is well worth it to avoid a long-term outage that a real breach may cause.

Use this to your benefit. Set expectations at the outset and be open with employees that can be informed when a pen test is being run. If they understand the importance of pen testing as much as you do, they’ll be much more likely to endure any slight inconveniences that might occur (like a temporary spike in bandwidth) if they know what’s at stake if they don’t. This transparency also translates into a more security-aware company culture.  

Myth #2: Vendors Need to be Rotated 

While there is no regulatory statute stating that organizations need to rotate their pen testing contractors, it often feels like an unwritten rule. The logic behind this is that one team will catch what the other leaves behind. And this logic holds up. Each pen tester has a “very particular set of skills” and can bring something different to the table. But today you can find pen testing service vendors with multiple unique pen testers on call. They can easily swap out skillsets, give you a different perspective, and change things up all while maintaining continuity.  

When you start in with a pen testing service, a lot goes into getting to know your company, its architecture, your goals and security objectives – even an organization's personal style. When you've found a vendor that you trust, switching out pen testers or even pen testing teams from their internal pool is a way to get the best of both worlds.  

Myth #3: Pen Testers Use Illegal or Unapproved Methods to Gain Access 

Quite to the contrary. Not only is it best practice, it is often a regulatory requirement that testers stay within the bounds of what’s lawful. Only industry standard methods and tooling are used, which are provided to customers as part of the rules of engagement. Proper authorization is what draws the line between ethical and unethical hacking, between professional penetration testers and digital vigilantes, and between right and wrong.  

In addition, the right pen testing vendor will put analysts in communication before and during the test to address any concerns that may arise. But the short answer is, no. When an organization grants explicit permission and a pen testing provider is completely transparent about their techniques, tools, and methodology, everything is perfectly above board. This also implies absolute confidentiality on the part of the vendor.  

However, because this myth proliferates, many are concerned that penetration puts their network at risk. Good pen testing tools have error prevention mechanisms to ensure they leave no trace. For example, Core Impact has programmable self-destruct capabilities, so no agent is left behind after testing to drain resources or be used as a potential backdoor for attackers.  

Myth #4: If You Have Vulnerability Management, You Don’t Need Pen Testing

Vulnerability management and penetration testing are intended to work together. VM tools identify and prioritize CVEs, assigning them a score based on their severity. Pen testing tools are used to go in and determine how at-risk those CVEs really are in context. Does the organization already have protective policies in place around this high-score vulnerability? Is this low-score vulnerability living on a service that exists on the edge and is in imminent danger? While vulnerability scans provide a valuable picture of what vulnerabilities are present, penetration tests can add further insight to that picture with additional context.

Here are a few examples of the two tactics’ complimentary features.

Here’s what VM tools can do:

•    Scan your environment and identify vulnerabilities
•    Prioritize CVEs 
•    Create a report of all identified and prioritized CVEs

And here’s what pen testing can do to complement VM tools:

• Identify which vulnerabilities are causing the most risk. A low-score CVE could open up ways for attackers to pivot to critical areas on your network, so you can’t take vulnerabilities at face value.
• Distinguish which CVEs are already protected. That they may exist is true; that you need to necessarily worry about them (at least right now) is up for debate. Pen testing software can identify if compensating security controls (like firewalls) or practical obstacles (like needing access to a secured storage facility) offset some of the danger. If so, you can focus on other vulnerabilities first.
• Verify if patches are applied properly. Your VM may have mandated certain fixes, but if mistakes could be made the first time, they can also be made the second time. Penetration tests can determine the status of a patch, making sure what needed to be done actually was, and then was done correctly. A bad patch (where you think a good one is) is even worse than none at all.

The Truth About Pen Testing

Pen testing not only tests effectiveness of your security controls, it also ensures you don’t waste your time or effort when changes of any kind are made. After implementing a state-of-the-art vulnerability management program, don’t you want to see full return on your investment? If you stop there, you’ll be stuck chasing down and patching up vulnerabilities that may not present the areas of most risk.  

With a good penetration test as your guide, you can:

• Assess risk | The CVSS does not tell all. So much of risk is in where the vulnerability is placed, the security context around it, and how well the company is prepared to handle an incident in that area. Pen tests can also tell you which vulnerabilities are just false positives.  
• Validate remediation | Don’t just patch it and forget it. Without the proper oversight, a well-intended patch could exacerbate the problem by not being compatible or breaking something in an adjacent system. Pen tests make sure the fixes don’t become another problem.  
• Vet your security program | Penetration testing also does the double work of checking the effectiveness of your existing security policies and program. It will tell you what’s working – and what isn’t.  
• Maintain compliance | No one wants an audit, but more than that, no one wants to fail one. Increasingly, pen testing is becoming either a mandatory or otherwise core part of compliance requirements such as PCI-DSS and SOC 2.  
• Prepare for real-world attacks | Let’s not forget one of the major components of penetration testing, which is to subject your team, time, and tools to the same sophisticated exploit methods used by real-world threat actors. You get to see how your hard work stacks up and how your security strategy performs against attackers.
• Augment scanning for vulnerabilities | It’s good to know what could cause you harm, but if you have any intention of addressing the situation, it’s necessary to know how. And that means being strategic about your resources and identifying what needs to get fixed first, which is a hidden threat, and what is under control.

Simply put, pen testing protects your security investment by enabling you to close security gaps before they're taken advantage of by malicious threat actors. 

Pen Testing with Core Impact

Fortra’s Core Impact is a solution that in itself busts many of these myths. As part of Fortra's robust cybersecurity portfolio, it is a reputable solution that is minimally disruptive, and uses expert certified exploits and self-terminating agents so testers can safely assess your infrastructure. It also seamlessly integrates and validates vulnerability scans, further demonstrating how these tools work better together.

By leveraging all of Core Impact's capabilities, teams can do more than “perform a pen test.” They can establish a long-standing proactive security staple that will minimize risk and protect valuable assets.

About the Author

Mieng Lim, Vice President, Product Management has served as a security expert for Digital Defense, Inc. since 2001. Mieng takes a consultative approach to security having held prior roles in Operations, Quality Assurance and Sales Engineering. Mieng seamlessly blends technical expertise with real world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves a mentor and STEM advocate encouraging young women to pursue careers in security and technology and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor’s Degree in Computer Science with Minor in Sociology from Trinity University.