What are the drawbacks of penetration testing?
If you find yourself wondering whether it is really a good idea to get a penetration test, or what risks are involved, that is a very good question.
While the pros of pen testing generally outweigh the cons, there are disadvantages that you should be aware of. Penetration tests can disrupt your organization, inadvertently expose sensitive information, cost a great deal, or overwhelm your defensive teams.
Let’s take a look.
Industry Push for pen testing
Everywhere you turn in information security, penetration testing and vulnerability assessments are pushed as being critical components of an organization’s security program.
ISO 27001, SOC2, PCI DSS, and GDPR all require or strongly recommend having penetration tests performed on a regular basis.
As cyber attacks continue to evolve in both impact and frequency, the demand for pen tests only continues to increase. According to some market researchers, that demand will grow the market from $1.7 billion in 2020 to $4.5 billion by 2025. Some companies see it as a way to get ahead of the bad guys so they don’t become a victim.
Some companies are still hesitant to open their doors to hackers and allow them to break their systems. And rightfully so.
There are drawbacks.
Pen testing Cons
Some of the cons of pen testing include disruption to the business, having to trust testers to be ethical, misleading results, partial visibility, time intensiveness, false satisfaction, inadvertent exposure, reckless pen testers, unforeseen consequences, actually introducing exposure, and false alert fatigue for your security team.
• Trusting the pen testers – You are putting a lot of trust into the company that you hire to conduct a penetration test and the employees they bring. You are literally asking them to conduct illegal activity on your behalf. (It becomes legal when you ask, of course). This requires a high degree of trust. But how do you find companies that you can trust to conduct your pen testing?
• Damage and Disruption – Penetration tests don’t always go according to plan, unfortunately. Pen tests can crash servers, cause network communication to slow to a crawl, add bad data to your databases, and have many other negative impacts.
• Results can be misleading – the pen test doesn’t always end in the testers completely pwning your network or system. In fact, many times, the testers don’t completely “destroy” your system, but instead find numerous vulnerabilities that can cause serious problems when combined. This sometimes leads to the defensive team feeling confident they can keep the bad guys out. While it’s a great morale boost when the blue team defeats the red team, it doesn’t mean smooth sailing thereafter.
• Not comprehensive – This is perhaps the biggest downside to penetration testing. Because the assessments have a finite testing period, testers can only find so many vulnerabilities. Criminal attackers have the huge advantage of time on their side. They can wait and do reconnaissance as quietly as possible and for as long as they need to. This problem is compounded when the company receiving the test limits the scope of the assessment too much. Many pen tests, for example, do not allow any form of social engineering. Criminal attackers are almost certain to use social engineering at some point in their attack.
• Time intensive and costly – there's no question that pen tests are not cheap, especially when you hire a respectable consulting firm. There’s also the time commitment of your own team that you must consider. Pen tests will create a lot of “noise” in your systems that your defense team must analyze to ensure that it isn’t an attacker.
• Reckless penetration testers – Sad to say, not all pen testers are careful. They can be reckless or simply ignorant of the effects of the types of tests they’re conducting or the tools that they are using. This is especially true of junior testers who don’t have a deep knowledge of how the tools they are using work. It’s important that you discuss the types of tests to be performed and the skill levels of the testers. But again, skilled testers do cost more.
• Inadvertent negative impacts – there is a host of things that can go wrong during penetration tests. Legacy systems that are online could crash and be completely lost. You simply don’t know how systems will respond. This could be especially critical for certain industries. For example, we were doing an assessment on a hospital network once that had several systems for remotely controlling pacemakers. It could have been catastrophic if those systems malfunctioned, so we isolated them from the assessment.
• Can introduce exposures – if the testers do not properly note their actions and clean up when they are done, they could be leaving your systems with more exposure than when you started the assessment. If a tester leaves a backdoor on a web app they are assessing, that backdoor could be accessible by anyone on the internet henceforth.
• False alert fatigue for your defensive team – as we mentioned earlier, pen tests are extremely noisy. They can create a lot of alerts that your security operations center must track down to ensure they are from the test and not from criminals. Since most companies keep their pen tests secret for at least the first few days of the assessment in an effort to monitor response, your defense team can quickly become overwhelmed. It’s important that the individual who requested the pen test keep an eye on the alerts being generated so they can monitor the response and know when it may be time to spill the beans.
Pen testing Pros
Now, not everything about penetration tests is bad. There are a lot of good things. That’s why more and more companies are incorporating penetration testing into their cyber defenses. Some of the benefits of penetration testing include identifying unknown vulnerabilities, finding exploit chains that could be disastrous, testing for logic abuse, specific recommendations, proactive security that prevents breaches, being good for incident response tests, and providing realistic attack scenarios.
• Identifying unknown vulnerabilities – The whole point in getting a pen test done is finding weaknesses and vulnerabilities that you didn’t know existed, right? That’s a huge pro. If bad actors can make use of a vulnerability to exploit your systems, that could lead to serious downtime and even financial loss.
• Finding exploit chains – something that the majority of automated testing and scanning solutions can't identify is vulnerabilities that can be chained to cause serious damage. Humans can find these, which means criminals can as well.
• Logic abuse tests – This is something that regularly comes up on penetration tests. Logic abuses take advantage of failures in the way a program’s logic works. For example, Uber once had a logic flaw in which customers who couldn’t be matched against a certain database were not charged for their rides. Because the response wasn’t what the application expected, the if statement allowed them a free ride. Finding these types of vulnerabilities can be a great advantage.
• Specific recommendations – The report that you receive after a penetration test is invaluable. The testers literally tell you step-by-step what you need to do to resolve the vulnerability.
• Proactive security steps – Many times, the advice that you receive during a pen test helps your company improve its overall security posture. If vulnerabilities are traced back to the root cause and addressed, you can greatly improve that posture.
• Incident response testing – while pen tests are thought to find vulnerabilities, they are a great time to do an incident response test as well. If your security defense team does not know that a penetration test is occurring, you can use the opportunity to monitor their response to the situation and provide feedback and recommendations for ways to improve your incident response plan and procedures.
• Realistic attack scenarios – when properly scoped and handled, pen tests can provide quite realistic attack scenarios for you to judge just how the attack could play out and whether your controls are sufficient to identify and contain the incident.
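The logic-abuse bullet above describes a check that fails open: when the customer lookup returns something the code did not expect, the ride goes ahead unbilled. The following is an added example written for this article (not Uber's code and not from the original post) that puts that fail-open pattern beside a fail-closed rewrite and a billing-side check that would surface the free rides; the customer records and function names are constructed.

```python
from dataclasses import dataclass

# Constructed customer records: customer id -> payment method on file.
CUSTOMERS = {"c-100": "visa-4242", "c-200": "mc-9001"}

@dataclass
class RideResult:
    allowed: bool   # the ride was permitted to proceed
    charged: bool   # a charge was actually taken
    amount: float
    reason: str

def charge_ride_fail_open(customer_id: str, fare: float) -> RideResult:
    """Vulnerable pattern: only the expected 'customer matched' case is handled.
    An unmatched customer makes the lookup return None, the if-branch is
    skipped, and the ride proceeds with nothing charged."""
    payment_method = CUSTOMERS.get(customer_id)
    if payment_method is not None:
        return RideResult(True, True, fare, f"charged {payment_method}")
    # No explicit failure handling: the unexpected response is treated as "done".
    return RideResult(True, False, 0.0, "no match, ride allowed")

def charge_ride_fail_closed(customer_id: str, fare: float) -> RideResult:
    """Hardened pattern: anything other than a confirmed charge denies the ride
    and records why, so the failure is visible instead of silently free."""
    if fare <= 0:
        return RideResult(False, False, 0.0, "rejected: invalid fare")
    payment_method = CUSTOMERS.get(customer_id)
    if payment_method is None:
        return RideResult(False, False, 0.0, "rejected: unknown customer")
    return RideResult(True, True, fare, f"charged {payment_method}")

def find_free_rides(results: list[RideResult]) -> list[RideResult]:
    """Billing-side check: rides that proceeded but were never charged are the
    signature of a fail-open flaw and should be investigated."""
    return [r for r in results if r.allowed and not r.charged]

if __name__ == "__main__":
    # Constructed sample: one known customer and one id that matches nothing.
    rides = [("c-100", 12.5), ("ghost-1", 30.0)]
    open_results = [charge_ride_fail_open(c, f) for c, f in rides]
    closed_results = [charge_ride_fail_closed(c, f) for c, f in rides]
    print("fail-open free rides:  ", len(find_free_rides(open_results)))
    print("fail-closed free rides:", len(find_free_rides(closed_results)))
```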