SecurityInformed.com
Drawbacks Of PenTests And Ethical Hacking For The Security Industry
Andy Jordan
PenTesting, also known as “ethical hacking” or “white-hat hacking,” has always been viewed as the “sexy” side of cybersecurity, a task that is far more exciting than monitoring systems for intrusions, shoring up defenses, or performing compliance audits.

Numerous security conferences are devoted to the fine art of attempting to hack into systems – with an owner’s full knowledge and permission – and reporting on the results.

Businesses also value PenTesting on the premise that it lets them identify security vulnerabilities before cyber criminals do, and some regulatory frameworks, such as PCI DSS, require penetration assessments as part of compliance.

However, many organizations have come to over-rely on PenTesting, assuming that once every issue found in a PenTest has been addressed, they are good to go. Not only does this fail to improve their security posture, it also leaves them with a false sense of security.

What Is PenTesting?

A penetration test is a simulated, live attack on your environment by a white-hat hacker, customized to address specific problem areas, such as web-based applications, mobile applications and infrastructure services like border VPNs and firewalls.

The PenTest may include different types of attacks, depending on the scope the organization requests, so that the tester attempts to come at each system from all sides, the way a cyber criminal would. The goal is to identify which systems and data the tester was able to access and how the organization can address the vulnerabilities that allowed them to get in.

The Limitations Of PenTesting

There is great value in performing periodic PenTests, which is why PCI DSS and other security standards mandate them. However, PenTesting has three significant limitations:

PenTesting does not provide solutions

Let’s be honest: No one likes reading technical reports, but typically, that's the only deliverable provided by a PenTester. The value of a PenTesting report varies wildly based on the scope of the testing, the PenTester’s technical expertise and their writing ability. The tester may miss some things, or not clearly convey their findings.

Additionally, a PenTest is a snapshot in time and the PenTester could miss changes in the systems, configurations, attack vectors and application environments. Even if your system “passes” a PenTest, will it crumble in the face of a brand new, more powerful attack vector that emerges a week later?

The worst type of “PenTest report” consists of an analyst producing nothing more than the results of a vulnerability scan. Even if the PenTester produces a well-written, comprehensive report filled with valuable, actionable information, it is up to your organization to take the action, which leads to the next limitation of PenTesting.

PenTesters only exploit vulnerabilities and do not promote change

PenTesting does not highlight the missing links in your organization's technology stack that could help you address your security vulnerabilities. This gap is often excused as being “agnostic” to the technologies in place, because the tester's expertise is purely offensive security – unless, of course, the performing company has “magic software” to sell you.

PenTests also do not help to develop your organizational processes, and they do not ensure that your employees have the knowledge and training needed to apply the identified fixes. Worst of all, if your in-house expertise is limited, security issues identified during a PenTest are not validated, which misrepresents their magnitude and severity while giving your team a false sense of security.

PenTesters are self-serving

Too often, PenTesting pits the assessment team against the organization; the goal of the assessment team is to find the best way to "shame" the business into remediation, purchasing the testing company’s “magic software”, then call it a day.

Once the PenTesters find, for example, a privilege escalation or a way to breach PII, they stop looking for other issues. The testers then celebrate the success of finding a single “flag”. In the meantime, the business is left in a precarious situation, since other unidentified issues may be lurking within their systems.

Shifting The Paradigm Of PenTesting

Penetration testing can uncover critical security vulnerabilities, but it also has significant limitations and it’s not a replacement for continuous security monitoring and testing.

This is not to say that all PenTesting is bad. PenTesting should be integrated into a comprehensive threat and vulnerability management program so that identified issues are actually addressed. The purpose of a mature vulnerability management program is to identify, treat and monitor vulnerabilities over their whole lifecycle.

Vulnerability Management Program

Additionally, a vulnerability management program requires multiple teams within an organization to develop and execute a remediation plan for each vulnerability. A mature threat and vulnerability management plan takes time to build, and it is helpful to partner with a managed security services provider (MSSP) in the following areas:

  • Improve your cyber-risk management program so that you can identify and efficiently address vulnerabilities in your infrastructure, applications and other parts within your organisation’s ecosystem on a continuous basis;
  • Perform retests to validate any problems identified through a vulnerability scan or a PenTest assessment;
  • Ensure that your in-house staff has the knowledge, skills and tools they need to respond to incidents.
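The identify, treat and monitor loop described above, and the earlier point that a PenTest is only a snapshot in time, can be made concrete with a small finding register. The following is an added example, not code from the article or from any product it mentions: a register in which a finding can only be closed by a passed retest, a fix that fails its retest goes back to the owning team, and a "fixed" issue that resurfaces in a later scan is reopened rather than staying silently closed. The severity-to-SLA days, the host and finding names, and the timeline are all constructed for illustration.

```python
"""Minimal vulnerability-lifecycle register (constructed example).

Rules enforced:
  * a finding is closed only by a retest that passes (VALIDATED);
  * a failed retest sends the finding back to the team (RETEST_FAILED);
  * a validated finding that a later scan reports again is reopened.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    OPEN = "open"                    # identified by a scan or PenTest, untreated
    FIX_APPLIED = "fixed"            # owner reports a fix, not yet validated
    VALIDATED = "validated"          # retest confirmed the fix; closed
    RETEST_FAILED = "retest_failed"  # fix did not hold; back with the team


# Assumed remediation SLAs in days per severity (constructed, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    key: str            # stable identifier, e.g. "<host>:<weakness>"
    severity: str
    source: str         # "pentest" or "scan"
    found_on: date
    status: Status = Status.OPEN
    history: list = field(default_factory=list)

    def due_on(self) -> date:
        return self.found_on + timedelta(days=SLA_DAYS[self.severity])


class VulnRegister:
    def __init__(self):
        self.findings: dict[str, Finding] = {}

    def identify(self, key, severity, source, found_on) -> Finding:
        """Record a finding; a validated finding that reappears is reopened."""
        f = self.findings.get(key)
        if f is None:
            f = Finding(key, severity, source, found_on)
            self.findings[key] = f
        elif f.status == Status.VALIDATED:
            f.status, f.found_on = Status.OPEN, found_on
            f.history.append(("reopened", source, found_on))
        return f

    def mark_fixed(self, key, when):
        f = self.findings[key]
        if f.status not in (Status.OPEN, Status.RETEST_FAILED):
            raise ValueError(f"{key}: cannot mark fixed from {f.status.value}")
        f.status = Status.FIX_APPLIED
        f.history.append(("fix_applied", when))

    def retest(self, key, still_vulnerable, when):
        """Only a retest may close a finding; a failed retest reopens the work."""
        f = self.findings[key]
        if f.status != Status.FIX_APPLIED:
            raise ValueError(f"{key}: retest needs a reported fix, got {f.status.value}")
        f.status = Status.RETEST_FAILED if still_vulnerable else Status.VALIDATED
        f.history.append(("retest", "failed" if still_vulnerable else "passed", when))

    def overdue(self, today) -> list:
        """Unclosed findings past their SLA date."""
        return sorted(k for k, f in self.findings.items()
                      if f.status != Status.VALIDATED and f.due_on() < today)

    def unvalidated(self) -> list:
        """Findings an owner calls fixed that nobody has retested yet."""
        return sorted(k for k, f in self.findings.items() if f.status == Status.FIX_APPLIED)


def run_demo() -> dict:
    """Constructed timeline: one PenTest snapshot, then a continuous scan 60 days later."""
    reg = VulnRegister()
    t0 = date(2018, 2, 1)
    reg.identify("web01:sqli-login", "critical", "pentest", t0)
    reg.identify("vpn01:weak-tls", "medium", "pentest", t0)
    # Critical issue fixed and the retest confirms it.
    reg.mark_fixed("web01:sqli-login", t0 + timedelta(days=3))
    reg.retest("web01:sqli-login", still_vulnerable=False, when=t0 + timedelta(days=5))
    # TLS fix claimed, but the retest still finds it weak -> back to the team.
    reg.mark_fixed("vpn01:weak-tls", t0 + timedelta(days=10))
    reg.retest("vpn01:weak-tls", still_vulnerable=True, when=t0 + timedelta(days=12))
    # Routine scan two months on: the injection flaw is back after a deploy.
    reg.identify("web01:sqli-login", "critical", "scan", t0 + timedelta(days=60))
    today = t0 + timedelta(days=100)
    return {
        "status": {k: f.status.value for k, f in reg.findings.items()},
        "overdue": reg.overdue(today),
        "unvalidated": reg.unvalidated(),
        "reopened": sorted(k for k, f in reg.findings.items()
                           if any(h[0] == "reopened" for h in f.history)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the register is the guard in `retest`: a finding never leaves the board on an owner's word alone, which is the validation step the article says is missing when in-house expertise is thin. The `reopened` entry in the demo output is the snapshot problem made visible: the issue the PenTest closed in February is open again by April, and only continuous scanning caught it.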

Cyber risk management and remediation is a "team sport." While periodic testing conducted by an external consultant satisfies compliance requirements, it is not a replacement for continuous in-house monitoring and testing.

To ensure that your systems are secure, you must find a partner who not only performs PenTesting but also has the engineering and development experience to assist you in fixing these types of complex problems in a cost-effective manner and ensuring that your systems are hardened against tomorrow’s attacks.
