AverageSecurityGuy

Security, Programming, Pentesting

10 February 2011

Do I need an Internal Penetration Test?

by averagesecurityguy

The answer to this question depends heavily on the maturity of your information security program. Let me explain.

Maturity Level 1

Description

Do I need an internal pentest?

No. An internal penetration test at this level would be like shooting fish in a barrel. You need to start with a risk assessment, which should include an inventory of all your assets, the potential risks to those assets, and the controls that mitigate those risks. Then you need to implement the identified controls, which will include both written policies and technical controls. The risk assessment should be updated regularly. You may also consider hiring an information security consultant to assist you in the process.

Maturity Level 2

Description

Do I need an internal pentest?

No. An internal penetration test would find a number of vulnerabilities, but without an effective vulnerability management program in place to track and remediate them you will not get much value from the test. Instead, you should have an outside review of your implemented controls to confirm they are sufficient to mitigate the identified risks. You should also implement a vulnerability management program to identify potential hardware and software vulnerabilities. Your risk assessment, policies, and procedures should be updated based on the results of the controls review and the vulnerability assessment.

Maturity Level 3

Description

Do I need an internal pentest?

Yes. At this level an internal penetration test serves as a valuable way to audit your vulnerability management program, and it will also help you identify weaknesses in your change management and update management policies and procedures.

Conclusion

I realize this is an oversimplification, but the point is that an internal penetration test will not provide significant value unless you have a mature information security program in place. Instead, depending on your maturity level, consider either a vulnerability assessment or getting outside help developing an information security program.

tags: infosec thoughts - penetration testing - thoughts