Tick in the Box Penetration Testing (and why it’s bad)
Penetration testing should always reflect a measured approach to the problem at hand, which is to ensure your systems are resilient to criminal attack. A penetration test does this by simulating such attacks and attempting to gain access to your systems, people and premises.
The marketplace is still clouded with firms that offer a “penetration test” that merely scratches the surface and helps customers “tick a box” for compliance purposes, whether for ISO 27001, PCI DSS, the NHS IG Toolkit or DPA requirements.
At the end of the day, if you choose a tick-in-the-box approach and select a penetration test on cost savings alone, this boils down to negligence that could bring both yourself and the company you work for into disrepute. Yet far too many firms still appear to be doing this, and inevitably leave systems untested and thus exposed to the outside world.
It’s always frustrating for reputable penetration test companies to put in a perfectly good bid for work, yet be undercut by someone who doesn’t know what they’re doing. As long as companies are told they just need to “tick the box”, they will of course be led by price.
Organisations must think about “why” they need to tick the box, and what that box is there for. It’s there so that you can readily demonstrate that your systems, people and premises have been appropriately tested, not that you have bought the cheapest penetration test you could find, one that perhaps covers the external network only.