Mar 16. 2020

Penetration Testing vs. Comprehensive IT security assessment

Recently, one can observe a hype around penetration testing. If you look at job postings, everyone now seems to be looking for a penetration testing expert, ideally with a CEH (Certified Ethical Hacker) credential.

I believe that this tendency towards pen testing stems from a lack of awareness of how to assess and improve an organization’s overall security posture.

External security assessment

Penetration testing does bring great benefits when it comes to identifying vulnerabilities to external cyber security threats. It points out firewall weaknesses or misconfigurations, VPN access management issues, and unintended or open backdoors.

Does penetration testing fall short of management’s expectations?

Well, it does not, as long as management has a clear understanding of what the scope of a penetration test does and does not include.

Comprehensive external and internal security assessment

A comprehensive IT security assessment has a much broader scope and requires a greater commitment from senior management. It has time, resource and financial implications well beyond a penetration testing exercise.

An internal security assessment would look into IT control design effectiveness and efficiency related to:

  • DLP “Data loss protection and data leak prevention”
  • IAM “Identity and Access Management”
  • Change Management
  • Development
  • Incident response plan
  • DRP “Disaster Recovery Plan” etc.

Obviously, the list above entails an exhaustive review of a number of IT domains. This would be a daunting task for any IT audit function. As a result, a risk-based approach should be applied to prioritize the various IT security risk exposures.

One has to recognize that a comprehensive IT security assessment should look into the implications of the pen test results for the enterprise architecture, configuration management, incident response, etc. So, the pen test should be a launch pad for further detailed analysis and evaluation of key weaknesses and their interdependencies.

How would you perform such an analysis?

I suggest taking a closer look at the Open Group’s FAIR™ (Factor Analysis of Information Risk) model.

This IT security risk assessment and analysis methodology can complement your pen testing results with further risk identification and quantification.
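As an added illustration (not part of the original post and not Open Group's own FAIR tooling) of how pen test findings can be quantified and prioritized in the FAIR style, the script below decomposes risk into threat event frequency, vulnerability and loss magnitude, simulates annual loss from estimated ranges, and ranks two constructed findings; the triangular sampling and the sample estimates are assumptions of this example.

```python
import random
from statistics import mean


def point_estimate(tef, vuln, loss_magnitude):
    """Single-value FAIR estimate: annual loss = TEF * vulnerability * loss magnitude."""
    return tef * vuln * loss_magnitude


def _sample(rng, low, mode, high):
    # random.triangular takes (low, high, mode); triangular sampling stands in for
    # the PERT distribution usually used with FAIR (an assumption of this example).
    return rng.triangular(low, high, mode)


def simulate_annual_loss(finding, n=20000, seed=1):
    """Return (mean, 90th percentile) of simulated annual loss for one finding.

    finding["tef"], ["vuln"] and ["lm"] are (min, most likely, max) estimates for
    threat event frequency (attempts/year), probability an attempt succeeds, and
    loss magnitude per event.
    """
    rng = random.Random(seed)
    losses = sorted(
        _sample(rng, *finding["tef"]) * _sample(rng, *finding["vuln"]) * _sample(rng, *finding["lm"])
        for _ in range(n)
    )
    return mean(losses), losses[int(0.9 * (n - 1))]


def prioritize(findings):
    """Order pen test findings by simulated mean annual loss, highest first."""
    scored = [(simulate_annual_loss(f)[0], f["name"]) for f in findings]
    return [name for _, name in sorted(scored, reverse=True)]


# Constructed sample findings with illustrative estimates, not real data.
SAMPLE_FINDINGS = [
    {"name": "VPN portal without MFA", "tef": (12, 50, 200), "vuln": (0.05, 0.2, 0.5), "lm": (50_000, 250_000, 1_000_000)},
    {"name": "Outdated TLS on marketing site", "tef": (100, 300, 600), "vuln": (0.001, 0.005, 0.02), "lm": (1_000, 5_000, 20_000)},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        avg, p90 = simulate_annual_loss(f)
        print(f"{f['name']}: mean annual loss {avg:,.0f}, 90th percentile {p90:,.0f}")
    print("Priority order:", prioritize(SAMPLE_FINDINGS))
```

The 90th percentile shows the tail exposure that a single point estimate hides, which is the figure a risk-based prioritization should be built on.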

What are your thoughts on pen testing only vs a comprehensive IT security assessment?


If you like my post, do not forget to give it a thumbs up and post your comments.


#penetrationtesting #ITsecurity #cybersecurity #hacking #ITriskassessment
