It’s sometimes hard to make the case for cost-effective penetration testing, often because organizations aren’t yet at a stage of cyber security maturity where a pentest will yield any real and measurable value. So first and foremost, it’s important to have other security processes in place before diving into what can be seen as a surgical strike on an infrastructure. If an organization’s asset and patch management aren’t in place, if regular automated security assessments aren’t part of the organization’s security posture, there is little benefit to a penetration test. The exception would be during the product development phase: in the case of software or hardware development, there is a good deal of value to be gained from pentesting in the late stages of development.
Few things are scarier than your run-of-the-mill penetration test bringing to light a vulnerability that has been present for a long time, and having to admit that an attacker may feasibly have gained a foothold in the corporate environment or in a segment of the network that was otherwise believed to be secure. Perhaps your SOC doesn’t have visibility over that part of the network, or (and this is very often the harsh reality) there is no visibility over egress traffic, so if the attacker is already on the network your security analysts are completely blindsided. Now what?
ChaosNet was born while sitting next to a stranger who, during the course of a short flight from Houston to Seattle, became a friend. During that flight we talked about a million different things, but something he said struck a chord with me: “Did you know that the Chinese symbol for ‘chaos’ literally means ‘a place of dangerous opportunity’?” It’s a great way of seeing things, and while later on I discovered that to be somewhat inaccurate, nevertheless… here we are.