By Muthoga Kioni

As youngsters we were told that regular eating of fruits kept the doctor away. The same concept applies in securing a network. Frequent penetration testing is what keeps the intruders away because vulnerable points are identified and sealed.

It is akin to locking and arming your home and then enlisting the services of a reputable burglar to attempt an intrusion. Remember Jack Woltz in The Godfather, who woke up one morning next to the decapitated head of his prized stallion? That was a suitable illustration of how penetration testing can obliterate your physical and psychological defences.

Penetration testing (PT) is a portion of ICT system auditing in which auditors attempt to circumvent the security features of a system. It is a broad area of practice that has different approaches and getting value for money can be tricky.

Security expectations

Before commissioning a PT on their systems, the management should first understand what to expect from it.

They should also establish the basic definition of the exercise. There is a difference between PT in its strictest form and a security audit. PT has the aim of breaking into the system by whatever means possible. A security audit tends to be a wider assessment of risk, based on a variety of investigative evidence.

It is important to determine whether it is a penetration test that you want to conduct or a security audit.

Experience indicates that effective tests tend to be those that provide a combination of automated and manual actions. This is because data patterns can be more intuitively interpreted by human beings than by a machine.

Clear evidence

Management should insist on a textbook approach to reporting, where the report has a summary and a clear separation between descriptions of the context and a presentation of the findings.

This report should, among other aspects, outline the purpose of the PT, its scope, a list of targets and testing dates, and any agreed or unavoidable restrictions.

The final condition to establish is evidence presentation. Evidence must be easy to understand without being riddled with lists and lists of impenetrable data.

Hopefully, this will provide your organisation with some guidance for ensuring that before you perform a PT you clearly outline what you want, the processes and the report format that would be suitable for your organisation.

—The writer (bmuthoga@hotmail.com) is an ICT Security and Forensic Specialist.