e-Security Series (Penetration Tests)
Demystifying Penetration Tests – Planning and Managing Tests (Part 4 of 4)
Santosh Satam
The Cost Dimension
The cost of a penetration test is generally a function of the time taken to do it and the skill level of the tester (just as a senior counsel costs more than a rookie lawyer, a senior penetration tester costs more than a junior one). So how long should a test take, and whom should you employ to do it?
Diminishing Returns
Most people are familiar with what economists term ‘the law of diminishing returns’, i.e. there comes a point when the value added by additional activity is insufficient to justify the additional investment. In everyday speech, we refer to the 80/20 rule, which is based on similar principles.
These concepts are relevant and applicable to penetration testing. Provided your penetration tester is skilled, there is a direct correlation between the amount of time allocated to testing and the increase in security you should achieve. As a penetration test progresses, however, the rate at which security improves slows, and there comes a point at which it is no longer efficient to continue the test.
The objective is to test to the point where the level of residual risk is considered acceptable (i.e. it is recognized that the risk of attack still exists, but it is estimated that the likelihood and consequence of an attack are acceptable to your business).
Identifying the Acceptable Risk Point
In the previous sections of this paper, we discussed the main principles to be applied in ensuring that a penetration test really makes you more secure. These were:
- The penetration test is risk focused, specifically targeting those assets that represent the greatest risk to the organization
- The penetration test is conducted in the same manner that a would-be attacker would use
- The penetration test is carried out by an ethical hacker who is at least as skilled as a future would-be attacker
Applying these principles to your organization will enable you to quickly determine the scope of the penetration test (what aspects of the IT infrastructure should be tested, what kinds of tests should be carried out) and also define an acceptable risk point. Quotations can then be obtained from suitably qualified testers to test to this point.
It is possible that the cost of testing as far as the ‘acceptable risk point’ will exceed your budget. In that case you will have to scale back the scope of the penetration test accordingly – with a clear set of priorities, so that even with the increased level of risk you remain in control and decide how to play the odds.