Security: How to get the best value from penetration testing
Nov 2, 2017
The CIOs on the CIOCAN/TELUS Executive Advisory Board raised some very interesting questions when we sat down recently to talk all things cybersecurity. One key question up for discussion was whether organizations should consider penetration testing (pen testing), or so-called ‘ethical hacking.’ My response: Yes and No.
Why No? 100% chance of success
In my 20 years of working on security, the most important lesson I have learned about pen testing is that it is often employed at the wrong time and for the wrong reasons. Today, we understand that the software that makes up our critical networks and systems contains vulnerabilities that can be exploited.
Based on this shared understanding, I asked the CIOs at the meeting to estimate the success rate of a pen test against a network with known, unpatched vulnerabilities - and they got it right immediately: 100%. There isn’t a network anywhere with unpatched, exploitable vulnerabilities that can’t be compromised. So, for many companies, paying for a pen test simply proves this fact yet again.
A better strategy is to start with hygiene: use asset discovery and vulnerability management tools to identify what is actually on the network, scan those assets for the vulnerabilities we already know about, and put in place a patching program that keeps them current and measures how long fixes take to land. Once those practices are in place, a pen test that looks for the other ways in (chained weaknesses, logic flaws, misconfigurations that a scanner cannot see) can be of great value, because it is no longer spending its budget rediscovering missing patches.
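To make the hygiene step concrete, here is an added example (not code from the original post or from TELUS) of the core check such a program runs: compare an asset inventory against the fixed versions published in vulnerability advisories, rank what is still unpatched by severity and exposure, and flag products the advisory feed does not cover at all. The hosts, product names, versions and ADV-EXAMPLE-* identifiers are all constructed placeholders, not real products or advisories.

```python
"""Patch-hygiene check: compare an asset inventory with the fixed versions
published in vulnerability advisories and list what is still exposed.

Everything below (hosts, product names, advisory IDs, versions) is constructed
for illustration; the ADV-EXAMPLE-* identifiers are placeholders, not real
advisories.
"""
from typing import Dict, List

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into a tuple that compares numerically, so that 2.4.10
    sorts after 2.4.9 and 12.10 after 12.2 (a plain string compare gets
    both wrong). Non-numeric components sort after numeric ones."""
    parts = []
    for part in version.split("."):
        parts.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(parts)


# Constructed advisory feed: product -> advisories with the first fixed version.
ADVISORIES: Dict[str, List[dict]] = {
    "example-webserver":   [{"id": "ADV-EXAMPLE-001", "fixed_in": "2.4.10", "severity": "high"}],
    "example-vpn-gateway": [{"id": "ADV-EXAMPLE-002", "fixed_in": "9.1.3",  "severity": "critical"}],
    "example-db":          [{"id": "ADV-EXAMPLE-003", "fixed_in": "12.2",   "severity": "medium"}],
}

# Constructed asset inventory, shaped like an asset-discovery tool's export.
INVENTORY: List[dict] = [
    {"host": "web-01",    "product": "example-webserver",   "version": "2.4.9",  "internet_exposed": True},
    {"host": "web-02",    "product": "example-webserver",   "version": "2.4.10", "internet_exposed": True},
    {"host": "vpn-01",    "product": "example-vpn-gateway", "version": "9.1.2",  "internet_exposed": True},
    {"host": "db-01",     "product": "example-db",          "version": "12.10",  "internet_exposed": False},
    {"host": "db-02",     "product": "example-db",          "version": "12.1.5", "internet_exposed": False},
    {"host": "legacy-01", "product": "unknown-appliance",   "version": "1.0",    "internet_exposed": True},
]


def find_unpatched(inventory: List[dict], advisories: Dict[str, List[dict]]) -> List[dict]:
    """Return one finding per (asset, advisory) where the installed version is
    older than the version that fixes the advisory."""
    findings = []
    for asset in inventory:
        for adv in advisories.get(asset["product"], []):
            if parse_version(asset["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "host": asset["host"],
                    "product": asset["product"],
                    "installed": asset["version"],
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "internet_exposed": asset["internet_exposed"],
                })
    return findings


def prioritize(findings: List[dict]) -> List[dict]:
    """Order findings the way a hygiene program would work them: highest
    severity first, and within a severity internet-exposed hosts before
    internal ones."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), not f["internet_exposed"], f["host"]),
    )


def uncovered_products(inventory: List[dict], advisories: Dict[str, List[dict]]) -> List[str]:
    """Products in the inventory that no advisory source covers. These are
    blind spots: the check above says nothing about them, so they need a
    feed or a manual review before the program can claim full coverage."""
    return sorted({a["product"] for a in inventory if a["product"] not in advisories})


if __name__ == "__main__":
    for f in prioritize(find_unpatched(INVENTORY, ADVISORIES)):
        exposure = "INTERNET" if f["internet_exposed"] else "internal"
        print(f"{f['severity']:>8} {exposure:>8} {f['host']:<10} {f['product']} "
              f"{f['installed']} -> {f['fixed_in']} ({f['advisory']})")
    for p in uncovered_products(INVENTORY, ADVISORIES):
        print(f"no advisory coverage: {p}")
```

Two details carry most of the value. The version comparison is numeric per component, so `12.10` is correctly treated as newer than `12.2`; a string comparison would mark a patched host as vulnerable and, worse, a vulnerable `2.4.9` as newer than `2.4.10`. And the uncovered-products list is reported alongside the findings, because an asset the feed knows nothing about is exactly the kind of host a pen tester ends up walking through.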
Why Yes? Best practices for penetration testing
If you need to get your organization’s attention, a pen test can be worthwhile. An experienced and credible third-party tester can document the existence of vulnerabilities and provide recommendations, which helps you secure the support required to get on track to better cyber hygiene. However, if no follow-up action is taken on the findings, there is no return on investment.
Here at TELUS, we focus on Secure-by-Design. We test as we develop, making sure we find holes and plug them before we deliver solutions to our customers. Pen testing performs a valuable function in this process and avoids the cost of bolting on security later.
Even with the Secure-by-Design approach, many companies engage in regular pen testing so that older applications and systems holding critical private customer data are checked on a schedule, with the aim of finding the gaps before the hackers do. Even then, breaches can happen and you always have to be prepared.
How can TELUS help you?
There’s no question that cybersecurity risks are increasing in frequency, severity and sophistication. That’s why, as TELUS deploys more high speed fibre optic capabilities across Canada, we are being more vigilant than ever. We’re applying our in-house security expertise to monitor potential attacks on our customers’ homes, offices and IoT networks, ensuring that we and our customers have the capabilities to prevent attacks and to remediate them if they do occur.
Learn more about security solutions to protect your business.