Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

What is the Right Pentest Frequency?

September 17, 2014

We are frequently asked this question by our clients and friends. Fortunately, ZDNet has a good post to help answer the question. Besides the answer (it depends), there is good material explaining what a penetration test is and how it is misunderstood by most businesses.

The short answer is that, unless penetration testing is required by law or regulation (e.g. PCI DSS), too many businesses perform the test only AFTER a data breach has occurred. At that point the pentest is part of the damage control effort, trying to determine what happened and how the bad guys got your data. Another problem is the mentality that there is a “one size fits all” strategy and that a single pentest will solve all your problems and uncover how someone gained unauthorized access.

Penetration testing is more than just firing up a piece of software, checking a few boxes and letting it rip. Effective pentesting includes emulating how a hacker would attempt to compromise your environment and gain access to the company’s crown jewels. This includes attempting to get employees to click on something they shouldn’t or to give up login credentials through social engineering. Attacking vulnerable home systems of key employees is also in scope.

At the end of the day, there is no silver bullet or simple answer as to how often you should perform a penetration test. The key elements are to assess your risk and value of data in addition to staying up to date with the latest threats. If you are not qualified to make these determinations internally, make sure you get some help.
