Is Penetration Testing Worth It
vikasraina
Yes and Nos of Penetration Testing
Vikas Raina©
Security Expert Advisory Council©

Is Penetration testing worth it?

Scope: Come on, let's be practical and do a real pen test.

There are security experts generally who insist penetration testing is essential for network security, and you have no hope of being secure unless you do it regularly. And there are contrarian security experts who tell you penetration testing is a waste of time; you might as well throw your money away. Both of these views are wrong. The reality of penetration testing is more complicated and nuanced.

Penetration testing is a broad term. It might mean breaking into a network to demonstrate you can. It might mean trying to break into a network to document vulnerabilities. It might involve a remote attack, physical penetration of a data center or social engineering attacks. It might use commercial or proprietary vulnerability scanning tools, or rely on skilled white-hat hackers. It might just evaluate software version numbers and patch levels, and make inferences about vulnerabilities. It's going to be expensive, and you'll get a thick report when the testing is done. Tools and the right people play a major role, because management wants to see what is really bad for the business.

And that's the real problem. You really don't want a thick report documenting all the ways your network is insecure. You don't have the budget to fix them all, so the document will sit around waiting to make someone look bad. Or, even worse, it'll be discovered in a breach lawsuit. Do you really want an opposing attorney to ask you to explain why you paid to document the security holes in your network, and then didn't fix them? Probably the safest thing you can do with the report, after you read it, is shred it. Given enough time and money, a pen test will find vulnerabilities; there's no point in proving it. And if you're not going to fix all the uncovered vulnerabilities, there's no point uncovering them. But there is a way to do penetration testing usefully.
For years I've been saying security consists of protection, detection and response, and you need all three to have good security. Before you can do a good job with any of these, you have to assess your security. And done right, penetration testing is a key component of a security assessment. I like to restrict penetration testing to the most commonly exploited critical vulnerabilities, like those found on the SANS Top 20 list. If you have any of those vulnerabilities, you really need to fix them.

If you think about it, penetration testing is an odd business. Is there an analogue to it anywhere else in security? Sure, militaries run these exercises all the time, but how about in business? Do we hire burglars to try to break into our warehouses? Do we attempt to commit fraud against ourselves? No, we don't. Penetration testing has become big business because systems are so complicated and poorly understood. We know about burglars and kidnapping and fraud, but we don't know about computer criminals. We don't know what's dangerous today, and what will be dangerous tomorrow. So we hire penetration testers in the belief they can explain it.

There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable.
Moral: Now, go do something useful about it. For example, the security team behind Google's mobile platform, Android, has tried to raise its profile among security researchers by appealing for their vigilance in monitoring the platform. Do a real check.

Thanks

Vikas Raina
Sr Leader and Security Expert
Domain: Corporate Information Security and Digital Forensic Investigation
Certifications: CISSP®, CCSP®, CCNP®, C|EH, ITIL, PRINCE-2©, DFCA©

"Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard."