If I had a Dollar – penetration testing and security myths from Steve Darrall, Securus Global Practice Manager

May 22, 2012

If I had a dollar…..part 1 of (well, who knows?)

This post will be the first in a series from Securus Global where we dispel a few information security myths that we hear on an all too regular basis, to the point that if we were paid every time we heard them we’d be sunning ourselves on a quiet Pacific island. :-)

No doubt, you’ve heard most of these yourselves and may wonder if you’re alone. You’re not.

So without further ado, here’s our first installment…

“Once security testing is complete, we’ll put it into production”. In our experience this isn’t the best project-management approach to take. Any project should allow time for remediation and retesting to take place after the test. Security testing shouldn’t be seen as a tick in the box on your project schedule.

“Please take issues X, Y and Z out of the report”. The outcome of security testing isn’t always very palatable to a project. While some issues may not give the project a ‘good look’, the outcome of security testing should provide a ‘warts and all’ overview of a project’s security posture so that risks can be managed appropriately.

“But we use SSL”. SSL provides transport-layer security between two endpoints, and only as long as it’s correctly configured (certificates actually verified, hostnames checked, weak protocol versions disabled). Once data leaves the SSL tunnel it is decrypted and no longer protected by it, so an application-layer issue such as injection or broken authorisation is just as exploitable over SSL as without it. The use of SSL does not by itself resolve security issues and, indeed, comes with many of its own.
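The “as long as it’s correctly configured” caveat is where most “we use SSL” claims fall down, so here is an added example (not code from the original post) that audits a Python `ssl.SSLContext` for the usual mistakes: certificate verification switched off, hostname checking disabled, and old protocol versions still allowed. The audit function, the finding strings and the “TLS 1.2 or better” threshold are this example’s own choices, not anything Securus Global published.

```python
import ssl
import warnings


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for a client SSLContext.

    An empty list means the context actually gives you authenticated,
    modern transport security rather than just "encryption to whoever answers".
    """
    findings = []
    # CERT_NONE means any certificate (self-signed, attacker-issued) is accepted,
    # which reduces SSL to encryption with no idea who is on the other end.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    # A valid certificate for the wrong host is still the wrong host.
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    # TLSVersion is an IntEnum, so ordering comparisons work as expected.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2"
        )
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The 'but we use SSL' anti-pattern: data is encrypted on the wire,
    but the client will happily talk to an impersonator."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    with warnings.catch_warnings():
        # Newer Pythons warn that TLS 1.0 is deprecated; that is exactly the point.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A correctly configured client: system CA store, certificate and hostname
    verification on, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

Run the module directly to see the three findings for the weak context and none for the hardened one. Even a context that passes this audit only protects the hop between the two endpoints: anything the server does with the decrypted request is outside SSL’s remit.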

“We’re safe, we use Macs”. There was once a time when the number of reported security issues in operating systems on Apple hardware was somewhat lower than in certain other nameless operating systems. This was more a consequence of a lack of research being performed against them than of the operating system being inherently more secure than others.

“I’ve got extensive penetration testing experience, just look at my certifications”. As somebody who reviews security consultant CVs on an all too regular basis, this is one of my favourite myths. It can be easily dispelled with a formula: certifications!=competence.

“We’ll accept the risk”. This is something that project teams will often say. What they sometimes fail to understand is that a project may find the risk profile of a particular issue palatable to accept only because its main concern is that the project isn’t delayed. However, risk treatment is something that should be assessed by the wider business, not by an individual project.

“We adopt a defence in depth strategy”. Too often this means several weak controls stacked on top of each other. The easiest analogy we can use to dispel the myth: ten skinny guys who can’t fight, lined up in front of Mike Tyson, won’t take him out as he works through them one at a time. Defence in depth means putting ten well-built people in front of Mike so that he is worn out and moves on to an easier target. Each layer has to be able to hold on its own.

“We don’t have anything that would interest a hacker”. An organisation shouldn’t assume it needs to hold something an attacker wants to steal in order to be a target. A business needs to assess what other damage, aside from theft of information, could be caused if it were attacked successfully: brand and reputational damage, for instance.

“That issue won’t be a problem in the real world because the bad guys won’t find it like you [Securus Global] did”. Because of compressed project timeframes, there are often times during security testing when we need to be given more information than would be immediately available to a malicious hacker. This doesn’t mean the hacker couldn’t obtain that information; it would just take them a while longer to find it. Never assume anything.

“Operating system X is better than operating system Y”. As we alluded to above with reference to Apple operating systems, there is a software platform for every function, but there is very rarely a one-size-fits-all approach. Some may say that Holden cars are “better” than Ford cars, but this generalisation isn’t going to be correct in all cases.

When we started looking at security myths, we realised we could write a book on them. They’re interesting, so, as mentioned, we’ll add new ones every month.

Since you’re at the coalface yourself, we’d love to hear about the ones you encounter that give you a laugh, or a cringe. :-) Until next month.
