Should I Get a Penetration Test?

“Should I get a penetration test?”

I get asked this question from time to time. My answer is normally a resounding NO!

What is a Pen Test?: Before I explain further, perhaps you want to know what a penetration test is. Well, it’s typically a simulated cyber-attack executed on your network by a cyber security company you’ve hired. The intent is to find vulnerable computers and then exploit them, like a malicious attacker would do, but in a controlled environment. Sounds great, right? Not so fast.

Remember Defense in Depth?: In a recent Cyber Tripwire, we introduced the idea of Defense in Depth (DiD). We described the concept and how you can significantly reduce your risk by building some simple walls around your “castle of Gondor.” The walls are built around your network by applying “controls.” Using 2-factor authentication and setting your computer’s firewall are examples of technical controls. Declaring in a written document that all your employees will use a 16-character password is an example of an administrative control. Putting locks on your doors and installing motion sensors are examples of physical controls.

A Physical Security Example: Imagine your business is located in East St Louis where crime is rampant. Would you fail to install door locks? Of course you’d install door locks. And a steel gate you close at the end of the day. And maybe a few Dobermans running loose inside at night. And . . .  well you see my point. It’s easy to understand the value of physical controls in the real world. The administrative and technical controls are a little nebulous.

Foundational Controls: According to the Center for Internet Security (CIS), there are some foundational controls and other best practices every small business and home user should implement. CIS provides a spectacular document that even prioritizes the list for you. The problem is, most small business owners don’t know about it, and if they do know about it, they haven’t implemented the most basic controls. If your business does not have these basic, proper controls in place, there is no sense in doing penetration testing.

The List: According to CIS, the first 6 controls are the basics:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

So Where is Pen Testing?: So where does penetration testing fit in the CIS framework? Out of 20 main controls, it is number 20. Ideally, you start at number 1 and work your way down to number 20. See, penetration tests (the good ones) are really, really expensive. So, if you don’t implement the other 19 controls, a pentest is going to identify the 19 controls you didn’t implement. But if you didn’t implement them, then you already have a good idea what the pentest results will be.

No Standard: Also, there is no body of governing standards to oversee penetration testing. Any company can do a penetration test for you without any special certification. It’s the wild west out there. So you may pay for a pentest and end up with nothing more than a vulnerability scan of your network.

Recommendation: My recommendation is that you focus on actually DOING security first. Get the basics in place. Leave penetration testing for something to consider down the road.