What should we think about Penetration Tests?

Submitted by webmaster on Mon, 05/31/2021 - 15:41
Cyber traditional approach

 

What are penetration tests?

 

As the name indicates, a penetration test consists of an organization making a number of controlled attempts to intrude into its own information and communication system.

The objective of these tests is to detect flaws and weak points in order to evaluate the system's level of protection and resilience.

 

Limitations of this approach

 

These tests are conducted on a system in production, which means that:

  • the tests themselves present a significant risk to that system,

  • destructive tests (denial of service, data-altering actions) are normally excluded by the rules of engagement,

  • the tests that are conducted are most often based on known, documented cases,

  • they focus on access to systems, databases and the network, and only sometimes on application software,

  • they must be repeated and kept up to date, in principle for every addition to or modification of any system component.

 

In other words, these tests carry a risk of disruption and do not allow a fully reliable evaluation.

While not useless, they introduce real and significant additional risks:

  • they call on external hacking experts (penetration testers), to avoid biasing the tests and to get as close as possible to real attack conditions,

  • which means you communicate strategic, sensitive and confidential information to third parties,

  • and you take the risk of paying your future attacker to learn about, test and harm your systems. A commercial or contractual agreement with a company cannot protect you against the individual behaviour of a malicious person.

In other words, you add high risks, and you pay for them.

What should be done?

 

As early as June 2017, Gartner published a report on the value of using simulation tools in cyber security.

The announcement of its strategic approach to cybersecurity, CARTA (Continuous Adaptive Risk and Trust Assessment), suggests that using a cyber range as a hardening tool for IT infrastructure will become a requirement for most organisations.

 

The problem is that this new approach is difficult and costly to implement: it requires investment in highly specialized and rare tools and skills, and the whole simulated system must be kept constantly up to date as the real one evolves.

For small and medium-sized organizations this is unrealistic in practice, and even large organizations struggle with it, for lack of skills and for economic reasons.

 

This is why ERALYS has built a "Service As A Solution" cyber services platform.

ERALYS has built a "Cyber Security Test Platform" covering a wider range of typical fields, operated through a tool called SIMOC (SIMulation Operation Control).

With SIMOC:

  • operations are carried out on an accurate replica of your system, which allows any test, including destructive ones, without touching production; the results are only as valid as the replica is faithful to production, so it must be kept in step with it,

  • you keep control of your strategic information yourself and keep it confidential,

  • you avoid capital investment and reduce operating costs,

  • you benefit, where needed, from customized assistance by Eralys' specialist teams, who keep the platform monitored and its tools up to date for you.