Blocking Your Penetration Tester is a Bad Idea

What’s wrong with blocking your penetration tester?

You’ve invested in technologies that prevent the bad guys from scanning your site and finding problems that they might be able to exploit. To be sure things are working, you commission a penetration test and ask the penetration tester to see if the defences can be defeated. To achieve this, you leave those defences switched on and let them block the penetration tester.

Surely this is a great way to build confidence that your cyber security investment is delivering benefits for you. That’s common sense, right?

Wrong. Blocking your penetration tester is a terrible idea. Here’s why.

It violates the Defence in Depth principle

Systems that detect and block attacks are fine – but they’re only the outer layer of defence. Do you really want to base your entire security understanding upon the performance of a single component?

Defence in Depth is a cornerstone information security principle. Ignoring it is a pretty risky approach.

It tests the tester, not the target

If a penetration tester has to spend time trying to avoid detection, then testing slows down considerably and the tester will have to work harder in order to evaluate vulnerabilities. Time is also limited, so at the end of the test – what have you learned about the security of your infrastructure?

You’ve probably learned that your data might be safe from a casual, external attacker who is unmotivated and gives up after a short time.

Not very reassuring, is it?

It does not simulate a real-world attack

In the real world, an attacker has time. Lots of time. During that time, he can employ any number of tactics to slowly evaluate you. For example, he may also employ social engineering tactics in order to obtain credentials from one of your staff.

Also – here’s the kicker – he may already have access to your network, completely out of range of your IDS or blocking system.

All in all, blocking your penetration tester means wasting time and money, and failing to deliver the kind of actionable information needed to assess the risks to your organisation and data assets.

Do yourself a favour – white-list your penetration tester and let the dog see the rabbit!
