Paul Asadoorian has summed it up quite nicely in EP 373 of the Security Weekly Podcast.
A good pentest not only answers the question “can my controls be breached?” but also the following questions:
- How can I be breached?
- How much damage to my business can a breach do?
- Where am I most likely to be breached given my current defenses?
- What can an attacker do once he has breached one system?
- Do I have capabilities to detect a breach?
- How long will it take me to detect the breach?
- How well will people in my organization react to a breach or someone trying to breach one of my systems?
I wanted to write those questions down, for you and for me, because they may come in handy the next time the argument over what makes a pentest good or bad comes up.