PENETRATION TESTING – A SERIOUS BUSINESS

 
Wednesday, 20 June 2018


Quality guarding contractors, and efficient in-house security management teams, will be measuring the day-to-day effectiveness of their guarding teams through a range of different professional processes. These will include, for example, SLAs, daily occurrence reports, customer feedback questionnaires, regular meetings with operational personnel, and various other performance measurement tools, writes The Security Institute Chairman, Mike Bluestone. All of these combined measures will contribute to understanding just how effective a team really is. But there can be no doubt that another useful tool for highlighting any gaps in the operational procedures or guarding activities is carrying out what are frequently called ‘Penetration Tests’. Physical Penetration Tests are a proven method of identifying weaknesses and/or vulnerabilities in site operational procedures and Assignment Instructions. Such tests can also be beneficial in pointing out physical security and safety deficiencies. This could include, for example, highlighting the increased safety risks to a security officer who is deployed in guarding an open entrance, without the benefit of a physical barrier in support.

The methodology for actually implementing such tests can vary, but the success of such tests will depend first and foremost upon the care and professionalism with which they are carried out, and secondly, the imagination and innovation of those tasked to do the testing. One thing that should always be borne in mind, by both the testers and those being tested, is that such tests should never be about ‘finding fault’, or apportioning blame. Such tests (when carried out professionally) should be seen solely for what they are, namely an independent method of verifying the veracity of a system and the identification of any shortcomings. Indeed, it is not uncommon for the outcome of a test to show that there are no defects or shortcomings. Should such an outcome be termed a ‘failed test’? Not at all. A ‘failed’ penetration (which reveals no defects) is verification of both the effectiveness of the security team and the robustness of the operational procedures. It’s a ‘win-win’ all round. My contention is that even the ‘successful’ penetration of a secure environment is also a ‘win-win’ result. The reason is that it is surely far better to be made aware of a gap in security (which can then be corrected by the ‘good guys’) instead of allowing that gap to be exploited by an adversary.

The message is two-fold. Firstly, only use experienced professionals to carry out such tests, and secondly, educate and inform security teams of the true objectives of such tests, namely to identify weaknesses and enable their correction. After all, the final outcome will lead to the prevention of loss of assets, as well as the potential saving of life. Penetration testing is indeed a serious business.

Mike Bluestone MA FSyI MCMI is Director of Security Consulting at CIA Excel Group and the current Chairman of the Security Institute
