6 Ways to Get the Most out of Your Penetration Test
A penetration test is so much more than simply finding vulnerabilities. Why are you conducting a penetration test? What is the underlying business outcome you are hoping to achieve? You may want to find vulnerabilities to avoid getting breached, or maybe you need to give confidence to a customer who is considering using your organisation as one of their suppliers. Whatever the reason, it is important that you keep this in mind throughout the process.
Inform your consultant and explain the outcome you’re hoping to achieve. This will allow them to relate vulnerabilities to real-life business challenges you’re currently facing. Here are my 6 tips to consider in preparation for your penetration test.
1) Conduct a Vulnerability Scan
As a penetration tester, I always ask my clients to make our lives more difficult. When we're doing a penetration test, we love the challenge, and we love seeing stuff that's not commonly available. Conduct a vulnerability scan and fix those common issues, patch highly critical vulnerabilities and essentially get the obvious stuff out of the way before we even come in.
This will give you more value from the penetration test and allow the consultant to focus on the harder-to-find vulnerabilities: the manual work, the issues that scanners don't pick up.
That's what penetration testers love to do and that's what we want to focus on. We don't want to spend our time finding vulnerabilities that an automated tool could have found.
2) Take Advantage of the Consultant
The consultant that you hire will (hopefully) be an expert in their field. They are basically a hacker that you've hired to do this professionally, right? They should have a very good understanding of business level security and an intimate knowledge of the technical aspects. So, if you want to learn more about information security in general, it doesn't just have to be about the penetration test specifically, it can be about all things info-sec, just talk to them!
At Content Security our team of offensive consultants live and breathe information security. We love to talk about security, especially if we’re doing an internal penetration test and sitting right next to our client. We’re here to do a job, but we’re also here to have fun! (Penetration testing is legitimately fun for us!)
Don’t forget that penetration testers are essentially hackers – they’re just ethical too. They can absolutely show you some of the things that they see, some of the things that they do, and how they potentially got into your network, what exploits they used etc. The more you understand about how a hacker thinks, the better equipped you’ll be to handle the real cyber criminals.
3) Have Requirements a Week Prior to Starting
Most people assume this is common knowledge. Unfortunately, that's not the case, and it can really disrupt a penetration test if you don't provide all of these requirements to your consultant ahead of time.
Whatever the requirements are for your penetration test (it might be IP addresses, URLs to your web application, credentials for that web application, a network diagram, etc.), at a minimum they need to be available on the day the penetration test starts. At Content Security, we request these a week beforehand so that we can find any potential issues well before we begin testing.
These requirements are something you can work out with your consultant well ahead of time. During the kick-off meeting or an onboarding session for the project, you can work out the objectives as well as requirements.
4) Open the Scope Beyond what you're Testing
Sometimes we get penetration tests where our customers have completed a new project and need it tested. For example, they've created a new web application, or a new feature for that web application, and they restrict the scope to just that application. When I dig a little deeper and ask them:
"So, what are your goals for doing this penetration test?" (Again, going back to that first point.)
Client: "Well, we want to make sure that an attacker can't get into our database and steal our client information or steal our sensitive information."
Right? Like a common thing for attackers to do.
If that's the goal, if that's what you want to prevent, there's a good chance that an attacker is not going to go through the front door. A cyber-criminal is not going to use this new application to achieve that goal; they're going to go through a different server.
So yes, although there is a new piece of technology, or a new system that requires testing, it shouldn't be the only thing that is tested if your goal is to keep cyber criminals out.
If you think about the goals of your penetration test rather than what you want tested, it can open up your scope in a way that's beneficial for you, allowing the consultant to discover real vulnerabilities and real attack vectors that might not be discovered if you restricted the scope to one or two servers.
5) Action the Report
Again, this sounds obvious; however, it's not as simple as just following our recommendations. As penetration testers, we understand that it can be much harder than that. There can be restrictions like budget, expertise, time and availability, or maybe the vulnerability is in third-party software that you don't have access to.
Due to these restrictions, actioning the report is not always going to mean "just fix everything."
Instead, we may recommend smaller tasks to do in the meantime to reduce your risk until you can fix or patch certain vulnerabilities. Essentially at this stage, it is critical you work with your consultant to ensure you work through the findings of the report to achieve the objectives.
One of the most disheartening things for us to see is when we complete a penetration test for a customer, year after year, and we see the same vulnerabilities. It really makes us feel like we've failed and - to an extent - we did if the client still has the same vulnerabilities.
For this reason, at Content Security we offer a free re-test for vulnerabilities discovered in the external environment after we’ve allowed time for the customer to remediate. Funnily enough, when it comes to remediation, the most successful customers we see are software development firms. Most likely this is because they treat security vulnerabilities as bugs in their software. They will have a ticket assigned to each vulnerability and that ticket will be assigned to a team member with an SLA for them to fix it.
As part of that, they might reach out to us and request help or more detail about a particular vulnerability, but at least every action has an owner, and your consultant should always be happy to help.
6) Perceive the Penetration Test in a Positive Light
Finding vulnerabilities and issues within your ecosystem can often irritate the people responsible for that ecosystem. For this reason, it is important to approach the penetration test with the right mindset.
We're not saying that the work you did is bad, we're just saying you might've overlooked something. Everyone does, we're all human.
Ensure you find a consultant that will help you deliver the results in a positive light to your board, your developers, your system admins and any other stakeholders involved.
I guarantee you that if we found an issue in your organisation, we've found that same issue somewhere else at least ten times, so you're not the only ones. This is what I mean by keeping it positive: at least you're being proactive about it, and at least you know about the problems rather than burying your head in the sand!
- Conduct a vulnerability scan and make life as difficult as possible for the testers.
- Take advantage of the consultant because they are a human and they’re here to help.
- Be ready with your requirements at least one week before starting.
- Open the scope beyond what you're just testing.
- Action the report.
- Perceive the penetration test in a positive light.