How to Get the Most Out of Your Penetration Test
Most security professionals agree on the value of conducting network penetration tests at least once a year. After all, with cybercrime exponentially on the rise, what organization wouldn’t want to identify their potential security vulnerabilities and gaps before the bad guys do?
However, with shrinking budgets and limited resources, many organizations can be hesitant to schedule a penetration test because of the realization that, once the test formally documents the holes in their environment, they won’t be able to dedicate adequate resources to fix them.
Below are some key points to consider if your organization is struggling to justify a penetration test:
What Immediate Value Does a Penetration Test Provide?
The most important function of a penetration test is not necessarily to find existing vulnerabilities, but rather to provide your organization with data to effectively manage and prioritize overall business risk.
Most organizations are running automated vulnerability scans to help identify potential vulnerabilities that exist in the network. Once these vulnerabilities show up on a scan though, how does the security team know which of the listed vulnerabilities to patch first?
Penetration testing will identify which of the vulnerabilities have greatest potential for impact so the organization can more effectively prioritize their resources. A penetration test will break down vulnerabilities into those that are easily exploitable, pinpoint specific areas of high risk, and identify which vulnerabilities are jeopardizing the organization’s most critical assets.
Penetration testers will also be able to determine the feasibility of different attack vectors, which then allows an organization to have more certainty when deciding where and when to allocate resources. By finding out what the biggest risks to your environment are, you can begin planning accordingly, determine what should be addressed now, and identify what should be added to the future security roadmap. Equipped with the evidence and details of what needs to be fixed first allows you to strategically build in remediation projects to your future budgets.
What is the Organization’s Ultimate Goal for Penetration Testing?
As you consider a potential penetration test, it is important to outline the goals for your organization and clearly identify the primary motivation for having the pen test performed. Below are some of the common reasons why organizations schedule a penetration test:
Identifying security vulnerabilities and gaps
Evaluating / improving security posture
Testing existing defense capabilities
Verifying network changes or new applications are not introducing vulnerabilities into your environment(s)
Meeting legal or regulatory compliance requirements (i.e. PCI DSS, HIPAA, etc.)
Justifying budget allocations for additional security expenses
Protecting customers and/or reputation
Limiting the damage or impact of a potential security incident
Understanding and clearly defining the purpose of the pen test will ensure that you are able to align the work with all of the other priorities and articulate the benefits in terms that are meaningful to the organization’s leadership team.
What Information should be Shared with Your Penetration Testing Team?
Before you get started, have an open planning discussion with the penetration testing team to help them understand your goals and your environment. Identify any high risk and high value systems or applications within your organization that really must be protected from unauthorized access (i.e. protected health information, research data, etc.). Also make sure they know about any network segments or systems that are outdated or haven’t been reviewed in years.
Pointing out high-value targets or those where, if breached, the financial or reputational impact would be high, helps the penetration testing team understand where best to focus time and effort, and how to strategically approach the engagement. Typically, a pen test team will block a set amount of time or days to conduct their testing. If the testers know these critical environments going in, it will help them focus their attempts on accessing these systems or identifying lateral movements that may gain them access to those identified networks. Sharing details about your environments may seem like you are “giving away information”, but this actually allows the team to more quickly familiarize themselves with your organization and then focus the bulk of their time using their expertise to maximize the value of the engagement for you.
How will the Findings be Reported?
The final report should detail not only the technical implications of any vulnerabilities found, but also what the business implications would be if a known vulnerability was exploited by the wrong party.
For example, if the report is going to be shared with the executive team or board, what is the message you want them to hear and how can you get the most impact out of the test? The board will not be as interested in knowing a security header is outdated, but rather will want to understand what internal systems this finding affects or the potential number of sensitive records that could be compromised in the event this vulnerability is exploited.
The report recommendations should also include both technical and operational changes that can be made to help remediate the issue. For example, implementing an email data loss prevention tool might be recommended, but mandating employee training or providing password management tools to employees can also help shore up your defenses. The report will equip your organization and teams with smart, actionable security measures that can be implemented.
The report may include kudos for your security team. If your team was alerted to one of the attack methods in use by the testers or Help Desk employees reported the unusual traffic, this should be documented within the report details. Being able to demonstrate that recent security investments are effective and are making a difference against real-world attacks is invaluable. The penetration test can provide evidence to support increased security investments or to confirm the value of the tools currently in use.
A quality penetration test will not only show you the weaknesses within your environments or internal processes, but also identify where your security teams excel. Vulnerabilities will be categorized into low, medium, high, and critical risks, and help you develop a logical strategy and timeline for remediation. Sensitive information that falls into the wrong hands can be extremely damaging. A penetration test will help your teams be more aware of possible attack vectors, strategically prioritize budgets and resources, and assess the potential impact of a breach. Rather than waiting for a compromise to identify a weakness, a penetration test will determine how well your organization is prepared if, or when, you suffer an attack.
Some additional guidance from CampusGuard’s Offensive Security Team:
[Wheeler]: Vulnerability scanning may identify vulnerabilities present on systems or within the environment, but those scanners are only going to find what they are programmed to look for. Experienced penetration testers are going to look under every stone, in every dark corner, and try to link pieces of information together to see if there is additional risk that an automated scanner could not find. They are going to pull at the threads, and make decisions based on their knowledge and experience, similar to the old “Choose Your Own Adventure” books.
Another way to gauge whether you are getting a quality penetration test is to question how much of the test is relying on automated tooling. Automation is great, but its purpose should be so the penetration testers can focus their efforts on those tasks and testing techniques that require closer attention, not to lower the cost of a penetration test. Question how much experience the penetration testers have. How do they keep their skills sharp? Asking these questions will help you to get the most out of your penetration test.