There are a number of security benefits that can be gleaned from threat monitoring, automated vulnerability scanning and stringent security policies. However, penetration testing can be a useful asset in identifying exploitable security vulnerabilities and real threats facing your organisation. Penetration testing can become a key feature in assessing your business resilience, but the necessary steps should be taken to ensure that this testing is appropriate, relevant and can offer real value. Without clarity, preparation and scoping, a business may not get the full value from its testing, regardless of the price tag. These steps are easily overlooked, and skipping them can leave security weaknesses undiscovered because of a restricted scope or inadequate resources for testing.
This post will look to outline some of the key steps to consider when arranging a penetration test and maximising the value, both economically and security-wise, from the exercise.
Tip 1: Identify the main drivers behind conducting the penetration test
The main drivers and purpose behind the necessity to carry out the testing should be appropriately evaluated. This step is fundamental in establishing why you require security testing and what you intend to learn from the exercise. It is these criteria that should be referred to during the planning and scoping phases later on to ensure that all testing satisfies your initial requirements.
The most common drivers and reasons for conducting penetration tests are:
- Identifying security weaknesses within a given application or infrastructure
- Changes to IT applications or infrastructure within the existing business
- To reduce the frequency and impact of security incidents or to ascertain your security posture due to a new, perceived threat to the organisation
- To comply with legal and regulatory requirements such as PCI DSS and ISO
- To provide assurance to customers, suppliers and third parties that applications can be trusted
- To assess outsourced services to ensure that they do not introduce security threats that could pose a risk to your own organisation
No matter the reasons behind requiring a penetration test, both the scope and environment under test should always reflect your requirements and goals.
Tip 2: Identify the systems or environments for testing
It is imperative that the environments, systems and infrastructure that align to the penetration test’s purpose and drivers are identified. That way, once scoping and pre-arrangements are initiated, there is a clear, comprehensive outline of all targets that should be included in the testing scope to fulfil the overall goal of the test.
The most common choices for target environments or systems are critical web applications, critical parts of infrastructure (e.g. data centres or corporate networks), external-facing infrastructure and specialised equipment such as corporate mobile devices.
Tip 3: Select a suitable supplier
Once the purpose and systems for testing have been established, an external provider of penetration testing services should be selected to meet your requirements at the right price. This supplier should have a solid reputation, deliver high quality services, provide highly competent testers and have strong professional accreditations such as CREST.
You can then work closely with this supplier to establish a strong, trusted relationship, from which you can expect the following:
- A strong understanding of your requirements and the environments under test, and clear communication of the pre-arrangements needed to deliver the testing engagement
- An understanding of how you work, which in turn means that they will be able to provide better value and insight. This benefit is greatest in an established relationship, as current test findings can be balanced against previous engagements to provide a clear depiction of the security improvements made over time
- Direct access to the Penetration Tester, who can liaise with your teams to ensure open dialogue and communication
- Continued communication and support following a penetration test to help you implement the required remediation actions
Tip 4: Avoid arranging a penetration test at the last minute
This tip applies to the initial penetration test as well as the re-test. Sufficient time should always be allowed for the two aforementioned tips, for legal or business approval of the test before it starts, for scoping, and for ensuring that factors such as access, documentation and resources are in place.
In regard to re-tests, steps should always be taken to ensure that mitigation and remediation actions have been implemented. This will mean that the most benefit will be drawn from the re-test as it will focus on validating the fixes rather than simply re-testing the same, unresolved security issues again.
Tip 5: Open communication throughout scoping
The scoping process should be heavily invested in to ensure that it appropriately reflects your organisation’s needs. The scoping process should entail two-way communication between the testing team and yourselves to agree a testing plan, required resources, testing pre-requisites, access and the type of testing required. In addition, it is imperative that any testing constraints, whether legal, operational or otherwise, are outlined to ensure that these are not violated during the engagement.
The scope will also include a description of the systems, networks or environments under test. If the aforementioned items are not comprehensively agreed upon or outlined then this could lead to the test not focusing on critical infrastructure or having insufficient resources allocated for it.
Furthermore, following the agreed requirements outlined in the scope, the necessary documentation and information should be made available to the testing team prior to the beginning of the engagement to ensure they are equipped with the correct knowledge to deliver a smooth, thorough test.
The above factors should be informed by the planning carried out before the test is arranged, which identifies both the purpose of the test and the systems that require testing to satisfy this purpose.
Tip 6: Allow access to application developers before and during the test
Following on from the last tip, much more value and information can be gleaned during the scoping process and the testing engagement itself when the application developers are included in these discussions. This facilitates detailed dialogue that can be invaluable in ascertaining an application’s core functionality and the requirements for testing it when scoping and establishing pre-requisites before the engagement. In addition, when security vulnerabilities are identified during or after the penetration test, involving developers in communications can avoid the risk of misunderstandings and delays in the necessary remediation steps being taken to resolve a given issue.
This open dialogue between all parties ensures that any key questions, unexpected hurdles or the identification of critical security vulnerabilities can be easily communicated and rectified throughout the engagement in a timely manner.
Tip 7: Remediate security issues identified during the penetration test
Whilst a penetration test can inform you of the current security posture of your chosen infrastructure, this knowledge bears no fruit if the necessary mitigation steps are not taken. Remediation should be conducted prior to a re-test so that the newly implemented changes can be tested to ascertain whether they have fixed the identified issues and to check whether they have introduced any new security vulnerabilities.
The remediation process should always be carried out by an appropriately qualified and experienced security professional. This process should consist of the following:
- Determine which weakness to address first. This should be done following the evaluation of the business impacts and exposure pertaining to each identified issue
- Report weaknesses to relevant third-party organisations, if required
- Apply the appropriate security fixes such as patching, closing ports, etc.
- Identify the lessons learned and feed these into the longer-term, enterprise-wide security strategies and practices
- Agree a re-test to ensure that the implemented changes have fixed the relevant risks
In summary, when penetration tests are planned properly, delivered correctly and reported clearly, you can discover security shortfalls and weaknesses and receive support in how to remediate these. This comes with the benefits of reduced security costs in the long-term and also improvements in security robustness and confidence in your implemented infrastructure moving forward.
What makes our Pen Testers different?
Complete security cannot be achieved through an entirely automated process. It requires a team that has the knowledge of every technical aspect of cyber security and an understanding of how people behave in real life. It is these skills, along with their ingenuity, that set our Pen Testers apart from our competitors.
Talking to you directly, with no account manager in between, our team can tailor services to your specific needs and work together or individually to help boost your defences. Working as a team, our Pen Testers can prepare for every eventuality, providing a strong and rigorous pen testing service and achieving results quickly and efficiently.