Five Penetration Testing Challenges that Should Concern Organizations
By Divyansh Arora, ERMProtect IT Security Consultant
Penetration tests of an organization’s IT infrastructure can be invaluable. They help organizations bolster their cybersecurity posture and gain deep insights into how “open” their infrastructure is to attackers. Penetration tests also help organizations comply with various applicable regulatory requirements.
Since penetration testing is so “mainstream” today, it becomes easy to overlook some of the critical challenges that they pose. These challenges, if not managed correctly, can leave your organization vulnerable to attack, cause unneeded expense, and minimize the value of your cybersecurity spending.
Having performed thousands of penetration tests for clients since 1998, we’ve seen penetration testing evolve over the years. Unfortunately, the challenges have evolved with them, too. Let’s dive into a few of these so your organization understands how to avoid getting tripped up the next time you contract for penetration testing services.
Challenge #1 – False Positives
It is all too common these days for penetration testing companies to run an automated tool against a client’s IT infrastructure and provide the results in the form of an adapted report. These automated tools have some benefits, such as the speed of scanning and updated signatures for the latest vulnerabilities. But their big downside is that they will throw off several false positives. You might think this isn’t your problem. Well, it is. As a CISO/CIO, imagine handing two of your technical resources the penetration testing report with instructions to fix the vulnerabilities that were identified. They could spend a couple of weeks attempting to fix these “issues” only to find out that they were false positives. That’s time and resources down the drain. A good penetration testing company will use both manual and automated tests and know how to weed out or minimize false positives.
Challenge #2 – “Go Easy”
Understandably, several client organizations are concerned about disruptions in their IT infrastructure. As a result, they may expect the penetration testers to “go easy” on their infrastructure and not “break anything.” On the other hand, though, think about how real hackers would hit your organization. Would they hold back? And herein lies the challenge. When you are performing a penetration test on your infrastructure, your goal is to identify how easy or difficult it is for a real hacker to get in. This should include testing how easy it is to bring down your infrastructure since that’s exactly what happens during a denial-of-service attack. The good news is that there is a middle ground here. Organizations can set up test infrastructures that can then be tested in a “no holds barred” manner. That way your production infrastructure remains untouched. The bad news, though, brings us to our next challenge.
Challenge #3 – Lack of a Test Environment
Not all organizations will be able to set up a test environment that mirrors the production environment. A mirrored test environment requires organizations to spend some time, money, and resources upfront. While mirroring entire infrastructures can indeed be challenging, individual web applications, databases, or other such individual infrastructure elements can be mirrored into a test environment without a significant investment. And this is definitely something that organizations should look to do. You will get a much more comprehensive test of your infrastructure. And you will know exactly how well your infrastructure will be able to withstand a real-world hacker attack. A good penetration testing company will provide guidance on this task.
Challenge #4 – Limited Test Accounts
Web application penetration tests often involve client organizations providing us with test user accounts. These test accounts are important as they help penetration testers like us perform a deep-dive test of the inner workings of the web application. However, it’s also important that we test using multiple test accounts with varying privilege levels so that privilege escalation attacks across accounts can also be tested. Unfortunately, organizations sometimes provide only one test account, and this can result in a suboptimal test. This is low-hanging fruit, and we highly recommend that your organization provide more than one test account to your penetration testers.
Challenge #5 – Limiting the Scope
Modern times have brought modern technologies with them. Today, everything from cars and pacemakers to cameras and printers is connected to the Internet. These IoT devices often have very poor cybersecurity controls, serving as perfect entry points for hackers. We always recommend that penetration testing include all devices and IP addresses that can connect to the Internet. Security is only as strong as your weakest link. Limiting the scope of your penetration tests to leave out such devices could leave you with a false sense of security.
Conclusion
Remember, it isn’t enough to perform periodic penetration tests. The way they are conducted is equally important. To get bring value to your cybersecurity efforts, work closely with your penetration testing company to ensure that the challenges addressed in this article are addressed.
To learn about our penetration testing services, please contact Silka Gonzalez at [email protected] or call 305.447.6750.
Divyansh Arora is an Information Security Consultant at ERMProtect Cybersecurity Solutions where he performs vulnerability assessment and penetration testing, along with PCI DSS assessments for various clients across the globe. He holds a master’s degree in Information Technology – Information Security from Carnegie Mellon University.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights