How To Take The Headache Out of Penetration Tests

By Alexander Hernandez, ERMProtect IT Security Consultant Manager

Whether you perform a penetration test because a regulation requires it or because you want to be proactive about security, penetration tests bring enormous value to any organization. The question is how to make the engagement easy and effective for the organization.

Following are some key activities that can take the headache out of penetration tests.

Before the Penetration Test

The first step in a penetration test is an introductory meeting to set the customer's objectives and discuss any concerns. These objectives guide the creation of the “Rules of Engagement” document, which details the approach and sets the expectations for both sides.

At this time, the following actions occur:

  • The consultants are introduced to the customer: It’s important to establish a rapport between the customer and the consultant to gain trust and set an open line of communication.
  • The list of requirements is reviewed: Depending on the objectives and what is to be tested (the scope), a customized list of requirements is created for the customer to review. This includes information such as the customer IPs/domains within scope, the attack window timeframes, etc.
  • The methodology is detailed in a step-by-step manner: The customer needs to understand the activities that will be performed and how.
  • The timeline is established: Depending on the scope and access requirements, we develop a timeline that lays out our activities across the full engagement.
  • Customer concerns are addressed: Will there be disruptions? Do I need a test environment? What kind of access do the pen testers need? Will the gathered data be safe? All questions and concerns are answered to get a better understanding of what’s needed from both sides.


During the Penetration Test

It’s important to stay in communication throughout the tests. This can be done via an email chain, an IM group or weekly status update meetings. Following are some advantages of staying in constant communication:

  • Address any issues: Last-minute questions and concerns come up frequently, and constant communication makes it easier for employees to share them.
  • Perform troubleshooting: Rarely does everything go according to plan, and sometimes troubleshooting is required to continue the tests (e.g. VPN access, temporary account lockouts).
  • Test internal responses: Some customers test their internal IT security departments to see whether they detect our activities and react to them within guidelines. We can provide the source IP addresses and timestamps of our activities so they can make these determinations.
  • Abort activities: Although unlikely, in case there is an unforeseen disruption, we can be immediately reached to abort activities and help determine the root cause of a disruption.
  • Ensure the timeline: Activities should be planned and performed in a condensed timeline so there are fewer “stopping points” waiting for answers (i.e., an out of office employee, someone on vacation, last minute sick day, etc.).
  • Report in real-time: Critical findings can be shared instantly with the customer for immediate remediation.
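One concrete way the customer's security team can use the source IPs and timestamps the testers hand over is to correlate them against their own alert export and see which activities were caught, and how fast. The script below is an added example, not code from the article or from ERMProtect; the activity list, the alert line format (“timestamp source-IP rule-name”), the RFC 5737 documentation IP addresses and the 60-minute detection window are all constructed assumptions for illustration.

```python
"""Correlate a tester's activity log against the customer's SIEM alert export.

Constructed example: the IPs (RFC 5737 documentation ranges), timestamps,
activities and rule names below are invented; none come from a real engagement.
"""
from datetime import datetime, timedelta


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' (assumed format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# What the testing firm hands over: when each activity started and from where.
TESTER_ACTIVITIES = [
    {"time": "2024-03-12T09:05:00Z", "src": "203.0.113.10", "activity": "external port scan"},
    {"time": "2024-03-12T09:40:00Z", "src": "203.0.113.10", "activity": "web login brute force"},
    {"time": "2024-03-12T13:15:00Z", "src": "198.51.100.7", "activity": "VPN password spray"},
]

# Customer's alert export, one alert per line: "<timestamp> <source IP> <rule name>".
# Includes an unrelated alert and a malformed line to show both are handled.
SIEM_ALERTS = """\
2024-03-12T09:11:30Z 203.0.113.10 Inbound port sweep detected
2024-03-12T09:45:12Z 203.0.113.10 Multiple failed logins on /login
2024-03-12T10:02:00Z 192.0.2.44 Suspicious outbound beacon
this line is malformed and should be skipped
2024-03-12T19:00:00Z 198.51.100.7 VPN authentication failures
"""


def parse_alerts(text: str) -> list[dict]:
    """Parse the alert export, silently skipping lines that do not fit the format."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        try:
            ts = parse_ts(parts[0])
        except ValueError:
            continue  # first token is not a timestamp: not an alert line
        alerts.append({"time": ts, "src": parts[1], "rule": parts[2]})
    return alerts


def correlate(activities, alert_text, window_minutes=60):
    """For each tester activity, find the earliest alert from the same source IP
    that fired within `window_minutes` after the activity started."""
    alerts = sorted(parse_alerts(alert_text), key=lambda a: a["time"])
    window = timedelta(minutes=window_minutes)
    results = []
    for act in activities:
        start = parse_ts(act["time"])
        match = next(
            (a for a in alerts
             if a["src"] == act["src"] and start <= a["time"] <= start + window),
            None,
        )
        results.append({
            "activity": act["activity"],
            "src": act["src"],
            "detected": match is not None,
            "minutes_to_alert": (round((match["time"] - start).total_seconds() / 60, 1)
                                 if match else None),
            "rule": match["rule"] if match else None,
        })
    return results


def detection_rate(results) -> float:
    """Fraction of tester activities that produced an alert inside the window."""
    return sum(r["detected"] for r in results) / len(results) if results else 0.0


if __name__ == "__main__":
    res = correlate(TESTER_ACTIVITIES, SIEM_ALERTS)
    for r in res:
        status = (f"detected in {r['minutes_to_alert']} min by '{r['rule']}'"
                  if r["detected"] else "MISSED within window")
        print(f"{r['activity']:<24} {r['src']:<14} {status}")
    print(f"detection rate: {detection_rate(res):.0%}")
```

The VPN password spray in the constructed data does produce an alert, but almost six hours later, so with a 60-minute window it is reported as missed; widening the window (for example to 360 minutes) makes it count, which is exactly the kind of “did we detect it, and was it fast enough” judgement the customer's security team needs the tester's timestamps to make.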


After the Penetration Test

The after-action review is one of the most important parts of a penetration test. In this part of the engagement we cover the following:

  • Review and discuss results: Reports containing all findings and recommendations are securely shared with the customer. For each system type within scope (e.g., internal systems, external systems, wireless devices, web applications), the customer receives a thorough report describing each vulnerability's severity level, type and impact, together with recommendations for remediation.
  • Close out meeting: A presentation can be provided to demonstrate the methodology and results.
  • Follow-up: Smaller customers that don’t have IT security departments sometimes request help to implement remediations. We can provide guidance on the implementation to improve overall security.
  • Retest: After the customer remediates the identified vulnerabilities, a retest of the systems can be performed later to validate the effectiveness of the incorporated changes.

The key activities above reduce the common friction points of a typical penetration test. Whether a penetration test is effective or not depends on the approach and on the expectation-setting between the security company and the customer.
