Are you interested in conducting a penetration test to determine how secure your network and web applications are?
Is it worthwhile to test how well your firewall and password policies stand up to a simulated real-world hack?
The answer is a resounding yes. You won’t have sleepless nights knowing that your company’s data and systems are secure because you know zero-day vulnerabilities are being managed.
But what are the muddy, grey areas of penetration testing? If not managed well, penetration testing can equally leave your cybersecurity operations in an even dire situation, with thousands of dollars forked out for little value.
Here are 5 costly mistakes to avoid when executing a penetration test for the first time.
1. Without scope you won’t be able to prioritize risks
Before you undertake any form of penetration testing ask yourself the universal question: ‘why should we conduct a penetration test?’
Is it because it’s an annual evaluation? Or because you were recently hacked? If you were breached via an IP address, pen testers will immediately recognize your systems have poor patch management and you don’t have Two-Factor Authentication (2FA), so they can begin password spraying to test for vulnerabilities.
Understanding why you need a penetration test will help your security team focus on resolving specific problems.
You should also be aware of the security framework that your company intends to use. Do you want to comply with PCI? Do you want to follow the National Institute of Standards and Technology (NIST) or the Cybersecurity Framework?
It enables the security team to create a list of individual controls that they can test during a pen test. The result is a report that’s tailored to your organisation’s requirements.
If you don’t consider scope requirements, your organization will receive no benefit from a penetration test. Your goal should be to comprehend all of your company’s technologies as well as the attack surface and then zero in on the weak points.
2. Not backing up your data before a pen test
Penetration testing does have inherent risks. Pen testers will simulate real-world hackers by using automated tools, brute force attacks, and password spraying. Because it targets a network that’s typically in production, pen testing can cause your IT systems to shut down.
Some downtime should be expected, and transparent communication channels must be in place to ensure that assets are tested as thoroughly as they should be.
Also, if you’ve agreed to a penetration test, it’s standard practice to back up all the company’s files and data (if you haven’t already done so as part of your incident response).
But, if there’s a component of your system that can’t be shut down, you must notify your security team ahead of time.
For example, if there’s a hidden link to a remote office on your network that doesn’t have the best throughput, the pen tester will know not to use automated tools to send large amounts of traffic to that port. Business continuity is ensured using effective communication and timely backup procedures.
3. You must remediate vulnerabilities before the penetration test
It’s great that you’re looking to do security testing before, for instance, launching an application into production. But, you need to ensure the code used in that application is not half-baked.
If you hire pen testers to test your app and they find vulnerabilities to exploit, your excuse cannot be ‘that feature hasn’t been programmed correctly yet’. You’ve wasted money on that test.
To avoid wasting money, ensure that the code or program is as stable as possible by first running it through a vulnerability scan and doing your best to close any potential security gaps. Alternatively, if a functionality isn’t working properly, notify your pen testers ahead of time.
This is critical because if pen testers are not informed beforehand, they won’t know whether a functionality doesn’t work simply because it doesn’t work or because they are doing something wrong. Unnecessary troubleshooting consumes time.
4. You’re pen testing just to tick boxes
If you want to go through a penetration test simply to look like you’re doing something about your cybersecurity operations, you’re doing yourself and your company a disservice.
Internal corporate politics should not be a factor in your interactions with pen testers. Don’t make strange requests to your security team, such as “don’t hack that guy, that’s my manager” or “we’re a big company, so don’t go crazy with the testing.”
The entire purpose of a penetration test is to bypass security and see if any exploits can be caught.
Accept that the goal of pen testing is to determine whether or not your systems are indeed impenetrable. You also want pen testers to be able to come to you without fear of repercussions if something goes wrong.
Pen testers should be free to identify where your security begins to fail and where it’s actually working, and once they have identified a flaw, they can advise people on how to improve their security.
5. Insufficient Reporting
The report is much more important than the test because it’s all that you get at the end of the day.
You must receive a report which is suited to your needs. If you need a penetration test for NIST compliance, then the report must list of all individual controls required for NIST compliance.
Also, understand the distinction between a manual report and an automated report. Automated scanners often report on risk using technical jargon such as “happy birthday attack” or “golden poodle attack,” which may not mean anything and aren’t exploitable.
You’ll end up chasing a lot of vulnerabilities that don’t need to be fixed. Don’t get caught up in the terminology or jargon.
If you’re going into a penetration test, you and the third-party security team must both be in the right frame of mind.
Don’t assume you’re performing a pen test just because you have to. You’ve hired experts to help you identify network vulnerabilities and work with you to find solutions, making your web applications and network more secure.