Oh, joy. It’s that time again to prepare for your organization’s annual penetration test. There is nothing you look forward to as much as having some outside experts come along and look for all the places your security isn’t up to snuff. If jubilation isn’t the feeling you experience when a pen test is pending, you might want to check out these pro tips our team compiled to help you get the most out of the experience–and the most for your money.
Why Should We Do Penetration Testing?
Let’s start with a brief refresher of the benefits of a penetration test in the first place. It’s the “why it’s good for you” part of your annual exam (sort of like the dental hygienist’s recurrent lecture on flossing).
The advantages of pen testing include:
- Determined, experienced testers who aim to discover vulnerabilities before the motivated hacker does so.
- A thorough pen test will identify vulnerabilities, attack path, and provide the necessary context to help you prioritize remediation efforts.
- The report also serves as an assessment of how well the organization is able to respond to an attacker.
And now, how to get the most out of your testing experience…
#1: Understand the Pen Test Parameters
Get actively involved from the outset to collaborate with your penetration testing team in determining what your goals are and how to prioritize your resources in improving your cybersecurity stance. Before testing begins you should know:
- High-value assets and associated targets
- Controls and capabilities you want to test
- Audience for report and what measures matter to them.
#2: Anticipate Likely Threats
You know your industry and, presumably, have been keeping up on cybersecurity threats particular to your type of business. Enumerating likely threats for the penetration testers can help to determine what they should try to do and how deeply. For example, your industry may be more susceptible to script kiddies, hacktivists, organized crime, or insider threats.
#3: Establish Realistic Expectations
With your understanding of objectives and threats, establish how much of your network can be tested and how deeply considering your budget and time. Keep in mind that motivated bad actors aren’t going to focus only on certain parts of your system, so you don’t really want your testers to be limited.
At the same time, you may not want to give them free rein. You want creativity, yes, but the security manager needs to be sure that testers understand clear boundaries (such as never to perform a denial of service attack on any production system).
#4: Provide Network Knowledge
The more information you can provide, clearly communicated, the less time penetration testers need to spend determining the true scope of your network and systems.
Another critical component of an effective pen test is having a clear point of contact who can be in constant communication with the testing team and ensure that security logs and alerts are addressed in a timely fashion.
#5: Learn What They’re Doing
Your efforts to understand the testers’ tools, techniques, and processes can help you to better define parameters and expectations. You need an understanding of what goes into the testing to be able to ask questions about methodology and policy or identify testing approaches that may be overlooked.
Also, you’ll be better able to turn the findings of the engagement into meaningful action with increased awareness of how the results were reached.
#6: Plan to Discover Flaws
Expecting a penetration test to prove your network, application or IoT devices are invulnerable is unrealistic. In fact, we often say there’s no such thing as being 100% secure.
Yet you likely can’t afford to find every vulnerability that could ever be found. Instead, plan on using the pen test to identify problem areas to help you define policy or procedures, get leadership buy-in, or justify budget expenditures.
#7: Stick with a Trusted Partner
Once you’ve found a penetration testing team that does the job you want done and done well, work with them consistently. Developing an ongoing relationship with a testing group can benefit your budget long-term as they will come back to each engagement with a deeper understanding of your culture, infrastructure, and support systems.
Whatever your reason for a penetration test — to meet compliance standards? test your security team’s capabilities? determine control efficacy? — you’ll want to partner with experts who will thoroughly prepare the engagement and keep you fully apprised of findings.
Know that with RedTeam Security Consulting, you get more than a single penetration test. Our experts provide you with a detailed report and discuss remediation and business priorities with you. We also offer ongoing access to our assistance and will test again to help you remediate our findings — for free. Contact us today to begin your consultation.