Oh, joy. It's that time again to prepare for your organization's annual penetration test. There is nothing you look forward to as much as having some outside experts come along and look for all the places your security isn't up to snuff. If jubilation isn't the feeling you experience when a pen test is pending, you might want to check out these pro tips our team compiled to help you get the most out of the experience, and the most for your money.
Let's start with a brief refresher of the benefits of a penetration test in the first place. It's the "why it's good for you" part of your annual exam (sort of like the dental hygienist's recurrent lecture on flossing).
The advantages of pen testing include:
How to get the most out of your testing experience
Get actively involved from the outset to collaborate with your penetration testing team in determining what your goals are and how to prioritize your resources in improving your cybersecurity stance. Before testing begins you should know:
You know your industry and, presumably, have been keeping up on cybersecurity threats particular to your type of business. Enumerating likely threats for the penetration testers can help to determine what they should try to do and how deeply. For example, your industry may be more susceptible to script kiddies, hacktivists, organized crime, or insider threats.
With your understanding of objectives and threats, establish how much of your network can be tested and how deeply, considering your budget and time. Keep in mind that motivated bad actors aren't going to focus only on certain parts of your system, so you don't really want your testers to be limited.
At the same time, you may not want to give them free rein. You want creativity, yes, but the security manager needs to be sure that testers understand clear boundaries (such as never to perform a denial of service attack on any production system).
The more information you can provide, clearly communicated, the less time penetration testers need to spend determining the true scope of your network and systems.
Another critical component of an effective pen test is having a clear point of contact who can be in constant communication with the testing team and ensure that security logs and alerts are addressed in a timely fashion.
Your efforts to understand the testers' tools, techniques, and processes can help you to better define parameters and expectations. You need an understanding of what goes into the testing to be able to ask questions about methodology and policy or identify testing approaches that may be overlooked.
Also, you'll be better able to turn the findings of the engagement into meaningful action with increased awareness of how the results were reached.
Expecting a penetration test to prove your network, application or IoT devices are invulnerable is unrealistic. In fact, we often say there's no such thing as being 100% secure.
Nor can you likely afford to find every vulnerability that could ever be found. Instead, plan on using the pen test to identify problem areas that help you define policy or procedures, get leadership buy-in, or justify budget expenditures.
Once you've found a penetration testing team that does the job you want done and done well, work with them consistently. Developing an ongoing relationship with a testing group can benefit your budget long-term as they will come back to each engagement with a deeper understanding of your culture, infrastructure, and support systems.
Whatever your reason for a penetration test — meeting compliance standards, testing your security team's capabilities, or determining control efficacy — you'll want to partner with experts who will thoroughly prepare the engagement and keep you fully apprised of findings.
Know that with RedTeam Security Consulting, you get more than a single penetration test. Our experts provide you with a detailed report and discuss remediation and business priorities with you. We also offer ongoing access to our assistance and will test again to help you remediate our findings — for free. Contact us today to begin your consultation.