We preach it all the time here at RedTeam: your organization's security is an ongoing effort. The status quo is only good enough until the next big data breach or malware outbreak, as we've seen demonstrated all too well this month in particular.
Penetration testing is our answer to the need for ongoing, deliberate evolution of your security protocols. It's a regular, coordinated approach to testing your business' defenses in order to identify and fix vulnerabilities.
Though it sounds complex, preparing for a pen test with a consultant like RedTeam is neither difficult nor time-consuming. Knowing what to expect and doing a bit of advance prep can help the process go smoothly for everyone involved.
Look at any roundup of statistics on the current state of cyber threats, and the need for penetration testing is obvious.
Consider, for instance, these recent numerical nuggets from Symantec's August 2017 monthly threat report:
Penetration testing can address applications, networks, devices, and physical security in one fell swoop.
For each focus area, the objective of a thorough penetration test is to:
So that's what goes into a penetration test. Now what needs to be done on your end to prepare for it?
After signing on for penetration testing, you might be apprehensive about all that the test involves, fearing network outages or the length of any inconvenience to the business' systems. Rightfully so—time is money, so every minute lost to downtime matters.
Here are some tips to prepare for what's coming with a penetration test on the horizon.
Planning for a penetration test requires that you have technical points of contact available to us before, during, and after the testing. Identify who in your organization holds these responsibilities and who will be the internal point person on call throughout the process.
Next—and this sounds like a given, but you'd be surprised—inform the appropriate parties about the upcoming testing. You don't have to shout it from the rooftops (nor should you), but key IT personnel should be in the loop.
If your IT team is unaware that a penetration test is going on, they may believe something is going wrong and start sounding the alarm bells. They may begin incident response procedures that make testing more difficult. Plus, if an unannounced test causes difficulties, the right people may not be available to help with crashed remote equipment or restore a database. This is a worst-case scenario, but it's worth considering.
An enterprise's time commitment is typically not very high before or during pen testing. However, the time required after the testing is complete is perhaps the most important commitment on your end. How much time that will be depends on the findings and the level of remediation needed.
Plan ahead to allocate the time and resources to address any issues that are found. The business will need to not only summarize any issues or risks from the report for upper management but also propose a time frame for corrections and fixes. Prioritizing the recommendations with an eye to threat level, procedures, and resources may take time, but the net result is improved security and heightened security awareness.
Fully understand the environment where the testing will take place to ensure your testers have full permission to test. A corporate CIRT team may need to alert ISP and law enforcement authorities upon evidence of a pen test, so have a streamlined incident response plan in place for alerting the right people if needed.
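Both of the points above (tell key IT personnel before testing starts, and have an incident response plan for who gets alerted) are easier to act on when the SOC can recognise announced test activity at triage time instead of opening a full incident for it. The following is an added example, not RedTeam Security's code: it assumes a hypothetical engagement record (the tester source ranges and the agreed time window, written here as placeholder documentation addresses and a placeholder ticket id) plus constructed sample alerts, and it annotates alerts rather than suppressing them, so that anything from the tester ranges outside the agreed window is still escalated as a possible real intrusion.

```python
"""Flag SOC alerts that fall inside an announced penetration-test engagement.

Added example, not RedTeam Security's code. It assumes a hypothetical
engagement record (the tester source ranges and the agreed time window that
IT is told about before testing starts) and a feed of alerts as dicts.
Matching alerts are annotated as authorized testing so analysts do not open a
full incident for them; nothing is suppressed, and activity from the tester
ranges outside the agreed window is escalated as a potential real intrusion.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical engagement record (constructed; the addresses are RFC 5737
# documentation ranges and the ticket id is a placeholder).
ENGAGEMENT = {
    "ticket": "PT-EXAMPLE-001",
    "tester_sources": ["203.0.113.0/24", "198.51.100.7/32"],
    "start": "2024-05-06T08:00:00+00:00",
    "end": "2024-05-10T18:00:00+00:00",
    "contact": "soc-oncall@example.com",
}

# Constructed sample alerts, in the shape a SIEM might emit them.
SAMPLE_ALERTS = [
    {"id": 1, "src_ip": "203.0.113.45", "timestamp": "2024-05-07T10:15:00+00:00",
     "rule": "port scan"},
    {"id": 2, "src_ip": "198.51.100.7", "timestamp": "2024-05-08T02:40:00+00:00",
     "rule": "web login brute force"},
    {"id": 3, "src_ip": "192.0.2.9", "timestamp": "2024-05-07T11:00:00+00:00",
     "rule": "port scan"},
    {"id": 4, "src_ip": "203.0.113.45", "timestamp": "2024-05-12T09:00:00+00:00",
     "rule": "port scan"},
]


def _utc(ts):
    """Parse an ISO-8601 timestamp carrying an offset and normalise it to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def classify_alert(alert, engagement=ENGAGEMENT):
    """Return 'authorized-test', 'tester-source-outside-window' or 'unrelated'."""
    src = ip_address(alert["src_ip"])
    when = _utc(alert["timestamp"])
    from_tester = any(src in ip_network(n) for n in engagement["tester_sources"])
    in_window = _utc(engagement["start"]) <= when <= _utc(engagement["end"])
    if from_tester and in_window:
        return "authorized-test"
    if from_tester:
        # Tester address space is active outside the agreed window: either the
        # schedule slipped or someone else is using those addresses. Escalate.
        return "tester-source-outside-window"
    return "unrelated"


def triage(alerts, engagement=ENGAGEMENT):
    """Annotate each alert with a classification and a note for the analyst."""
    notes = {
        "authorized-test": (f"Announced pen test {engagement['ticket']}; confirm with "
                            f"{engagement['contact']} before closing"),
        "tester-source-outside-window": (f"Tester range active outside the window of "
                                         f"{engagement['ticket']}; treat as unverified"),
        "unrelated": "Not covered by any announced test; normal incident handling",
    }
    out = []
    for a in alerts:
        kind = classify_alert(a, engagement)
        out.append({**a, "classification": kind, "triage_note": notes[kind]})
    return out


def summarize(alerts, engagement=ENGAGEMENT):
    """Count alerts per classification, for a quick view of the engagement day."""
    counts = {}
    for a in triage(alerts, engagement):
        counts[a["classification"]] = counts.get(a["classification"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a["id"], a["classification"], "-", a["triage_note"])
    print(summarize(SAMPLE_ALERTS))
```

The design choice worth noting is that the authorized classification is a triage hint, not an automatic close: the note tells the analyst to confirm with the named contact, because an attacker who happens to share address space with the testers, or a test that overruns its window, must still be treated as real until the point of contact says otherwise.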
Your organization may also want to consider in advance if it makes sense for the testing to take place at a lower-level environment than in production. At the same time, it's important not to scope the pen test engagement incorrectly. Too often, out of concern for availability or reliability of production systems, a penetration test will be more akin to a vulnerability scan. Limiting the scope of a penetration test to carve out the most important or vulnerable systems, or limiting vectors of attack, does the organization a disservice.
Penetration testing is production-safe and should not create an availability issue. Yet, we can't guarantee there won't be any glitches on the network or application side. After all, testing could exacerbate existing issues with an application or network.
You'll want people available and empowered to collaborate with testers in the event of any negative impacts so the issue can be addressed and remediated as soon as possible.
We love that saying, don't you?
Stepping up your security just before a penetration test begins isn't a sustainable approach. For the testing to be effective, your consultants need an accurate representation of the true state of your environment—not one that's been given a quick-fix spruce-up a few days prior.
Nevertheless, if you're looking for some quick wins, it does pay to tackle some of the more commonly identified issues:
Before any testing begins, it's also a good idea to make sure you have an up-to-date and tested backup of key systems and data. Keep this most current backup accessible, rather than taking it to its usual offsite, secure storage. This precaution can save time in the event of a situation requiring backup media.
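"Up-to-date and tested" is the part that gets skipped. As an added example (not RedTeam Security's code), the script below assumes a simple backup layout: a directory of files plus a MANIFEST.sha256 written when the backup was taken. It checks the three things the paragraph asks for: the backup is recent, every listed file is present with the expected SHA-256, and a trial restore into a scratch directory reproduces the same content. The sample backup it builds is constructed for the demonstration.

```python
"""Verify that a backup set is current and intact before a penetration test.

Added example, not RedTeam Security's code. Assumes a backup directory whose
MANIFEST.sha256 (written at backup time) lists "<sha256>  <relative path>".
"""
import hashlib
import os
import shutil
import tempfile
import time

MANIFEST = "MANIFEST.sha256"


def sha256_of(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the digest of every file in the backup; run when the backup is taken."""
    lines = []
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            if name == MANIFEST:
                continue
            full = os.path.join(root, name)
            lines.append(f"{sha256_of(full)}  {os.path.relpath(full, backup_dir)}")
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(backup_dir, max_age_hours=24):
    """Return a report dict; 'ok' is True only when every check passes."""
    problems = []
    manifest_path = os.path.join(backup_dir, MANIFEST)
    if not os.path.exists(manifest_path):
        return {"ok": False, "problems": ["manifest missing"], "files": 0}

    # Recency: the manifest's mtime is when the backup was taken.
    age_h = (time.time() - os.path.getmtime(manifest_path)) / 3600
    if age_h > max_age_hours:
        problems.append(f"backup is {age_h:.1f}h old (limit {max_age_hours}h)")

    entries = []
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                entries.append((digest, rel))

    # Integrity plus trial restore: copy each verified file into a scratch
    # directory and hash it again from there, as a restore job would see it.
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        for digest, rel in entries:
            src = os.path.join(backup_dir, rel)
            if not os.path.exists(src):
                problems.append(f"missing: {rel}")
                continue
            if sha256_of(src) != digest:
                problems.append(f"checksum mismatch: {rel}")
                continue
            dst = os.path.join(scratch, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            if sha256_of(dst) != digest:
                problems.append(f"restore failed: {rel}")
    finally:
        shutil.rmtree(scratch, ignore_errors=True)

    return {"ok": not problems, "problems": problems, "files": len(entries)}


def make_sample_backup():
    """Constructed sample backup set (two small files) for the demonstration."""
    d = tempfile.mkdtemp(prefix="backup-")
    os.makedirs(os.path.join(d, "db"))
    with open(os.path.join(d, "db", "dump.sql"), "w") as f:
        f.write("CREATE TABLE users (id INT);\n")
    with open(os.path.join(d, "config.ini"), "w") as f:
        f.write("[app]\nmode=prod\n")
    write_manifest(d)
    return d


def corrupt_file(backup_dir, rel):
    """Append bytes to one backed-up file, to show that tampering is detected."""
    with open(os.path.join(backup_dir, rel), "a") as f:
        f.write("unexpected change\n")


if __name__ == "__main__":
    d = make_sample_backup()
    print(verify_backup(d))            # ok: True, 2 files
    corrupt_file(d, "config.ini")
    print(verify_backup(d))            # ok: False, checksum mismatch reported
```

Keeping the manifest with the backup, and hashing the restored copy rather than the source, is what makes this a restore test rather than a mere existence check; a report with ok set to False is the cue to refresh the backup before the engagement starts, while it is still cheap to do so.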
RedTeam Security can customize its pen testing approach to your organization's needs. After we've identified application, network, system, device, or physical security flaws, we'll share suggestions to help you improve your security posture.
Your RedTeam consultants will not only produce findings in written reports but also provide your team with the guidance necessary to effectively remediate any issues uncovered.
Ready to get started? Just set up a call at a time that works for you.