We preach it all the time here at RedTeam: your organization’s security is an ongoing effort. The status quo is only good enough until the next big data breach or malware outbreak, as we’ve seen demonstrated all too well this month in particular.
Penetration testing is our answer to the need for ongoing, deliberate evolution of your security protocols. It’s a regular, coordinated approach to testing your business’ defenses in order to identify and fix vulnerabilities.
Though it sounds complex, preparing for a pen test with a consultant like RedTeam is neither difficult nor time consuming. Knowing what to expect and doing a bit of dvance prep can help the process go smoothly for everyone involved.
Why Penetration Testing
Look at any roundup of statistics capturing the current state of cyber threats today, and the need for penetration testing is obvious.
Consider, for instance, these recent numerical nuggets from Symantec’s August 2017 monthly threat report:
- August marked five months of elevated web attack activity.
- The email malware rate increased to one in 347 emails — the highest rate of activity since Dec 2016.
- The number of new malware variants decreased, dropping from 58.7 million to 54.2 million — but that’s still 50+ million variants.
- The global spam rate is the highest since March 2015 at 55.3 percent.
Penetration testing can address application, networks, devices, and physical security in one fell swoop.
- Web application penetration testing identifies exploitable vulnerabilities in applications before hackers are able to discover and exploit them.
- Network penetration testing reveals real-world opportunities for hackers to compromise networks, systems, hosts and network devices (ie: routers, switches).
- Physical penetration testing sets out to compromise physical barriers (ie: locks, sensors, cameras, mantraps) to access sensitive areas, just as a malicious insiders or bad actors might do.
- IoT/Device pen testing aims to identify and hardware or software level flaws such as insecure APIs or communication channels.
Need a hand identifying which areas are most important for your organization? Set up a call with us and we’ll be glad to walk you through it.
For each focus area, the objective of a thorough penetration test is to:
- Identify security flaws
- Understand the level of risk for an organization
- Help address and fix identified flaws
So that’s what goes into a penetration test. Now what needs to be done on your end to prepare for it?
Preparing for Penetration Testing
After signing on for penetration testing, you might be apprehensive about all that the test involves, fearing network outages or the length of any inconvenience to the business’ systems. Rightfully so—time is money, so every minute lost to downtime matters.
Here are some tips to prepare for what’s coming with a penetration test on the horizon.
Know Your Contacts
Planning for a penetration test requires that you have technical points of contact available to us before, during, and after the testing. Identify who in your organization holds these responsibilities and who will be the internal point person on call throughout the process.
Next—and this sounds like a given, but you’d be surprised—inform the appropriate parties about the upcoming testing. You don’t have to shout it from the rooftops (nor should you), but key IT personnel should be in the loop.
If your IT team is unaware that a penetration test is going on, they may believe something is going wrong and start sounding the alarm bells. They may begin incident response procedures that make testing more difficult. Plus, if an unannounced test causes difficulties, the right people may not be available to help with crashed remote equipment or restore a database. This is a worst-case scenario, but it’s worth considering.
Be Ready to React
An enterprise’s time commitment is typically not very high before or during pen testing. However, the time required after the testing is complete is perhaps the most important commitment on your end. How much time that will be depends on the findings and the level of remediation needed.
Plan ahead to allocate the time and resources to address any issues that are found. The business will need to not only summarize any issues or risks from the report for upper management but also propose a time frame for corrections and fixes. Prioritizing the recommendations with an eye to threat level, procedures, and resources may take time, but the net result is improved security and heightened security awareness.
Consider Your Environment
Fully understand the environment where the testing will take place to ensure your testers have full permission to test. A corporate CIRT team may need to alert ISP and law enforcement authorities upon evidence of a pen test, so have a streamlined incident response plan in place for alerting the right people if needed.
Your organization may also want to consider in advance if it makes sense for the testing to take place at a lower-level environment than in production. At the same time, it’s important not to scope the pen test engagement incorrectly. Too often, out of concern for availability or reliability of production systems, a penetration test will be more akin to a vulnerability scan. Limiting the scope of a penetration test to carve out the most important or vulnerable systems, or limiting vectors of attack, does the organization a disservice.
Prepare for Availability Issues
Penetration testing is production safe and should not create an availability issue. Yet, we can’t guarantee there won’t be any glitches on the network or application side. After all, testing could exacerbate existing issues with an application or network.
You’ll want people available and empowered to collaborate with testers in the event of any negative impacts so the issue can be addressed and remediated as soon as possible.
Don’t Put Lipstick on the Pig
We love that saying, don’t you?
Stepping up your security just before a penetration test begins isn’t a sustainable approach. For the testing to be effective, your consultants need an accurate representation of the true state of your environment—not one that’s been given a quick-fix spruce-up a few days prior.
Nevertheless, if you’re looking for some quick wins, it does pay to tackle some of the more commonly identified issues:
- Missing patches — Security patches should be applied soon after they are made available, before bad actors act to compromise your systems.
- Decommission forgotten systems — Scan your network and compare it against your system inventory to identify any long ignored, unsupported operating systems or unnecessary services.
- Test password strength — Save yourself the embarrassment of the pen testers finding weak and default password use.
- Restrict admin interfaces — Access control lists should be in place for web GUIs, video conferencing logins, application backdoors, FTP services, private APIs, remote control interfaces, telnet and SSH services. Limit connectivity to these high value targets.
- Validate input/output — The most common web application security weakness is the failure to properly validate input from the client or environment. Basically, don’t trust client data. There are too many ways to tamper with data (accidentally or intentionally).
Before any testing begins, it’s also a good idea to make sure you have an up-to-date and tested backup of key systems and data. Keep this most current backup accessible, rather than taking it to its usual offsite, secure storage. This precaution can save time in the event of a situation requiring backup media.
Penetration Testing with RedTeam
RedTeam Security can customize its pen testing approach to your organization’s needs. After we’ve identified application, network, system, device or physical security flaws, we’ll share suggestions to help you improve your security posture.
Your RedTeam consultants will not only produce findings in written reports, but also provide your team with the guidance necessary to effectively remediate any issues uncovered.
Ready to get started? Just set up a call at a time that works for you.