Making the Most of a Penetration Test
The decision to hire a pentesting firm to assess your networks or applications is certainly an important one. Often, especially when getting an assessment for the first time, there can be a lot of questions and unknowns about what to expect and, perhaps more importantly, what to do with the findings in the final report. In this article, we’ll walk through a standard penetration test and discuss ways to help ensure that you get the greatest value you can from your investment.
What to Expect from the Process
For the purposes of this article, we’ll assume that you’ve already been through the scoping process and have contracted a firm to begin the assessment. For most organizations, this is where the mystery begins. So, let’s start demystifying! No matter what exactly is being tested, the first step will almost always be reconnaissance or information gathering. In this crucial step of the process, the Security Engineers performing the assessment will learn as much as they can about the environment to better understand their potential attack vectors.
In the next phase, the search for low-hanging fruit begins, which typically involves the use of automated tools designed to find such vulnerabilities. Depending on the test and the firm you hired, the search may stop here. At Lykosec, this stage is much more in-depth, as we then manually search for less common and unique flaws. Next, the team will attempt to exploit any vulnerabilities discovered. This is a very important step, as it is fundamentally what differentiates a Penetration Test from a Vulnerability Assessment. In a Vulnerability Assessment, discovered flaws are not exploited, so you won’t get as clear a security picture as you do when seeing exactly what impact exploitation could have. Next, depending on the type of test, Security Engineers attempt to find methods of maintaining persistence (meaning some kind of long-term access to an application or network that was exploited). Lastly, again depending on the environment being tested, the team will clean up and cover their tracks and begin working on the final report, which details the findings of the test.
An important note: in most types of assessments, the team performing the test will contact you in the event that critical vulnerabilities are found. Make sure that the company you hire assures you that they will do this so that such findings can be remediated as soon as possible. The last thing you want is for a malicious hacker to find the same vulnerability!
Understanding the Penetration Testing Report
This is one area where different security firms can vary widely in their approach. A good firm will provide a non-technical overview of the findings, in addition to technical details, to help you understand the potential business impacts in a more palatable way. In any case, the report should contain at least the following sections:
Executive Summary - This is the aforementioned high-level overview that will give you a basic picture of the findings of the test.
Project Scope - A continuation of the summary, this section should detail what exactly was tested, including names of applications, URLs, network addresses, and any other relevant scoping information. Importantly, this section will commonly list any assets that were explicitly excluded from the scope.
Vulnerability Summary - Ideally, the report will contain a simple overview of what vulnerabilities were found before moving into the in-depth technical details. This section should also detail how the flaws were found so that they can be reproduced by those responsible for fixing them.
Remediation Steps - This is arguably the most important component of the entire report. After all, the purpose of the test was to find security flaws so that they can be fixed. This section should detail how to do that for each vulnerability found.
Essentially, a good report will be readable by both non-technical staff and executives and also contain plenty of technical detail for those who need it.
Increasing the Value of the Assessment
While the final report offers most of the value in itself, a proactive security team can increase the value further by using it as a launching point for further analysis of their security posture. Remediating vulnerabilities is of course priority one, but understanding how the vulnerabilities came about in the first place can do a lot of good too. Think of it this way: every vulnerability found points to a weakness somewhere in the process of development and/or administration. Were the vulnerabilities the result of common insecure coding practices? Look into the DevOps process and ensure that security is integrated from the start. Perhaps sensitive information was found exposed where it shouldn’t be? Ensure that your internal policies implement safeguards against simple mistakes and forgetfulness, such as applying the principle of least privilege. By taking the time to review how the vulnerabilities came about, you can help ensure that they won’t happen again. The results will speak for themselves the next time you get an assessment.
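One concrete safeguard against the "sensitive information exposed where it shouldn't be" class of finding is a secrets check that runs in CI or as a pre-commit hook, so a credential never reaches the repository in the first place. The following is an added example written for this article; it is not Lykosec's code or tooling. The detection rules (an AWS access key ID format, a private key header, and a quoted assignment to a name like password or api_key whose value has high Shannon entropy), the entropy threshold, and the sample file contents are all illustrative choices; the access key value used in the sample is the placeholder that AWS uses in its own documentation.

```python
"""Minimal secrets gate for a CI job or pre-commit hook.

Added example for the article above, not Lykosec's own code. Rules and
threshold are illustrative assumptions; tune them for your codebase.
"""
import math
import re
import sys
from collections import Counter

# Illustrative rules: two fixed formats plus a generic "name = 'value'" check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"
    ),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Bits per character; assumed cutoff separating real tokens from placeholders.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value):
    """Shannon entropy of a string in bits per character."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>"):
    """Return a list of findings (path, line, rule) for one file's contents.

    Generic assignments are only reported when the assigned value looks
    random enough to be a real secret, which keeps obvious placeholders
    such as 'changeme' from producing noise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_assignment":
                if shannon_entropy(match.group(2)) < ENTROPY_THRESHOLD:
                    continue
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


def scan_files(paths):
    """Scan each path on disk; unreadable or binary files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample content standing in for a staged config file.
SAMPLE_CONFIG = (
    "aws_key = AKIAIOSFODNN7EXAMPLE\n"      # AWS documentation placeholder
    "password = 'changeme'\n"               # low entropy, not reported
    'api_key = "x7Qm2pL9vR4sT1wZ"\n'        # constructed high-entropy value
)


if __name__ == "__main__":
    # With file arguments, gate the commit/build; without, run on the sample.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 \
        else scan_text(SAMPLE_CONFIG, "config.py")
    for f in results:
        print(f"{f['path']}:{f['line']}: possible secret ({f['rule']})")
    # A non-zero exit makes the hook or CI stage fail when anything is found.
    sys.exit(1 if results else 0)
```

Wired into a pre-commit hook (run against the staged files) or a CI stage, the non-zero exit blocks the change until the value is moved into a secrets manager or environment variable; the entropy filter is what keeps the check from drowning developers in false positives on obvious placeholders.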
Penetration tests, especially good ones, are an important investment and as with any other, it’s equally important to understand how to make the most of them. We hope that you’ve also found good value in this article! Interested in understanding your security posture? Our Security Engineers can provide you with top-quality penetration test reports that will help make your organization safer from the threats it faces every day. Contact Lykosec today to see how we can work together.