What to expect during your next penetration test
(Last updated on May 28, 2018)
For some businesses, vulnerability and penetration testing is a deeply-ingrained process that just works. However, for many others, this exercise is less known – arguably a mysterious, if not a downright scary aspect of running an information security program. After all, there is someone (internal or external to the business) whose main goal is to point out the flaws in your IT environment. To essentially call your baby ugly. Vulnerability and penetration testing may sound unpleasant, but a necessary exercise if you’re going to find the security flaws creating tangible business risks.
In many cases, the unknowns that accompany security testing can bring about undue stress, especially if you’ve never had such testing performed before. But it really doesn’t have to be that way. If expectations are properly set, it should be a straightforward and painless exercise that benefits everyone involved. So, what exactly can you do to prepare for an upcoming vulnerability and penetration test? What does it involve? What will happen along the way? Having performed hundreds of these exercises over the past decade and a half, I have found that it can be a simple and insightful exercise once you understand the process.
Vulnerability and penetration testing – what I often simply refer to as a security assessment – consists of four main phases:
Planning: I’ve heard it said that action without planning is the reason for every failure. That’s why this phase of your work is the most important one. You must ask yourself (and others involved in the security assessment process) what will be tested, when will it be tested, and how will it be tested. If you’re just starting out, you will likely look at all the big areas of your network environment including external network hosts and applications, internal network hosts/applications/databases, wireless networks, and even your users via email phishing. This is the phase where all parties get on the same page. Make sure that you understand what will take place and that the deliverables meet your expectations and needs.
Testing: During this phase the penetration tester will perform a reconnaissance of your network, enumerate your systems, and identify vulnerabilities. There is a heavy reliance on security testing tools such as vulnerability scanners, password crackers, and exploit frameworks. Without the right tools, it’s difficult to find all the flaws that matter in a relatively short period of time – no matter how good you are at your craft. Part of this work is automated, and part of it is not. The important thing is that the professional doing the work goes beyond basic vulnerability scans and digs further to analyze how vulnerabilities may be exploited, including the specific risks they create in the context of your network environment.
Reporting: Once the testing and analysis is complete, the specific findings will need to be documented. The results can’t just exist as vaporware. Nor should they be a simple PDF file exported from a vulnerability scanner. There needs to be context and insight provided by someone with security expertise. The report needs to be easy to read with tangible, common-sense recommendations. I have found that organizing the findings into their respective parts of the network (i.e. external systems, internal systems, users), and listing them based on specific priority (i.e. critical, high, or moderate) works well.
Follow-up: This is where other people – developers, system administrators, executive management, and even external vendors – will need to be involved. Unfortunately, many security assessment projects tend to stop just before the proper follow-up has been taken. I have delivered many reports over the years with findings that are still present two, three, or four years after the fact. Apathy is security’s greatest enemy and prevention is easier than repair so make sure that the proper follow-up is taken and the risks are being addressed.
Contrary to common belief and practice, a proper and in-depth security assessment is not just an exercise in vulnerability scanning, or looking at only part of your network. It’s a detailed and methodical process that takes a broad look at your overall environment. Depending on the vendor performing the test, your mileage may vary as people have their own ways of executing each of the phases. Still, the overall goal should be to find security flaws so that they can be addressed before those with ill intent exploit them.
If there are any core lessons to be learned from security assessments, they are:
- You cannot secure the things you don’t acknowledge. Vulnerability and penetration testing is the only way to find out where you’re weak.
- Vulnerability and penetration testing won’t uncover every possible security flaw on your network. That goes for the first test and for any subsequent tests.
- Testing must be performed periodically and consistently over time – at least once per year, every year.
Like exercise and healthy eating habits, security testing must be a part of your ongoing IT and security operations. It’s not going to solve all of your security challenges, but it will certainly improve your IT resilience over time. The important thing is to practice what I refer to as relentless incrementalism – small improvements in both your security testing initiatives as well as your overall security oversight, month after month, and year after year. This means focusing on the essentials, not getting derailed by the security flaws that don’t matter, and ensuring that security testing becomes part of your organization’s culture. When executed well, it works like any other core function in support of your business goals.