Getting maximum value out of your Penetration Testing

Getting maximum value out of your Penetration Testing

Whether you are an experienced consumer of Penetration Testing services or new to the industry, it’s well worth re-evaluating the fundamentals occasionally.  That is my aim in this post where we look at people concerns, scoping approaches and some good practices to help conduct a test effectively and efficiently.

By Andrew Scott

Assurance Regional Lead, Scotland

06 May 2020

The right people

Experienced consultants will be able to demonstrate the necessary technical skill set and qualifications to carry out penetration tests for your organization.  They will also be adept at translating technical problems they identify into the potential business risks associated with these problems, and then to actionable steps for your business to mitigate and reduce these risks. A technical consultant doesn’t stand on their own either, and the team and processes supporting a tester are just as important.

Qualifications are the easiest way a penetration tester can demonstrate their skills.  Modern, high quality qualifications require a candidate to demonstrate both deep theoretical understanding of modern networks and systems, and a practical ability to test for vulnerabilities, compromise systems and document their findings.

An effective penetration tester builds up knowledge and experience over their career.  While being a penetration tester starts with a mind-set, the ability to apply this productively, consistently and in a risk managed way on your systems comes with experience.  A junior tester should be working under the supervision of a mentor for their first year of testing and consultants, team leads and principals will have increasing levels of experience.  All will be able to provide highly effective core services with increasing specializations and breadth of experience to be called upon. 

The wider operational and support teams behind the test ensure that your requirements line up to the right consultant with specific experience that applies to your test.   

Many testers have experience working as developers or system administrators.  This type of experience means they know what it’s like to be on the receiving end of a security test and can tailor their support to your needs.

Adopting the right methodology when conducting a test supports the skills and knowledge of the tester.   The methodology ensures that all areas of security are evaluated during a penetration test and it becomes a repeatable and rigorous process. This is vital if you are looking for a level of assurance about a system or systems, and enables a view of a whole enterprise to be built up and issues prioritized for addressing.

Finally, as the report is usually the only formal output from a penetration test, it must clearly explain the business threats identified to allow the level of risk to be determined. It should have sections that concisely explain the issues to executive or board members, a section that explains the vulnerabilities and business impacts to system owners, and enough detail to help the technical team understand, re-create and fix the problems. 

What are we testing and why?

The key to an effective penetration test is understanding and agreeing what the target and purpose of the test is.  The level of assurance you require and the skill of your potential adversaries can change the recommended approach to the test.

Your reasons for conducting a test will determine the approach you take. Testing for a regulatory requirement may have a well-defined set of parameters. However, testing to generally improve the security of the targeted system or overall network, or to address previously identified threats, requires more thought.  Make sure your requirements are clearly defined and communicated to the test team before the test so the results are meaningful and can be utilized effectively.

When planning your penetration test you will need to decide the level and depth of testing you want to conduct. How extensive or comprehensive do you want the test to be? Is it a high-risk system with multiple layers, with each layer needing its own assurance, or are you just looking for a single user-facing layer to be tested? Close consideration of what to test must be given to ensure you don’t end up testing too many (costly!) or too few (false sense of security) systems and reducing the value of the test.

Efficiently conduct the test

To maximize the value of your penetration test, you will want to provide enough detail about your target systems so the penetration testing team can quickly understand the environment and provide useful and accurate results. “White box” testing provides the tester with knowledge of the internal structure of the system so the penetration testing team can quickly familiarize itself and get straight to identifying security issues.

If you are aware of some of the existing vulnerabilities within a system, make sure to fix these or inform the testers before you start.  This way the team will not waste testing time on issues you already know exist. The test will also provide the opportunity to determine the effectiveness of your remediation of those issues.

Once the testing has begun there are a few key considerations during the test to make sure it is efficient and valuable.  Primary among these is a dedicated technical contact the testing team can work with to ensure that any problems are resolved quickly.  Whether it is a password re-set for a test user, diagnosing system access issues, or talking through a business process to ensure a thorough understanding; the main contact for a test must be available throughout and have the time, technical knowledge and business authority to resolve issues.

A secondary consideration is the stability of the system - not just in terms of whether it crashes a lot!  If the system under test is still being developed, or there are other users interacting with the same datasets as the testers, both teams will have difficulty working out who is causing which changes and this could lead to confusion on both sides.

Of equal importance to ensuring the stability of the system under test is agreeing the risk profile of the system.  There are different types of testing that are usually acceptable to conduct against live, development and UAT systems, or dependent on what else the system is being used for.  Agreeing which of these applies and what types of testing are OK, and when the testers should ask permission prior to taking particular actions, will help the test run smoothly and ensure the best results while also minimizing the risk of any disruptive or destructive activities.

Modernizing penetration testing – a continuous approach

It's important to consider your approach to your program of testing from a more broad perspective – in many instances time-limited, one-off tests may not offer you best value for money.

The value of what we call "Continuous Security Testing" reflects the benefits of Agile development and DevSecOps, integrating and automating testing processes and related security measures from the very beginning of the development cycle. Testing early and testing often results in better protection, quicker times to market and reduced costs.

Security by design is now the mantra for the technology industry - this goes hand in hand with early and continuous security testing. It is the only way to ensure the integrity of an application, product or system through its entire lifecycle – achieved by harnessing the best manual skills and automated tools to achieve security at pace.

What testing might you consider?

Customers often ask for advice on what types of testing they should look to conduct to ensure the safety and security of their enterprise. Although the answer to this question is dependent on the organization asking and their specific needs, a rough outline for an average corporate might be:

  1. Infrastructure, especially anything facing the Internet. This is the basis of all systems however they are abstracted, protected, translated, containerized or hosted, and if you are building on shaky foundations you can never be secure.
  2. Cloud, integration, build pipelines. If your organization has embraced agile working then both the security of your pipeline processes and the resulting systems are the key building blocks of your value chain. The business needs assurance that they are well protected from external threats, but also internal attackers or just accidents.
  3. Web applications. They are often how your customers interact with you and have business value, are likely to be targeted by an attacker, and have extreme reputational value. These are often the crown jewels of an organization.
  4. Mobile. Much like web applications, increasingly customers expect to be able to interact with an organization via a secure mobile application, and these therefore become focal points for business and reputation. Ensuring that they stay secure means testing the applications users interact with, and the end points the applications call on.
  5. Build & configuration reviews. These are a type of testing that is starting to move towards auditing against best practice using full administrative access to a system, rather than trying to discover vulnerabilities from the outside. It’s an important technique for when the next level of security is needed. This type of testing is often used on key systems such as Active Directory Domain Controllers, database servers or web servers hosting transactional services.
  6. Whole organization security – This could be any one of Red teaming, Active Directory Attack Resistance testing, scenario testing etc. Its main aim is to stop thinking about individual systems and look at your whole organization like an attacker would.

Bringing it all together

Once you have considered all of the above points when planning your test - perhaps one of the most important, but often not planned for activities when it comes to penetration testing is the remediation of issues found.

The report from a penetration test should clearly explain the findings so the level of risk can be determined. It should also contain sections dedicated to helping the technical team understand, re-create and fix the identified problems. You should ensure you build time into your project to fix issues identified and to re-test them to ensure the effectiveness of the fixes. This will also verify that no new problems were introduced by the fixes.

As a CREST approved organization, Context is trusted to carry out Penetration Tests by both multinational bluechip companies and government bodies. If you'd like to discuss your Penetration Testing needs with us, get in touch today.

Subscribe for more Research like this

About Andrew Scott

Assurance Regional Lead, Scotland

Andrew is our Assurance Regional Lead for the Scotland region. See the contact page for ways to get in touch. 

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor