7 Ways to Get the Most Out of a Penetration Test
You'll get the best results when you’re clear on what you want to accomplish from a pen test.
Here's what you don't want from a pen test: A 600-page report packed with detail that overwhelms everyone in your organization.
Andrew Hay, chief operating officer at Lares, a security consultancy, says he's seen too many times where pen testers overload their customers with so much information that they don't wind up doing anything with the results.
"Too often people receive that 600-page report and it looks like a vulnerability scan; they don't know what to do with it," says Quentin Rhoads, director of professional services at Critical Start.
Hay and Rhoads say the best pen tests are targeted. So start with a scoping interview where you identify what you want to get out of the pen test. If you don't get pen tests every year, it's unrealistic to think you'll be able to fix everything in your network from just one test.
Here are seven tips that Hay, Rhoads, and Rapid7's Tod Beardsley offer up to companies looking to get their money's worth out of a penetration test.
Hay, whose firm offers pen testing services, says companies need to be very clear what they want from their third-party penetration tester. It doesn't make any sense for the company to have all its systems, servers, and applications tested. It's better to tell the pen tester to run a test on two or three specific external IP addresses, and then focus on the most important Web app. For example, a healthcare company might want to focus on medical data. And banks will want to key in on financial data.
Quentin Rhoads, director of professional services at Critical Start, adds that companies need to identify the scope: how many servers to test and the number of Web apps. Armed with that information, the pen tester can offer a realistic price and set goals they can meet.
A pen tester can inundate you with technical detail, but it's of little use when the reality is that the people who spend money on security products and services are typically not very technical, says Hay. A report should specify the infected files that will disrupt the business if they are not remediated, what the company stands to lose, and the tools and costs of the tools needed to fix the problem. Business managers also want to know if policy changes can fix the issue.
Speaking of policies, Tod Beardsley, director of research at Rapid7, adds that companies may need to change the way they assign administrative passwords. Companies may also need to educate their staffs on how to use password managers. While they offer a single point of failure, they are generally reliable and secure, he says. Other policy changes may include insisting that people who work from home only use company-issued devices.
It's really helpful for companies to find out from their pen test what they are doing correctly security-wise, says Critical Start's Rhoads. For example, the test could provide insight that shows the endpoint management software they deployed has been working well, that their security operations center is solid, and the employee education program they started last year has been successful. Finding out what's working helps companies prioritize. The business managers really appreciate it because they now know what kind of security investments to make.
In most circumstances, security and operations people don't know how many lines of code go into an app, which is why it's important to get the developers involved. For pen testing purposes, the testers may need the source code so they can evaluate the application more effectively. That's much more time-consuming and will add to the cost of the project. By getting the developers involved, Hay says, companies can run more effective pen tests on applications, which will reduce costs over the long term and keep their applications more secure.
Most companies will only require a full pen test once a year. However, Rhoads says there are some companies that are so massive that each department or organization will need to rotate quarterly. From a vertical industry perspective, it's fine for oil and gas companies and municipalities to do an annual pen test, but code shops with multiple developers really need to run code reviews quarterly. The risk is that security vulnerabilities change so frequently in code that the applications will fall victim to exploits.
While the business people are concerned with top-level costs and risks, the technical people really need to understand what's wrong. The pen tester must thoroughly document and prove why and where a vulnerability exists. They have to show the customer how they hacked through the system so the customer can fix the problem. They also need to set an action plan so that over time, it gets harder and harder for the pen tester to hack through the customer's systems.
"When I started with a few clients, we easily breached them," says Critical Start's Rhoads. "But over time we closed up a lot of issues by putting good security principles into practice."
Rapid7's Beardsley says that while companies may need pen testers to validate that they need to replace some 60 Windows XP machines, pen testers really earn their money when they go beyond the obvious. Sure, it can help the security team to have a third party validate to management that those Windows XP machines need replacing, but what companies really need are pen testers who can hack through the business app that the customer has been adding on to for the past 30 years. In a medical environment, for example, pen testers are good at hacking through a lot of the communications protocols that doctors and nurses run on all the small medical devices they use. These include near-field communication, Bluetooth, and other proprietary low-bandwidth protocols. A medical testing device may seem innocuous, but it becomes a big deal if test information leaks out that someone has cancer, depression, or a rare blood disease.