Effective Pen Tests Follow These 7 Steps
Third-party pen tests are part of every comprehensive security plan. Here's how to get the most from this mandatory investment.
May 14, 2019
There's little debate about whether penetration tests should be part of a comprehensive cybersecurity plan. It's critical that defensive systems be tested by real-world pros so vulnerabilities and weaknesses can be found and corrected.
Instead, the question is how to get the most from the investment.
In all but the rarest cases, a pen test means having a third party explore the strength of an organization's security. Many of the keys to effectiveness have been repeated as business wisdom so often they've become cliché: Know what you want, know the group you're hiring, communicate clearly, write it down, and have a plan for what you'll do with the results.
[Hear John Sawyer, director of red team services at IOActive, present Getting the Most Out of Penetration Testing and Red Teaming at Interop 2019 next week]
With each of these points, and the others on this list, factors specific to third-party pen tests need to be considered. This list, cherry-picked from conversations, conference panels, Internet articles, and personal experience, includes the basics of what an organization needs to think through before launching a third-party pen test. What other factors should be on this list? Let us know in the Comments section, below.
(Image: putilov_denis VIA Adobe Stock)
When an organization is getting ready to pay for an outside group to come in for a penetration test, executives might be tempted to answer the question, "What do we want them to test?" with a simple, "Everything, of course!" Giving in to that temptation, though, can be a grave mistake.
Penetration tests should be seen as targeted exercises. That target can, of course, be large: A pen test focusing on the network perimeter, for example, could cover a lot of cyber territory. But that territory wouldn't include the organization's application servers. In order to get the most from a third-party pen test, it's important to start with a clear idea of what you want the pen test to tell you.
Among the questions to ask yourself: Why are you performing the pen test? Is it to answer questions about your security? Is it to check a box for regulators, auditors, or insurance underwriters? Are you trying to find out what went wrong in the most recent breach of your security perimeter? Each of these will have its own set of parameters and processes. And each will return its own set of data and conclusions.
It's critical that you have a clear understanding of the pen test's purpose and that you express that purpose to the pen testers clearly. Make sure they understand what you've told them and that the scope of the test is agreed to by both sides. Once the understanding is reached, put it into writing.
After all the test parameters have been agreed to, how will the pen-testing group put those parameters into practice? How will they do what they say they'll do? The hands-on analysts and engineers defending the network will be kept in the dark, but those paying for the test and using the results should have a very clear and precise idea of what is about to happen.
There are many reasons for insisting on these details, but a few stand out: First, management will want to know so they can be prepared for the warnings that (should) come their way from the defense team during the test. Next, seeing test details will help reassure you that the pen-testing team actually heard you and understands how to put your testing needs into action.
There's a third reason for those test details: They could be crucial for sorting things out if an actual attack occurs while a pen test is underway. It's a low-probability occurrence, but should it happen, recognizing malicious action that is well outside the parameters of the test can allow for more rapid response and more complete remediation.
It's one thing to get a final report on the results of a pen test. It's quite another to be able to see the attack (and response) in real time and then play back the critical points in a post-mortem of the results. All of these additional information sources depend on a key factor: having monitoring capabilities and plans in place before the test begins.
In one sense, monitoring everything that happens during a pen test should be automatic, as part of the basic security infrastructure. But when you know that a particular set of events is on the way, monitoring can be established outside normal channels to enable full forensic analysis to take place more rapidly than might normally be the case.
Understanding where to place monitoring points should be part of the pen-test design, worked out in collaboration with the pen-test group. Proper monitoring will form a foundation for the post-test analysis and reporting to come.
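One concrete way to make the agreed parameters and the monitoring plan work together is to triage alerts raised during the test against the written rules of engagement: anything that matches the agreed window, the testers' declared source addresses and the in-scope targets is attributed to the test (and still recorded for the post-mortem), while anything else is handed to the normal incident-response process. The script below is an added example written for this article, not code from the article or from any pen-testing firm; the rules of engagement, address ranges and alert records are all constructed sample values, and the field names (`ts`, `src`, `dst`, `sig`) are assumptions about what a SIEM export might contain.

```python
"""Triage alerts raised during a pen test against the agreed rules of engagement.

Added example; not part of the original article. Assumes the rules of
engagement were written down as a UTC test window, the testers' source
address ranges and the in-scope target ranges. All values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    start: datetime          # agreed test window (UTC)
    end: datetime
    tester_sources: tuple    # CIDRs the testers said they would use
    targets: tuple           # CIDRs explicitly placed in scope


def _in_any(addr, networks):
    """True if the address falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def classify_alert(alert, roe):
    """Label one alert dict with 'ts', 'src' and 'dst' keys.

    'expected'            -> matches window, source and target: attribute to the test.
    any other label       -> does not fit the agreed test; treat as a real incident.
    """
    ts = datetime.fromisoformat(alert["ts"])
    if not (roe.start <= ts <= roe.end):
        return "outside_window"
    if not _in_any(alert["src"], roe.tester_sources):
        return "unknown_source"
    if not _in_any(alert["dst"], roe.targets):
        return "out_of_scope_target"
    return "expected"


def triage(alerts, roe):
    """Split alerts into those attributable to the test and those to investigate."""
    result = {"expected": [], "investigate": []}
    for alert in alerts:
        label = classify_alert(alert, roe)
        bucket = "expected" if label == "expected" else "investigate"
        result[bucket].append({**alert, "label": label})
    return result


# Constructed rules of engagement (hypothetical values, not from the article).
ROE = RulesOfEngagement(
    start=datetime(2019, 5, 20, 8, 0, tzinfo=timezone.utc),
    end=datetime(2019, 5, 24, 18, 0, tzinfo=timezone.utc),
    tester_sources=(ip_network("203.0.113.0/24"),),   # documentation range, stands in for the testers
    targets=(ip_network("198.51.100.0/24"),),          # documentation range, stands in for the in-scope perimeter
)

# Constructed sample alerts, shaped like a simple SIEM export.
SAMPLE_ALERTS = [
    {"ts": "2019-05-21T10:15:00+00:00", "src": "203.0.113.7", "dst": "198.51.100.20", "sig": "port scan"},
    {"ts": "2019-05-21T10:17:00+00:00", "src": "203.0.113.7", "dst": "192.0.2.5",     "sig": "port scan"},
    {"ts": "2019-05-21T11:02:00+00:00", "src": "192.0.2.99",  "dst": "198.51.100.20", "sig": "login brute force"},
    {"ts": "2019-05-25T02:00:00+00:00", "src": "203.0.113.7", "dst": "198.51.100.20", "sig": "suspicious upload"},
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS, ROE).items():
        for item in items:
            print(f"{bucket:12} {item['label']:20} {item['src']} -> {item['dst']} ({item['sig']})")
```

Of the four constructed alerts, only the first is attributable to the test; the other three (a target outside the agreed scope, a source the testers never declared, and activity after the window closed) are exactly the cases the article warns about and go to the defense team as ordinary incidents. Keeping the "expected" bucket rather than discarding it preserves the real-time record that the post-test playback depends on.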
It can be tempting to end pen-test plans with the test's conclusion. But resist that temptation, because getting the most from a test means getting the most from the results and how they're presented to various stakeholders.
Much of the information for this plan should be in place from earlier decisions and procedures: All of the basics of what kind of data is needed, and for what purposes, should have been decided before the test began. What's left is deciding how that information will be presented to the security team and whether there's a plan to remediate immediately after the test or take a more studied path to any changes.
A plan for the presentations and discussions to take place will accompany the plan for delivering results to auditors, regulators, and insurers. Questions about whether the report should be in language suitable only for the security team, or whether conclusions should be couched in terms that other IT department staff or even nontechnical employees can understand, should be answered. Think "follow through" as part of the total test planning, and the results (whatever they may be) will be far more useful.