Pratum Blog

Cybersecurity in 60 Webinar: How to Get the Most Out of a Penetration Test Highlights

Performing regular penetration tests is an easy decision. They represent a key piece of your overall security strategy. But getting the most from your next penetration test can be more challenging as you sort through multiple questions. How do you choose the best penetration test vendor? How do you decide what to test? Why do quotes from different vendors vary so much?

All these key topics came up during Pratum’s latest Cybersecurity in 60 webinar. Pratum Senior Penetration Tester Jason Moulder and Troy University CTO Greg Price shared insights from the perspectives of a tester and a client on how to make the most of a penetration test. Here are the highlights of their conversation. To view the entire webinar, click here.

Greg Price, CTO, Troy University (pen testing client)
Jason Moulder, Senior Penetration Tester, Pratum

Q:

What should everyone know before they start a penetration test?

Jason:

First, make sure that you’re getting an actual penetration test and not just a vulnerability scan. (This infographic shows all the elements that go into a full penetration test.)

Second, do your homework on the penetration testing company you’re thinking of using. What kind of credentials do the actual testers have? How many years of experience do they have? What are people saying about them online? You should look for a long-term partnership, not just one-and-done things.

Greg:

It seems like someone calls me every day who is hanging out their shingle as a cybersecurity expert. I’m always dubious of those claims, especially if the organization appears overnight. So the maturity of the organization we’re going to work with is of enormous interest for me.


Q:

So what’s the difference between a vuln scan and a penetration test?

Greg:

A penetration test is predicated on a vuln scan. Any penetration testing professional has to know the lay of the landscape, which is where a vuln scan comes into play by knocking on the door, running various scans to see what’s forward facing for the Internet to take a peek at it.

The penetration test provides me greater insight into those vulnerabilities. It shows where gaps are not only from a technical perspective, but from a policy perspective. It provides a practical application of how my team is working, what’s going on with our resources.

Jason:

Keep in mind that a vuln scan is only programmed to find things that are known. (Click here for a full comparison of penetration tests and vuln scans.)


Q:

How do you set effective rules of engagement for the test?

Greg:

You can get stealthy with a penetration test or get loud and bang on the doors and hope somebody’s paying attention. If the rules are not laid out clearly, those doing the work can get too noisy and too rough and disrupt the environment, and that can be an absolute disaster.

We’ve used groups in the past that completely ignored the rules of engagement. If they found something, they would take it all the way down. That’s an awful experience for an organization of any size, but especially for us with a global operation and students engaged in various educational opportunities.

Jason:

That’s also an issue when it comes to automated tests like vuln scans. If the team isn’t coordinating with the client and saying what they’re going to be doing at a certain time, you can mess up all kinds of things such as rewriting databases, deleting things, and creating other unintended types of consequences.

Greg:

I don’t want a penetration test to turn into a test of my disaster recovery (DR) plan.


Q:

How do you set the proper scope for a penetration test?

Jason:

We identify components that would seriously affect you and everybody connected to you if they got compromised. I try to work with clients to keep the cost manageable while giving you what you actually need. We’ll guide you on what we see with other clients in the same industry, threat intelligence we’re getting and other things.

Greg:

As the customer, I should have some idea of where my weaknesses are, what I want to build on, where I want to strengthen the environment. If you’re not focused and looking at what’s vital to your organization, you could waste a lot of money just wandering around the edges and poking at things that are trivial. Also, be sure that you know how cloud and third-party components are managed before starting a penetration test.

So when you walk into a penetration test scoping call, you have to know what’s of great value and what needs to be protected from a corporate strategy perspective, a regulatory need, or a compliance need.

Take a good look at your DR plan. What are you looking at reconstituting if you have an enormous failure of your primary data operations? That’s probably the template for what you want to put in front of someone to do a penetration test against.


Q:

How often should you do a penetration test?

Jason:

If you have some underlying regulation that says you have to do at least two penetration tests a year, then you can’t really bypass that. But on average, if you don’t have anything really pushing you to do this more often, you should do a full penetration test at least once a year on your entire environment: external, internal, wireless.

Greg:

If you have experienced some massive shift in the infrastructure, introduced some product, exchanged some hardware, or done something else sizable, then it’s time to have someone come in and go after it and make sure it’s living up to expectations from a security perspective.


Q:

Should you tell your IT team when a penetration test is going on?

Greg:

I don’t tell anybody within my organization. I want it to be a test of our controls and tools, but I also want to see that the team reacts appropriately and that the various mechanisms we have in place for mitigation and triage are also functioning.

Jason:

I would rather see a team doing what they’re supposed to be doing. If it gets up to the CTO’s level, he can stop it there rather than going into the IR plan. We may purposefully fire off some real heavy stuff to see if we get shut down.


Q:

What’s your advice for organizations early in their security journey who might be choosing between things like a penetration test and risk assessment?

Jason:

First, make sure you’ve prepared by getting controls in place, mitigating vulnerabilities and patching software before you do a penetration test. Then you can engage a vendor to come in and do an audit or a risk assessment. When you get that report on paper, then the penetration test is there to quantify that.

Greg:

You don’t want to roll right out of the gate with having just turned on some new things and hired a couple of folks to work security and then bring in a penetration test group to examine what’s going on. That’s not going to be a good engagement for anybody. Use the penetration test as an opportunity for improvement. For me, it’s definitely a verification and validating tool.


Q:

The final report from a penetration test can be overwhelming. How do you react to findings and not take it defensively?

Jason:

We’re not trying to say you’re doing a bad job. We’re showing where you need to invest in training or shore things up. We hope that part of our result is to create a driving factor that shows your boss you need to reinvest into your overall scheme and hone the team’s skills a little more.

Greg:

I like to use the final report as a team-building exercise. We focus on the end goal of being better after we complete the exercise. If we got a report that proclaimed that we had absolutely nothing going on and everything was perfect, I would be skeptical.

Jason:

Some of the low-risk or informational findings could be the segue into a bigger finding when you chain that stuff together, and we identify that during the engagement.

Greg:

That shows the importance of people who have experience and actual experts to conduct these tests. Without that knowledge of the penetration tester to assemble those things, you may think it’s no big deal. But when it’s brought into context by people who have a lot of experience, that’s where the value really comes out in these types of examinations.


Q:

Prices on penetration tests diverge widely. What are key things to look at when comparing quotes?

Greg:

I typically look at the penetration testing team’s experience and their approach. We also review whether the tools they use are in-house, open source, or commercial.

Jason:

Take a hard look at why a lower price is lower. Sometimes we come in a lot lower than competitors because we cut out a bunch of stuff that you said you wanted but that doesn’t make sense for your objective. We want to focus in on your overall objectives and goals and why you need this penetration test to begin with. We don’t have to test everything in the environment. It’s not cost-effective.


To talk with Pratum’s team about how you can get the most value from your next penetration test, contact us today.
