Getting the Most from Your Pen Tests - During and Afterwards

Facilitating the pen test

It is very important to understand that the objective of a pen test is not to discredit or diminish the work of your developers or internal IT Team, but to enhance your organisation’s security posture.  The results of your pen test will help your developers and IT Team carry out their roles more effectively.  As such, it is critical for pen testers to find as many vulnerabilities as possible in the limited time they have available so that you can fix the vulnerabilities before a threat actor can exploit them.  Actively blocking the tester’s activity or having active protection mechanisms such as web application firewalls (WAF) or intrusion prevention systems (IPS) blocking or slowing down the test will only reduce the value you gain from the pen test.  Supporting the pen test and providing an environment where the testers can test without interruptions will maximise the benefits for your organisation.  Ways in which you can facilitate the testing include:

• Whitelisting pen tester IP in WAFs/IPS systems
• Providing previous pen test reports where available
• Providing a test environment that is as close as possible to the production one, but where data can be added, deleted or modified without affecting actual users
  • Populated with data
  • With user accounts
  • All functionalities working correctly

• Ensuring a technical person is available to assist with any technical issues during the test and remove blockers for testing as soon as possible
• Avoiding the implementation of development work and major changes to the environment while being tested
• Ensuring relevant teams are aware of the pen test taking place to avoid actively blocking the tester during the assessment.

Feedback

It’s important for you to maintain an open communication channel between yourself and your pen tester to both provide and receive feedback throughout the assessment.  You should also ask your tester to provide immediate feedback if a critical vulnerability is discovered during the test, as this will allow you to fix it as soon as possible and eventually re-test the vulnerability during the same testing window.

You will need to provide feedback to testers if monitoring and alerting systems detect pen testing activity.  These can be taken into account when evaluating the overall security posture of the environment and can be included in the pen test report, together with other positive aspects identified during the test.  This will help you prioritise the remediation efforts.

Project closure

We would always recommend that you request a debrief call to review the main findings and ask questions if anything is not clear.  This will allow you to receive a professional opinion from the tester and obtain a feel for the overall security posture of the asset being tested.

Remediation activities

If you’ve followed all the steps we have outlined so far (both here and in our previous blog), at this point you should have received a high-quality penetration test from a trusted and effective pen test provider.   The test will have covered the various threats your assets are exposed to, and will have assessed the risks to your organisation if a threat actor was to exploit the vulnerabilities identified during the assessment.  What you do with these results is extremely important and much will depend on the maturity of your organisation’s security, the resources available and processes you have in place.

In order to gain the most from your pen test, we recommend the following:

If you have a vulnerability management process:

• Feed it with results of your pen test and follow the steps defined by your organisation.
• Fine tune your vulnerability management process to close any gaps that your pen test has identified.  The test may, for example, have shown that your current vulnerability management process was not able to identify certain risks.  If that is the case, you need to evaluate ways of extending your vulnerability management process to be able to identify similar risks in the future.

If you don’t have a vulnerability management process:

• Consider implementing one that helps your organisation prioritise and reduce the risks in an effective manner and in the shortest possible period of time.
• Take responsibility for remediations to be implemented.  Regardless of what the pen test reports says, your systems are your responsibility and it’s your responsibility to align with your company policies and objectives, and reduce the risks accordingly.
  • Acknowledge risk ratings and priorities suggested by the pen test provider, but also apply your own knowledge of internal systems, business objectives and any compensating controls you have in place to implement the most effective risk mitigation strategy for you
  • In the same way, acknowledge recommended solutions offered by the pen test provider, but implement solutions that work best for you.

Retest

Once you have fixed the identified vulnerabilities, it is important to ensure that the solutions implemented effectively mitigate the risks.  Perform a retest as soon as possible, especially for those risks that are considered to be critical or high severity.

We at URM would also recommend performing a pen test after any major changes to your environment.  This can be a focused test to only test the parts of the system affected by the changes.

As pen tests are point-in-time assessments, it’s important to perform regular penetration tests as new vulnerabilities are discovered every day.  However, as pen tests can be expensive, a practical strategy can be to perform more frequent vulnerability assessments between less frequent (but still regular) pen tests.

‍