When performed effectively, penetration testing can be a hugely valuable exercise for organisations and lead to substantial improvements in their security postures. By mimicking the approach of a real threat actor, testers can help you identify and remediate vulnerabilities in your organisation’s IT environment before a genuine attack occurs. However, organisations which conduct penetration testing to meet internal or external requirements (e.g., at the request of stakeholders, to meet the requirements of a particular standard, or in line with internal policy) often only see it as a means of fulfilling their obligations and fail to reap all the benefits these tests can provide.
Following on from our previous blog on How to Get the Most From Your Penetration Tests, where we outlined some steps you can take before tests are conducted to increase their value to your organisation, this blog will explore what you can do during and after the test to ensure you fully capitalise on your pen testing engagement.
During the Test
Facilitating the pen test
It is very important to understand that the objective of a pen test is not to discredit or diminish the work of your developers or internal IT team, but to enhance your organisation’s security posture. The results of your pen test will help your developers and IT team carry out their roles more effectively. As such, it is critical for pen testers to find as many vulnerabilities as possible in the limited time they have available, so that you can fix them before a threat actor can exploit them. Actively blocking the tester’s activity, or having active protection mechanisms such as web application firewalls (WAFs) or intrusion prevention systems (IPS) block or slow down the test, will only reduce the value you gain from the pen test. Supporting the pen test and providing an environment where the testers can work without interruption will maximise the benefits for your organisation. Ways in which you can facilitate the testing include:
- Whitelisting the pen testers’ IP addresses in WAF/IPS systems
- Providing previous pen test reports where available
- Providing a test environment that is as close as possible to the production one, but where data can be added, deleted or modified without affecting actual users:
  - Populated with data
  - With user accounts
  - All functionality working correctly
- Ensuring a technical person is available to assist with any technical issues during the test and remove blockers for testing as soon as possible
- Avoiding the implementation of development work and major changes to the environment while it is being tested
- Ensuring relevant teams are aware of the pen test taking place, to avoid actively blocking the tester during the assessment
Feedback
It’s important to maintain an open communication channel between yourself and your pen tester to both provide and receive feedback throughout the assessment. You should also ask your tester to provide immediate feedback if a critical vulnerability is discovered during the test, as this will allow you to fix it as soon as possible and, where possible, re-test it within the same testing window.
You will also need to provide feedback to the testers if your monitoring and alerting systems detect pen testing activity. These detections can be taken into account when evaluating the overall security posture of the environment and can be included in the pen test report, together with other positive aspects identified during the test. This will help you prioritise your remediation efforts.
Following the Test
Project closure
We would always recommend that you request a debrief call to review the main findings and ask questions if anything is not clear. This will allow you to receive a professional opinion from the tester and obtain a feel for the overall security posture of the asset being tested.
Remediation activities
If you’ve followed all the steps we have outlined so far (both here and in our previous blog), at this point you should have received a high-quality penetration test from a trusted and effective pen test provider. The test will have covered the various threats your assets are exposed to, and will have assessed the risks to your organisation if a threat actor were to exploit the vulnerabilities identified during the assessment. What you do with these results is extremely important, and much will depend on the maturity of your organisation’s security, the resources available and the processes you have in place.
In order to gain the most from your pen test, we recommend the following:
If you have a vulnerability management process:
- Feed it with results of your pen test and follow the steps defined by your organisation.
- Fine-tune your vulnerability management process to close any gaps that your pen test has identified. The test may, for example, have shown that your current vulnerability management process was not able to identify certain risks. If that is the case, you need to evaluate ways of extending your vulnerability management process so that it can identify similar risks in the future.
If you don’t have a vulnerability management process:
- Consider implementing one that helps your organisation prioritise and reduce the risks in an effective manner and in the shortest possible period of time.
- Take responsibility for implementing remediations. Regardless of what the pen test report says, your systems are your responsibility, and it is up to you to align with your company policies and objectives and reduce the risks accordingly.
- Acknowledge the risk ratings and priorities suggested by the pen test provider, but also apply your own knowledge of internal systems, business objectives and any compensating controls you have in place to implement the most effective risk mitigation strategy for you.
- In the same way, acknowledge the recommended solutions offered by the pen test provider, but implement the solutions that work best for you.
Retest
Once you have fixed the identified vulnerabilities, it is important to ensure that the solutions implemented effectively mitigate the risks. Perform a retest as soon as possible, especially for those risks that are considered to be critical or high severity.
We at URM would also recommend performing a pen test after any major changes to your environment. This can be a focused test covering only the parts of the system affected by the changes.
As pen tests are point-in-time assessments, it’s important to perform regular penetration tests as new vulnerabilities are discovered every day. However, as pen tests can be expensive, a practical strategy can be to perform more frequent vulnerability assessments between less frequent (but still regular) pen tests.
How Can URM Help?
As a CREST and CREST OVS-accredited organisation, URM can offer a wide range of penetration testing services to help your organisation meet any internal and external requirements for penetration testing whilst also tangibly improving your security posture. Our team of experienced and highly qualified cyber experts can offer pen testing services against all assets associated with your organisation, service or location. We can provide infrastructure and network penetration testing services to help you identify and remediate any vulnerabilities affecting your organisation’s environment. This can be either internal or external penetration testing, allowing you to establish the risk of both an external threat actor and someone internal to your organisation gaining unauthorised access. URM can also provide a number of other testing types, such as cloud penetration testing, vulnerability scanning, and website and mobile application penetration testing. In addition to these more traditional types of penetration testing, we can also offer a specialised business-led testing approach. Here, the scope of the test is dictated by your organisation’s unique risks and issues, with URM’s tester working collaboratively with you to devise a testing scope that investigates any concerns or questions you may have about your security posture.
At URM, we understand that the goal of any CREST penetration testing is to not only identify the vulnerabilities in your environment, but also to fix these vulnerabilities and mitigate any risks affecting your organisation’s assets. As such, URM offers a free retest of any high and critical-risk vulnerabilities we identify, and will conduct this retest within 30 days of the original pen test.
URM is pleased to provide a FREE 30 minute consultation on penetration testing for any UK-based organisation.