This brings us to the second most important question of the day: “What is the right kind of penetration test for your organisation?”
If penetration testing is something that is mandated in your industry, you may be tempted to find the lowest cost automated penetration testing service available so that in a few days’ time you’ll have a branded report on your desk and be finished. But there are a few considerations to think about before going this route:
1. If you are already going to allocate funds to do a penetration test, and since it is already mandated that you have one done, then why not leverage the situation to gain the benefits of a more comprehensive and personalised test?
2. If you go with a lightweight online penetration test service and then get compromised later down the road, will you be able to rationally defend your selection of penetration testing service, and the associated narrow scope of coverage? Ultimately, if we care about the security of our people and our data, it is the real-world threat that counts the most.
While compliance requirements may be a necessary evil, they do not equate to a necessarily secure environment. So much effort is spent meeting compliance requirements that sometimes actual operational security isn’t assessed adequately. It is easy to forget the reasons for having security in the first place when we are running around just trying to validate compliance, instead of analysing the real-world threats and risks that lead to eventual compromise. This is called “doing the job right instead of doing the right job.”
What do I need to look for in a Penetration Testing Service Provider?
So, let’s assume we want as real-world a penetration test as our budget allows. What are some of the things to look for from a penetration test service company during the selection and agreement phases? Here are some suggestions gained from experience:
Hire the right talent. Ultimately, you are hiring a team of people with the experience, skills, and tools to do the job right. Penetration testing is an inherently high-risk endeavour. Things break, stuff goes wrong, alarms go off (hopefully) and that is the whole point. Make sure the team you are hiring is experienced, and ask them detailed questions about how they come up with a test plan, rules of engagement, and the final reporting content. If an inexperienced penetration tester is hired, you’ll have just as many alarms go off, but you may not have any positive test results to show for their efforts. The last thing you want from a penetration test is a lack of actionable results. This is not the time to feel good about your security because a pen test didn’t uncover weaknesses on your network!
Pay attention to scope. This is one of the trickiest parts of any penetration test, and the right team will be the one that helps you determine both what should be scoped into the target environment and what should be scoped out. Before the test begins, there should be clearly defined IP address ranges, external URLs and IP addresses, and applications, both internal and external. Other scope considerations include the degree to which social engineering is acceptable and whether there are any off-limits people who should not be targeted. Similarly, physical access to everything from buildings to bins should be defined at the outset. By limiting scope, you effectively focus more effort on those areas of your organization you want to be tested, and you also prevent unacceptable actions from being taken against resources that are deemed off-limits. Often overlooked, scope should also be prioritised as much as possible so that the test team spends focused time on high-value assets. You want to strike a balance between too broad and too narrow a scope, based in part on your budget. If it is defined too broadly, efforts will not be focused properly in the allotted time. If it is too narrow, however, the testers may not be given enough lateral flexibility to explore alternate paths towards real-world exploitation.
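The scope agreed with the test team is only useful if it is checked against every target before anything is touched. The following Python scope checker is an added example written for this post, not a tool from the original article or from any provider it mentions; the CIDR ranges, hosts and URLs in it are constructed sample values, and the rule that exclusions always override inclusions is an assumed convention that a rules-of-engagement document would normally spell out explicitly.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample rules of engagement (assumed format; values are illustrative only).
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "10.20.0.0/16"],
    "out_of_scope_networks": ["10.20.99.0/24"],   # e.g. a segment the client declared off-limits
    "out_of_scope_hosts": ["203.0.113.50"],       # e.g. a single appliance that must not be touched
    "in_scope_urls": ["https://www.example.test", "https://portal.example.test/app"],
}


def _networks(cidrs):
    """Parse CIDR strings once; strict=False tolerates host bits set in the agreement."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify_ip(ip_str, scope=SCOPE):
    """Return 'in', 'excluded' or 'out' for an address. Exclusions override inclusions
    (assumed convention), so an excluded host inside an in-scope range is still 'excluded'."""
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on anything that is not an IP
    if any(ip == ipaddress.ip_address(h) for h in scope["out_of_scope_hosts"]):
        return "excluded"
    if any(ip in n for n in _networks(scope["out_of_scope_networks"])):
        return "excluded"
    if any(ip in n for n in _networks(scope["in_scope_networks"])):
        return "in"
    return "out"


def classify_url(url, scope=SCOPE):
    """A URL is 'in' only if scheme and host match an agreed base URL and its path sits
    under the agreed base path. A base with no path covers the whole host."""
    target = urlparse(url)
    for base_str in scope["in_scope_urls"]:
        base = urlparse(base_str)
        if target.scheme != base.scheme or target.netloc.lower() != base.netloc.lower():
            continue
        base_path = base.path.rstrip("/")
        if base_path == "" or target.path == base_path or target.path.startswith(base_path + "/"):
            return "in"
    return "out"


def triage_targets(targets, scope=SCOPE):
    """Split a proposed target list into allowed, blocked and invalid entries.
    Anything not explicitly in scope is blocked; unparsable entries are flagged for review
    rather than silently dropped, because a typo in a target list is itself a scope risk."""
    result = {"allowed": [], "blocked": [], "invalid": []}
    for t in targets:
        try:
            verdict = classify_url(t, scope) if "://" in t else classify_ip(t, scope)
        except ValueError:
            result["invalid"].append(t)
            continue
        result["allowed" if verdict == "in" else "blocked"].append(t)
    return result


if __name__ == "__main__":
    proposed = ["10.20.1.5", "10.20.99.7", "203.0.113.50", "not-an-ip",
                "https://www.example.test/login", "https://portal.example.test/other"]
    for bucket, items in triage_targets(proposed).items():
        print(f"{bucket}: {items}")
```

Bare hostnames are deliberately treated as invalid here rather than resolved: name resolution at test time can point at an address that was never in the agreement, so a checker like this should only accept the literal IP ranges and URLs that both parties signed off on.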
Blackbox vs. Whitebox. There are advantages and disadvantages to both.
A Whitebox test (in which the attacker is pre-loaded with information or network access going into the engagement that would be difficult to obtain on their own) has two advantages:
1. Less time and money is spent on the discovery, reconnaissance and enumeration portions of the test, leaving more time and money to be spent on breaking applications, network devices, people, etc.
2. The threat posed by insiders is often underestimated by organisations that entrust them with physical and logical access to IT resources. By its very nature, whitebox testing puts the attacker one step closer to the internal environment and may help uncover vulnerabilities in internal applications that a blackbox test might not.
The advantages of a blackbox test (in which only a small amount of an organisation’s information is provided, or only that which is uncovered via Internet searches and phone calls into the organisation) include:
1. It provides the best ‘real-world’ view of the organisation from an external attacker’s perspective.
2. It naturally forces the attacker to spend time uncovering information on the organisation that is public or can be social-engineered out of employees or partners. By analysing the results of this process, an organisation will learn a tremendous amount about how an attacker can gain a foothold starting from scratch, and can then take steps to mitigate or resolve those vulnerabilities.
Goals and Objectives. By establishing what the overall goals of the test are going in, you allow the test team to produce a report that caters to those goals and addresses them. If there is a particular hot button you want to make sure is addressed, be sure to include it outright in the goals (e.g. test the ability to reach the development environment from the production network and attempt to access source code or other intellectual property). Understand that not all of the goals may be met during the test, and in some cases this may be a good thing!
Recommendations. Before choosing a test team, be sure to discuss whether or not, and to what extent, recommendations will be made in the report. Don’t assume that a pen test report will include detailed recommendations about how to mitigate or resolve every finding. Ask for a sanitised example of a report and review the recommendations. Are they written in a way that is actionable by your staff after the engagement? Avoid recommendation examples that read like this: “We recommend that your firewall is configured using industry best practices using the concept of least privilege”. That’s simply too high-level to be of value and won’t help your firewall admin know what needs to be changed on the firewall from how it is already configured.
Schedule the events properly. Work with the test team to determine when certain systems should be tested. You might not want your online payment system to be tested during peak purchase hours, for example. Conversely, you definitely DO want the test team to run a sniffer on the network during normal business hours. The test team should be able to guide the conversation to account for any scheduling considerations before the test begins. If this doesn’t happen, or if the question never even gets asked, it’s a sign you may be headed for a painful experience.
While not exhaustive by any means, those are some good things to keep in mind when selecting and coordinating with a testing partner. One last suggestion: trust your gut. You are about to hire a team of experts to thwart your security, access your systems via atypical means, and uncover and expose these vulnerabilities in a consolidated report. Make no mistake; you are inviting a third party to penetrate deep into your organisation. That is both the primary value of a pen test and the reason to trust your gut instincts. If you find yourself not trusting either the integrity or the capability of a test team, walk away.
The Take Away
At the end of the day, when it comes to your data, your networks, your business and your people, one thing matters most: real-world security. The value you gain from a penetration test depends largely on your choices in who you trust as a partner, what degree of freedom you entrust them to operate within, and how they cater their reporting to your organisation’s needs. Getting a penetration test is a bit like going for an MRI: it’s never something you want to do, and you hope the results come back negative, but you do it because you want peace of mind and you want to know what things look like in the real world.
If you would like to talk about Security and Penetration testing Nationwide then please give Q2Q a call on 01524 581 690 and we will be happy to help.