3 Tips on How to Get the Most Out of a Penetration Test
We hope that this post helps you get the most out of your next penetration test.
1) Refine and Communicate the Purpose
Why are you doing the penetration test? Is it to meet a specific compliance requirement, or is it to test your security and determine risk? If it’s both, you’re likely going to have to prioritize one or the other.
Write out your primary goal, and then break it down into at least 3 sub-goals.
For example, if the primary reason you’re getting the pen test done is to place a check in the box for PCI compliance, you might as well determine some other goals to get maximum value out of the testing process. Some other goals you might want to communicate to the pen testing team could be:
- You have concerns about a specific application, server, or part of your network and want focused testing to alleviate these concerns
- You have concerns that your IT staff are not taking security seriously and would like to provide a wake-up call
- You need to convince management of the need for more funding or focus on security
- You have concerns that an insider threat (employee) may have access to more information than required to perform their duties
- You want to validate that contractors are not introducing vulnerable devices or access to the network
Communicate your goals and purpose to the penetration test team. Determine exactly what you want to get out of the process. As pen testers, we want to give you exactly what you want and we can only do this if we know what you want. This communication can greatly enhance your satisfaction with the overall process.
2) Prepare Technical Staff and Management in Advance
Properly set the expectations of both management and technical staff members in advance.
Management needs to know:
- there is no such thing as “being secure”
- the pen testers are highly skilled and WILL find vulnerabilities that need to be addressed
- there will be follow-on work, both short-term and long-term, such as vulnerability remediation and validation
Technical staff needs to know:
- there is no such thing as “being secure”
- the pen testers are highly skilled and WILL find vulnerabilities that need to be addressed
- we’re very experienced and see a lot of networks, so we know the right ways, the wrong ways, and the better ways to do a lot of things
- we will be respectful and humble when presenting vulnerabilities
- we freely admit that we don’t know everything
- it is better to identify vulnerabilities via penetration testing and have the opportunity to fix them, than to be compromised by a real attacker
- we will not be subversive or devious, nor will we attempt to embarrass or call out any particular individual
- our job is to be objective – we seek to identify risk
3) Define Your Desired Outcome
Determining what you want and need in the report is very important. Do you want something specific? Do you need certain portions of your network split up into separate appendices? Do you need a summary table of findings? Do you need findings mapped to security controls? Do you need multiple briefings to different audiences?
Request a copy of our report format and review it in advance. If you don’t like something about the report, or want something else, no problem. Just let us know. We want to give you exactly what you want. This also ties back to our first point: if certain goals are known from the beginning, they can be addressed clearly in the report. This will help the pen test team give more focused advice on how to solve the issues related to your goals, which may differ from fixing the individual vulnerabilities themselves.