Best Practices Guide: Penetration Testing
Many companies still rely on penetrating testing when it comes to identifying and managing potential vulnerabilities. This usually means hiring a third-party IT engineer to wage a proxy attack on the company’s digital assets. They will try to exploit certain vulnerabilities in the system and then report their findings to the company’s IT leadership, so they can patch these flaws before a real attack occurs.
However, penetration testing often forces companies to focus on the most glaring vulnerabilities while less noticeable threats go unaddressed. Penetration testing remains a valuable part of the vulnerability management process, but companies should tailor their approach based on the latest trends in the cybersecurity industry. Use this guide to penetration testing to increase cybersecurity at every turn.
What is Penetration Testing?
Penetration testing, a.k.a. pen testing, is defined as a method of evaluating IT security by simulating an attack on computer systems, networks, or applications from external and internal threats.
Trusted individuals, or ethical hackers, usually from outside the organization, actively attempt to exploit vulnerabilities and gain access to system resources without damaging or disrupting an organization’s production services.
Cyberattacks are becoming more common and dangerous all the time. Companies do penetration testing to make sure they can patch these vulnerabilities before malicious hackers can wage a real attack. This reduces the chances of an actual cyber attack disrupting the company’s operations or leaking sensitive information to the public.
Penetration testing tools can help companies in various industries comply with the latest cyber security regulations, such as those outlined in New York’s Financial Services Cybersecurity Regulations (23 NYCRR 500), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Office of the Comptroller of the Currency (OCC). Companies may submit records of their pen testing to the proper authorities during an audit.
Unlike other forms of IT security, penetration testing shows the company how feasible it would be for a malicious hacker to wage an attack on its assets. If the attack is easy to stage, many hackers will likely try to exploit this vulnerability.
Penetration Testing: Best Practices
Companies that conduct penetration testing should follow these four steps:
Planning and Preparation
The planning phase should include a formal agreement between the two parties that specifies the engagement team, the exact dates and times of the test, escalation path, and other arrangements.
Detection and Penetration
During the detection phase, the penetration tester tries to gain access to the company’s information assets. When a potential entry point is identified, attempts are made to verify the validity of vulnerabilities by exploiting them.
Post-Exploitation and Data Exfiltration
The tester must document all possible penetration paths, so the company can identify where access has been achieved and the impact on sensitive data, configuration settings, communication channels, and relationships with other devices that can be used to gain further access to the network.
Reporting, Clean Up, and Destruction of Artifacts
During the final phase, the company receives a security assessment report that contains detailed information on what vulnerabilities were found, samples of where they were found, what it means, and specifics on how to remediate the issues. The company should then follow up on these vulnerabilities by patching the system as quickly as possible.
When is Pen Testing Most Effective?
Pen testing is only effective when companies follow the steps mentioned above. The more detailed the report, the better the IT team can remediate these vulnerabilities. Companies should consider implementing the following best practices into their testing methodology:
Choosing What to Test
Companies should focus on testing a wide range of digital assets while prioritizing assets that contain sensitive information and those used to disrupt the company’s operations. External penetration testing refers to assets that are reachable from the internet, including cloud-based assets and downloadable apps and software programs. Companies are increasingly relying on these assets as more employees work from home.
Pen testers usually offer a range of services that can affect the scope of the test. Companies should tailor the scope based on which assets are the most vulnerable to attack. They should also include new types of cyberattacks in the report, including PBX & VOIP systems and social engineering attacks, as well as those that rely on human error.
Conducting the Test
Before the pen tester begins waging the attack, the organization must ensure that it will not disrupt daily operations. If the test could impede operations, it should be scheduled during off-times when most employees do not need access to these assets.
Following Up on the Test Report
Once the company has the penetration report, it may need help remediating all possible penetration paths. Companies should request a full debriefing from the pen tester, so they can collect as much information about the proxy attack as possible. Management should feel comfortable asking follow-up questions to make sure the organization can put this information to good use. Once the company remediates the flaw, they may need to schedule another pen test to ensure that the issue has been resolved.
NopSec provides an Executive Readout and Remediation Assistance as part of its penetration testing services. During this process, you can get clarification about critical and high-level vulnerabilities along with guidance on remediation. It might also be advisable to schedule a follow-up re-test at a later date to ensure that your vulnerability remediation efforts have been successful. NopSec also offers complimentary re-tests to validate remediation steps along with Positive Control Validation.
If you are new to penetration testing or looking to refresh your knowledge, download the full Best Practices Guide: Penetration Testing guide by NopSec to help you quickly understand the choices you have available.