Considerations For Your Next Penetration Test

Whether this is your first time looking for a penetration test, or you’re just interested in a refresher on what you need to do on your end, here at Open Security, we have you covered.  We want to do our best before, during, and after an engagement to make sure that you are getting the clearest picture we can of the current state of your organization or application.  Here are our tips for making sure you’re ready to engage our services, or any other penetration testing firm’s, in pursuit of your next cybersecurity review:

What is driving your testing need?

While this might often be a compliance-driven need, knowing what you’re looking to get out of a top-quality test will drive the answers you’re looking for throughout your engagement.  When dealing with compliance, your test needs are often very cut and dried.  PCI, for instance, mandates a full penetration test of your network every year, with the possibility of excluding network segments via further segmentation testing.  Additionally, you’ll often have the types of vulnerability scans, down to the vendor, prescribed for you.

You should consider a very different scope for your test if your desire for a test comes from internal security goals or unaccepted business risks.  These penetration tests should be centered on what your business’s most important assets are.  Often this can be customer personally identifiable information (PII) or maybe your product pricing information.  Perhaps you’re only interested in your organization’s cloud-based infrastructure.  Alternatively, you may be focused on determining the impact of a successful phish against an administrator and want to define the scope as your entire company in a full-scope red team engagement.

We can work hand in hand with you to properly scope out your test to ensure the most value to your organization.

Who is going to be your primary contact with us?

While we strive to ensure no impact on your services, by its very nature, penetration testing involves making systems perform in ways they were never designed to.  Even worse, we may sometimes find an easily exploitable way into your network or product that anyone online could reach.  As a result, whoever you choose to interface with us should be prepared for a potential midnight call when critical risks are identified.

No effort needs to be accomplished single-handedly, however.  Feel free to provide as many secondary contacts as you feel are necessary to answer further technical questions, determine mid-engagement expansions of scope, serve as direct contacts within your Security Operations Center, and more.

What are your current security practices?

While we’ll be happy to point out any security faux pas you might be committing, there are a few easy ones you should be able to answer without an expert’s help.  Consider:

  • Do you have a regular patching schedule?  If any script kiddie with public exploits can take you down, you have bigger problems on your hands than a penetration test!
  • Do you have strong passwords on your administrative accounts?  Unfortunately, password-based attacks are involved in close to 4/5ths of all security breaches!
  • In the event of an absolute worst-case scenario, do you have proper backups of any systems to be tested?  Have you recently tested your ability to recover from a stored backup?
  • Do your web or systems administrators already know your Achilles’ heel?  The people who run your systems day to day will know far more than any external party and often will have some ideas on how to fix those problems.  A penetration test can then be an excellent resource for helping to prioritize what needs fixing first!

Easy, free scans you can perform in an afternoon

While a vulnerability scan won’t catch everything, it can catch the lowest-hanging fruit that many penetration testers look for.  Not all of these may be applicable based on your scope.  Give these easy-to-use tools a quick try:

Network Vulnerability Scanning – Nessus

Nessus is the standard in terms of network vulnerability scans.  Best of all, it’s free to use for up to 16 IP addresses.  For some larger scopes, this may not be particularly useful, but selecting your key devices with some crown jewels on them can hopefully give you a guesstimate of the state of your network overall.  After all, if the most important servers in your organization come back with lots of red results, you can bet the rest of the network won’t fare much better.  Alternatively, pair Nessus with Nmap to gain a better perspective on your full network.

https://www.tenable.com/products/nessus/nessus-essentials
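One practical way to use the Nmap half of that pairing is to scan only your crown-jewel hosts, then compare the open services against what those hosts are supposed to expose, so anything unexpected (an old admin interface, a forgotten FTP daemon) is reviewed before the testers arrive.  The script below is an added example, not code from the original post or from Open Security; it parses Nmap’s grepable (`-oG`) output format and checks it against a baseline.  The host names, IP addresses, ports, versions and the `APPROVED` baseline are all constructed sample data, not a real scan.

```python
"""Added example (not part of the original post): summarise an Nmap grepable
(-oG) scan of a few in-scope hosts and flag open services that are not on an
approved baseline, so the crown-jewel servers can be reviewed first.
Everything in SAMPLE_OG and APPROVED is constructed sample data."""
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -oG` output for two hosts (not a real scan).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (db01.example.internal)\tStatus: Up
Host: 10.0.0.5 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 5.7.42/, 8080/open/tcp//http//Apache Tomcat/\tIgnored State: closed (997)
Host: 10.0.0.6 (web01.example.internal)\tStatus: Up
Host: 10.0.0.6 (web01.example.internal)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//ssl|https//nginx/, 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (997)
# Nmap done at ...
"""

# Constructed baseline: the ports each crown-jewel host is expected to expose.
APPROVED = {
    "10.0.0.5": {22, 3306},
    "10.0.0.6": {80, 443},
}

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
# (owner and rpcinfo are usually empty, hence the doubled slashes).
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service, version), ...]} for open ports."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        # Only the "Ports:" lines carry service data; "Status:" lines are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[ip].append((int(port), state, proto, service, version.strip()))
    return dict(hosts)


def unexpected_services(hosts, approved):
    """Return {ip: [(port, service, version), ...]} for open ports absent from the baseline.

    A host with no baseline entry at all has every open port reported, which is
    the right default for an asset nobody remembered to document."""
    findings = {}
    for ip, entries in hosts.items():
        allowed = approved.get(ip, set())
        extra = [(p, svc, ver) for p, _, _, svc, ver in entries if p not in allowed]
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_OG)
    for ip, extras in unexpected_services(scan, APPROVED).items():
        for port, service, version in extras:
            print(f"{ip}: unexpected {service} ({version or 'unknown'}) on tcp/{port}")
```

On a real run you would replace `SAMPLE_OG` with the contents of a `scan.gnmap` file produced by `nmap -sV -oG scan.gnmap <your in-scope hosts>`, and maintain `APPROVED` from your change records; anything the script prints is a service to either document or shut down before the engagement begins.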

Web Vulnerability Scanning – Pentest-Tools

Pentest-Tools provides a free basic web application scanner that can be run against up to two target web applications per day.  If desired, you can upgrade to a version that will perform basic tests against detected endpoints on your website.  More advanced options can be found in command-line-based tools such as Nikto or even fully paid scanners such as Acunetix, Netsparker, and more.

https://pentest-tools.com/website-vulnerability-scanning/website-scanner

Automated Recon – Spiderfoot

Spiderfoot is a phenomenal automated tool for either passive or active recon, and running it is often one of the first steps we, or any other tester, will perform.  This can be an excellent tool for discovering any old, forgotten public assets you may not even know you have.  These can often be treasure troves for testers like us, so any time you can remove an entire orphaned website or forgotten server, that can be a big security win!

https://www.spiderfoot.net

Help us help you

We love seeing the novel ways customers have devised to protect their systems from run-of-the-mill attacks. Believe us when we say we’ve had to work around quite a few.  However, depending on why you’re testing, you may get far more value out of a penetration test by allowing our testers into your network or application from day one.

This may seem backwards; after all, you’re hiring us to show you how to break in!  But consider: you may be engaging Open Security for a span of one or two weeks.  A non-ethical hacker will have dramatically more time, taking months or even years, if properly motivated, to circumvent your security controls.  These attackers will often also employ phishing and other out-of-scope techniques to have an employee unknowingly let them in!

Unless you’re explicitly interested in how your external security controls are configured, it is often best to scope as if the breach has already occurred, and give us time to discover what the internal impact to your business would be.

For web applications, this can mean provisioning multiple tiers of accounts.  A common example is one account for a regular user and another for an administrative user if such roles are applicable.  For network evaluations, we may even ask to send you a secure dropbox that grants our team internal access.

Plan for remediation!

While we love providing reports showing no major findings, most applications and networks have at least a couple of skeletons in the closet.  Having a plan on how to properly resolve any major issues found during testing is where the true value of a penetration test comes from!

An Open Security penetration test doesn’t just end at the report delivery.  We will work hand in hand with you to ensure successful remediation of identified issues.  This will often involve follow-up testing by our expert team to ensure a proper fix has been put into place.

Reach out!

We’d love to be a part of your next security review.  Hopefully, the above questions will help you feel confident that you’re prepared for Open Security to take a deep dive into your security posture with you!

Checklist

  • Determine why you want a penetration test
    • Depending on the answer, should testers be given full cooperation?
      • Defense Whitelisting
      • Source Code Access
      • Documentation
    • Determine contacts
      • Primary Contact
      • Secondary Contact
      • Technical Contact
    • Review current security practices (Only those which are relevant for your business)
      • Patching Cycle
      • Password Rotations
      • Backup Recovery Test
      • Vulnerability Assessment Plan
        • Nessus
        • Web Scan
        • Footprint Scan (Spiderfoot)
      • Remediation Plan
