Our highly experienced Penetration Testers Dave Jarvis and Robert “Bull” Winkel offer five tips for mature organisations.
Undergoing Penetration Testing of your IT security defences is rather like going on a first date: those involved are a bit nervous that the results might be embarrassing and everyone will find out about it.
Nevertheless, “PenTests” are an essential element of any Information Security Risk Assessment – providing evidence of exploitable vulnerabilities and delivering actionable information to support executive decision-making and priorities for investment. It’s important to be honest and reveal yourself, which runs counter to the natural instinct for self-preservation and protection.
Before you embark on the ride, here are our five top tips for getting true value from a PenTest engagement.
Tip 1: Be careful in defining scope
How much are you willing to divulge on your first date? Unless you carefully consider and define your objectives from a PenTest, it’s likely to drift into areas you might later regret.
Don’t be shy! Two key questions to ask yourself (and answer truthfully) are: “What are our security objectives?” and “What outcomes are we looking for?”
Tip 2: Create rules and manage expectations
No PenTester worth their salt will guarantee satisfaction – and here at UXC Saltbush we’d never be so irresponsible!
White Hats, working to a fixed engagement window, tend to lead with their hearts and fall quickly, while Black Hats can take their time to get to know you.
Your PenTest engagement will necessarily involve limited time, tools and resources – while determined hackers can mount a sustained offensive using multiple tools and exploits over a long period of time. Remember that a PenTest is a point-in-time activity, so treat it accordingly.
While PenTesting is not a public spectacle for uploading to YouTube (nor are first dates), make sure you manage relevant third parties such as hosting providers, so they’re in on the act too: they should know the testing window and, where the test touches infrastructure they operate, have given their authorisation in advance.
Tip 3: Put PenTesting into its proper context
Given the time restrictions listed above, different PenTesters can potentially deliver varied results – depending on the different tools and tactics they deploy.
Despite this necessary limitation, PenTesting is crucial within any Risk Framework – with the prerequisite of a robust InfoSec framework.
But don’t analyse it in isolation. It’s a one-off event, just like a date; it’s not a silver bullet or a ticket to the altar.
Tip 4: Go for quality
Generic self-testing and self-assessment have their place, if your risk profile is low enough and you’re out for a bit of fun on the side - but doing it on your own is no substitute for the real thing.
To get quality bang for your buck, take the precaution of selecting a reputable company with respected accreditations. The internationally recognised CREST stamp of approval is hard to achieve.
It also provides assurance not only that individual PenTest operatives have the necessary skills, but also that their employing company has appropriate Quality Assurance procedures in place to avoid any slip-ups.
Tip 5: Get executive buy-in upfront
Get ‘parental approval’ early on… executives must fully understand the reasons for the exercise and its potential consequences. No-one wants to get caught with their pants down, after all.
Too many organisations budget for a PenTest and not its outcomes… but ‘Test and Forget’ is not a mature approach. Paying lip-service by just having regular PenTests is not an ‘inoculation’ against real attacks. While it may not be possible to fill all potential gaps, accept that some remediation may be required to satisfy your Risk Profile.
Get commitment upfront from management that a treatment plan will be actioned, for example, budget will be made available to address all High risks identified immediately and Medium risks within six months.
We do hope we’ve provided some stimulating ideas for planning your next PenTest engagement. If you think we’ve been a little risqué, please remember that we only have your Risk Management at heart!
About the Authors
Dave Jarvis is one of the few ICT security specialists in Australia accredited to undertake ISO/IEC 27001 certification audits, and the first to accredit an Australian organisation to that standard. He also established the Standards Australia certification arm for Information Security Management Systems (ISMS).
Robert “Bull” Winkel worked in Defence for 13 years and technical security assurance is his particular interest, underpinned by his extensive experience in Digital Forensics, Reverse Engineering, Penetration Testing and Social Engineering.