We often get questions about how to prepare for an organization's (annual) penetration test. Here is what you can do to prepare.
Most IT departments do not look forward to having outside experts come along and look for all the places where their security isn't up to snuff. If jubilation isn't the feeling you experience when a pen test is pending, you might want to check out the seven tips we compiled to help you get the most out of the experience, and the most for your money.
Why is Penetration Testing important?
First, a brief refresher of the benefits of a penetration test in the first place. The advantages of pen testing include:
- Discover vulnerabilities before a motivated attacker does
- Identify vulnerabilities and attack paths, and provide the context needed to prioritize remediation efforts
- Know how well the organization is able to respond to an attacker
7 valuable tips
1) Understand the Pen Test Parameters
Get actively involved from the outset and collaborate with your penetration testing team to determine what your goals are and how to prioritize your resources for improving your cybersecurity posture. Before testing begins you should know:
- High-value assets and associated targets
- Controls and capabilities you want to test
2) Anticipate likely threats
You know your industry and, presumably, have been keeping up with the cybersecurity threats particular to your type of business. Enumerating likely threats for the penetration testers helps determine what they should attempt and how deeply. For example, your industry may be more exposed to script kiddies, hacktivists, organized crime, or insider threats.
3) Establish Realistic Expectations
With your understanding of objectives and threats, establish how much of your network can be tested and how deeply, given your budget and time. Keep in mind that motivated bad actors won't focus only on certain parts of your system, so you don't really want your testers to be limited.
At the same time, you may not want to give them free rein. You want creativity, yes, but the security manager needs to be sure that testers understand clear boundaries (such as never to perform a denial of service attack on any production system).
4) Provide Network Knowledge
The more information you provide, clearly communicated, the less time the penetration testers need to spend determining the true scope of your network and systems.
Another critical component of an effective pen test is a clear point of contact who stays in constant communication with the testing team and ensures that security logs and alerts raised during the test are addressed in a timely fashion.
5) Learn What They’re Doing
Understanding the testers' tools, techniques, and processes helps you better define parameters and expectations. You need to know what goes into the testing in order to ask informed questions about methodology and policy, or to identify testing approaches that may have been overlooked.
6) Plan to Discover Flaws
Expecting a penetration test to prove that your network, application, or IoT devices are invulnerable is unrealistic. In fact, we often say there is no such thing as being 100% secure.
You likely can't afford to find every vulnerability that could ever be found, either. Instead, plan on using the pen test to identify problem areas that help you define policy or procedures, get leadership buy-in, or justify budget expenditures.
7) Stick with a Trusted Partner
Once you've found a penetration testing team that does the job you need, and does it well, work with them consistently. An ongoing relationship with a testing group can benefit your budget in the long term, because they return to each engagement with a deeper understanding of your culture, infrastructure, and support systems.
Whatever your reason for a penetration test (meeting compliance standards, testing your security team's capabilities, or determining control efficacy), you'll want to partner with experts who will thoroughly prepare the engagement and keep you fully apprised of findings.
Our experts provide you with a detailed report and discuss remediation and business priorities with you. We also offer ongoing access to our assistance and will retest, free of charge, to help you remediate our findings. Read more about our Penetration tests or Contact us today to begin your consultation.