5 questions every business should ask about penetration testing
Penetration testing is an important aspect of reinforcing and sustaining network, infrastructure, and physical security. It includes attempting to break into a variety of application systems (e.g., APIs, frontend/backend servers) to find vulnerabilities, such as inputs that are vulnerable to code injection attacks. In a world where technology is always advancing, attackers are becoming more inventive. Many businesses are at risk because they don't know what questions to ask or what to look for when it comes to protecting their digital assets. In this blog we will cover some of the most crucial things to ask when hiring your next security assessment partner. Of course, this isn't an exhaustive list, but we believe it's an excellent place to start.
When should I perform a penetration test?
A penetration test should be performed in a variety of situations. Here are a few examples of frequent penetration test applications:
- DevSec: As part of an application's development cycle. (To ensure that a new feature or application is secure)
- Compliance: To ensure that security standards are met. (Industry standard certifications, PCI, ISO27001, SOC2 and more)
- Data protection: To prevent sensitive data from unauthorized access.
- Malware protection: To prevent malware from infecting a computer or server. (examples: Ransomware, spyware, and more)
- Network protection: To keep disruptive cyberattacks at bay. (example: denial of service)
- Assurance: Continuous risk reduction as part of a risk management strategy for a cybersecurity program.
A penetration test should be performed at least once a year, as well as after any significant updates or changes to the enterprise network. We normally recommend that quarterly tests should be undertaken due to the high rate at which new vulnerabilities are found.
What should we expect from penetration testing consultants in terms of communication?
Let's face it: a penetration test entails risky activities that may mistakenly bring down one or more systems that your company relies on to run its operations. This is why, before any penetration testing activity, it's critical to exchange contact information for personnel who are available 24 hours a day, seven days a week, in case things go wrong.
It's a good idea to agree on a communication frequency. You can plan this accordingly with your trusted partner. We strongly advise sending updates twice a week, but daily, instant communication would be ideal. Either an encrypted email or personal presence on site is an acceptable method of communicating risky findings. At Secruit, we set up an instant communication channel between you and our expert penetration testers for seamless communication.
Finally, there's the report itself. This is where a lot of companies fall short. We've seen security professionals give an Excel spreadsheet in some circumstances - yikes! At the end of the day, you want to be able to present it to C-level executives, and highlight the importance of the assessment findings so they are empowered to make sound business decisions. When your partner delivers a report that your executives can't understand, you've entirely squandered the benefit of the security engagement. Request a template report and assess how well it communicates the findings at both technical and executive levels.
What will the penetration testing approach look like?
Good firms will brag about their intelligence-driven techniques when it comes to discovery and reconnaissance. This is the stage in which they learn everything there is to know about your company, including its systems, staff, and internet offerings. Whether you want it or not, companies unwittingly share a lot of valuable information in the public domain, which increases an attacker's chances of effectively breaching your perimeter without deploying a sophisticated exploit.
Scanning/probing is where your partner’s capabilities are put to the ultimate test. Vulnerabilities are identified using both a manual and an automated technique. Automated testing should run alongside and complement manual testing if they're doing their job correctly. This is when the tester must use their technical knowledge and creative thinking to find potential flaws in your tech stack.
Once an issue has been detected, it's time to try to exploit it. Many security professionals fail at this stage because they are overly reliant on tools and don't know how to get over simple roadblocks like bypassing detection mechanisms (examples: antivirus, EDR), pivoting, or moving laterally within the network. Exploiting vulnerabilities means jeopardizing a system's confidentiality, integrity, and, in some situations, availability. In your interactions with your security partner, make sure to bring up those risks and the potential impact to your business.
Finally, once a vulnerability has been exploited, the access or information gained in the previous phase is utilized to acquire further access to a system or resource, and the cycle begins again.
How will you protect my data during and after testing?
The penetration testers decide what data to access and how they will access it. Operational integrity is the key here: we draw a line between identifying actionable findings and compromising valuable business/client data. Data shouldn't be downloaded to a testing device. Taking a screenshot of a list of filenames, or one or two records, can often suffice as proof for a successful test. Before saving a screenshot to a local disk, you can easily redact it (we use data masking). The first line of defense in protecting the data is the tester's operational judgment. That's where we believe training is vital for our security experts, to enable them to make the right calls during an assessment.
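As an added illustration (not Secruit's own tooling), here is one way to mask a retrieved record before it is saved as evidence: sensitive fields keep only enough to show the value was real, and a SHA-256 fingerprint of the original lets the client confirm which record was accessed without the tester retaining it. The sample record, the field list and the fingerprint step are assumptions of this example.

```python
import hashlib
import json
import re

# Constructed sample record standing in for one row a tester pulled as
# proof of access; every value is invented for this example.
SAMPLE_RECORD = {
    "customer_id": 48213,
    "name": "Jane Example",
    "email": "jane.example@example.com",
    "card_number": "4111111111111111",
    "dob": "1984-07-19",
}

# Fields that must never be kept in clear text in test evidence (assumed list).
SENSITIVE = {"name", "email", "card_number", "dob"}


def mask_value(field, value):
    """Keep just enough of a value to prove it was real, never the whole thing."""
    s = str(value)
    if field == "email":
        local, _, domain = s.partition("@")
        return local[0] + "***@" + domain
    if field == "card_number":
        digits = re.sub(r"\D", "", s)
        return "*" * (len(digits) - 4) + digits[-4:]
    if field == "dob":
        return s[:4] + "-**-**"          # keep the year only
    return s[0] + "*" * (len(s) - 1)     # default: first character only


def redact_record(record, sensitive=SENSITIVE):
    """Return (masked copy, fingerprint).

    The fingerprint is a SHA-256 of the canonical JSON of the original, so the
    client can later recompute it on their side and confirm which record was
    accessed, while the saved evidence holds only masked values.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    fingerprint = hashlib.sha256(canonical.encode()).hexdigest()
    masked = {k: (mask_value(k, v) if k in sensitive else v) for k, v in record.items()}
    return masked, fingerprint


def leaks_clear_text(masked, record, sensitive=SENSITIVE):
    """True if any sensitive original value survived unchanged in the masked copy."""
    return any(str(record[k]) == str(masked[k]) for k in sensitive)
```

Running `redact_record(SAMPLE_RECORD)` yields an evidence record such as `{"customer_id": 48213, "email": "j***@example.com", "card_number": "************1111", ...}` plus a 64-character fingerprint; `leaks_clear_text` is the check to run before anything is written to disk.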
When a tester decides to retrieve and keep data, they use their best judgment to determine how to do it in a way that does not put the client in danger. This means that proper encryption will be used to prevent data from being read both in transit and at rest. A tester, for example, may need to download database backups to a local laptop to study them. In this situation, we'd deploy a multi-factor authentication-protected Virtual Private Network (VPN) and an encrypted secure shell (SSH) connection to download the data across the VPN tunnel.
Ensuring that data is destroyed when it is no longer needed is an equally vital aspect of the overall security plan. Depending on the type of data, the retention period will vary. We usually keep the final report for a long time; however, test artifacts like scan results and other client data are usually removed soon after the report is completed. To enforce our retention policy, data kept on the tester's machine is migrated to an encrypted archive with an automatic cleanup process. We can also reduce the amount of time collected evidence is kept, based on the client's expectations.
What is my involvement with the security community?
It's important to encourage engineers to be involved in the security community. It's where a lot of best practices and important experience are exchanged. Being proactive will help your business stay ahead of the threat actors and protect it from reputational and operational risks by avoiding the next cyber breach. Security and hacker conferences are essential for accelerated learning, staying current with the threat landscape, and networking with peers. Employers should join local information security chapters and open-source security tool development organizations such as GitHub and OWASP.