Penetration testing is often a critical component of a cyber security program. It can help you to identify where your systems need improvement and often expose major vulnerabilities that would otherwise have been exploited by attackers. But it’s not always clear how you can prepare and get the most out of testing. In this blog we’ll explore the preparations we can put in place to ensure that testing runs as smoothly as possible.
Secure Target Systems
Penetration testing is most effective when the target systems reflect their typical year-round security posture; dressing up your security just for testing can give a warped view of the in-scope systems’ security status. With this said, there are certain actions that can be taken to improve your security hygiene so that the tester can spend more time focussing on the more pressing threats:
- Patching – Ensuring your systems’ operating systems and installed software are supported and have the latest security patches.
- Password/Lockout Policy Enforcement – Ensuring services have a strong password policy enforced and that lockout policies (or other brute-force protections) are put in place for services where possible (particularly important for any internet-facing services).
- Multi-Factor Authentication – If I could recommend one security control that has saved many an organisation from compromise during testing, multi-factor authentication would top the list. Ensure it is enforced for any service that provides the option.
- Decommissioning Forgotten Accounts and Systems – Ensure that systems and accounts that are no longer used or needed are decommissioned to reduce the organisation’s attack surface.
- Input Validation – For web applications in particular, input validation flaws such as command injection, cross-site scripting and SQL injection are some of the most common vulnerabilities found and can have a detrimental impact if exploited. Checking that input validation controls are working correctly on both the client and server side can reduce the number of major findings significantly.
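The lockout item above describes the control in one sentence; the following is an added example (not code from the original post or from Predatech) of what a sliding-window lockout policy looks like in code, so the behaviour can be reasoned about and tested before a tester confirms it against an internet-facing service. The `LockoutPolicy` class, the `attempt_login` helper, the `FakeClock` and the credential store are all constructed here for illustration; thresholds are assumptions, not a recommendation for any particular service.

```python
import secrets
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Sliding-window account lockout (constructed example).

    After `max_failures` failed logins within `window_seconds`, the account is
    locked for `lockout_seconds`. A successful login clears the failure history.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock              # injectable so the policy can be unit-tested
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time at which the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: forget it and start the failure window afresh.
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Record a failed login; returns True if this failure triggered a lock."""
        now = self.clock()
        q = self.failures[account]
        q.append(now)
        # Drop failures that fall outside the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()


# Constructed credential store. A real service stores salted password hashes;
# a plain secret is used here only to keep the example self-contained.
CREDENTIALS = {"alice": "correct horse battery staple"}


def verify_password(account, password):
    expected = CREDENTIALS.get(account)
    # Constant-time comparison avoids leaking how much of the secret matched.
    return expected is not None and secrets.compare_digest(expected, password)


def attempt_login(policy, account, password, verify=verify_password):
    """Apply the lockout policy around a credential check.

    Returns 'locked', 'ok' or 'bad'. The lock check happens before the
    credential check, so a locked account rejects even the correct password.
    """
    if policy.is_locked(account):
        return "locked"
    if verify(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "bad"


class FakeClock:
    """Controllable clock so lock expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

The check a tester would perform against a live service is exactly what the test below performs against this model: repeated wrong passwords must lead to a lock, the correct password must be refused while the lock is in force, and the account must be usable again once the lock expires.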
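To make the input validation item concrete, here is an added example (not code from the original post or from Predatech) showing the two server-side controls that matter for the SQL injection class of finding: an allow-list check on the value, and a parameterised query so the value is bound as data rather than parsed as SQL. The string-concatenation variant is kept alongside as the "before" form so the difference is visible. The `users` table, the sample rows and the username format are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allow-list for usernames (an assumption for this example): lowercase
# letters, digits and underscore, 3 to 32 characters. The same pattern can be
# reused in the browser for user feedback, but the server-side check is the
# control a tester will look for, since client-side checks can be bypassed.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def build_db():
    """Create an in-memory SQLite database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def validate_username(value):
    """Server-side allow-list check: True only for a well-formed username."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def find_user_unsafe(conn, username):
    """The 'before' pattern: the query is assembled by string concatenation,
    so whatever the caller supplies becomes part of the SQL statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Parameter binding alone: the driver sends the value separately from the
    statement, so the value can never change the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_user_safe(conn, username):
    """Hardened form: reject malformed input up front, then bind the value.

    Validation is the first line of defence and gives a clear error to log;
    parameterisation guarantees correct handling even if validation is later
    relaxed. Raises ValueError for input that fails the allow-list.
    """
    if not validate_username(username):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, username)
```

The test below uses the textbook quote-breaking input that any web application tester will try first: the concatenated query returns every row, the parameterised query returns none, and the validated lookup refuses the input before a query is run at all.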
Back Up Target Systems
During penetration testing, there is always a chance, albeit small, that a tester may accidentally take down a system or take an action that results in the loss of data. Good penetration testers will be mindful of any tools or techniques that could have an adverse effect on the in-scope systems; even so, backing up production systems is a must before testing begins.
Organisations more commonly opt to use test environments where possible, particularly for application testing, and this provides the tester with a sandboxed area where actions can be performed without fear of damaging critical systems.
Consider Testing Requirements
Depending on the scope and the types of testing to be performed, the penetration testing provider may require some additional information or access to fully test the agreed scope. You should plan in some time to make the necessary preparations for the engagement to run smoothly.
Some of the common requirements may include generating application credentials for the tester to authenticate, ensuring the tester is able to successfully establish a connection to the internal network, confirming lockout policies for internet-facing services and whitelisting tester IP addresses on any technologies that may disrupt testing.
Inform Relevant Parties
Depending on your objectives you may (or may not) inform certain teams in your organisation that testing will be going ahead. It’s a perfect opportunity to assess the effectiveness of your security monitoring and their response to a supposed attack. Senior management should always be involved or at least be aware that testing is taking place.
Third-party application and service providers may require you to make them aware of any testing that is conducted on their platform, so it’s worth checking to see if there are any requirements or restrictions around what can be tested.
Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing and Cyber Essentials/Cyber Essentials Plus assessments. What makes us different? We combine expert cyber security with great customer service and value for money. Please contact us if you’re interested in a free consultation.