So, you've decided it's time to conduct a penetration test against your company. Whether that decision came from regulatory compliance bodies pressuring you to perform an assessment, from your CEO not wanting to be the next company in the news cycle hit by ransomware, or simply from a desire to tighten up your security posture, you now face a daunting task: choosing the right vendor.
“What’s a penetration test? Is that the same as a vulnerability scan?”
First, let's get a couple of definitions out of the way. We often have customers ask for a penetration test when what they actually expect is a vulnerability scan. What's the difference? In short, a vulnerability scan is an automated scan launched against a set of assets: the scanner probes each service, fingerprints what is running, and matches those fingerprints against a database of known weaknesses. Common vulnerability scanners include Nessus, Qualys, Nexpose, OpenVAS, and many others. A penetration test, on the other hand, is a largely manual assessment in which a human tester aims to detect and exploit security weaknesses, chaining them together where possible, using a comprehensive set of testing procedures and tools.
For example, a vulnerability scanner might show that an insecure cleartext protocol such as Telnet is exposed to the Internet, or that an outdated version of Apache Tomcat is running on a server. These are both valuable findings, and scans should be performed periodically, but keep two things in mind. First, a scanner's evidence is usually a version string or banner, which can be wrong (distribution backports and spoofed headers are common sources of false positives) and says nothing about whether the weakness is actually reachable or exploitable in your environment. Second, the best remediation a scanner can offer is usually to simply "patch your systems".
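To make the distinction concrete, here is an added example (not code from the original article or from NetWorks Group) of the kind of check a vulnerability scanner performs: it takes service banners, matches them against a cleartext-protocol list and a version baseline, and emits findings. The hosts, banners, the Tomcat baseline version and the severity labels are all constructed for illustration and are not claims about any real vulnerability. Note what the script does not do: it never attempts a login, never sends an exploit, and never tells you what an attacker could reach from a compromised host. That is the gap a penetration test fills.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what a port/banner sweep might return.
# Hosts are documentation addresses (RFC 5737); banners are made up.
SAMPLE_SERVICES = [
    ("203.0.113.10", 23, "Welcome to router-01\r\nlogin: "),
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_8.9p1"),
    ("203.0.113.25", 8080, "HTTP/1.1 404 Not Found\r\nServer: Apache Tomcat/9.0.30\r\n"),
    ("203.0.113.26", 8080, "HTTP/1.1 200 OK\r\nServer: Apache Tomcat/9.0.80\r\n"),
]

# Assumed organisational baseline: Tomcat builds older than this are flagged.
# This is an illustrative policy value, not a statement about any specific CVE.
TOMCAT_BASELINE = (9, 0, 65)

# Protocols that carry credentials in cleartext; port -> name.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}


@dataclass
class Finding:
    host: str
    port: int
    title: str
    evidence: str   # the banner fragment the finding is based on
    severity: str   # assumed labels; a real scanner uses CVSS or its own scale


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.30' -> (9, 0, 30), so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def tomcat_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the Tomcat version from a Server header, or None if absent."""
    match = re.search(r"Apache Tomcat/(\d+(?:\.\d+)*)", banner)
    return parse_version(match.group(1)) if match else None


def scan(services) -> List[Finding]:
    """Scanner-style pass: fingerprint each banner and report known weaknesses."""
    findings: List[Finding] = []
    for host, port, banner in services:
        if port in CLEARTEXT_PORTS:
            findings.append(Finding(
                host, port,
                f"{CLEARTEXT_PORTS[port]} exposed (cleartext)",
                banner.splitlines()[0],
                "High",
            ))
        version = tomcat_version(banner)
        if version is not None and version < TOMCAT_BASELINE:
            findings.append(Finding(
                host, port,
                "Outdated Apache Tomcat",
                "Apache Tomcat/" + ".".join(map(str, version)),
                "Medium",
            ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SERVICES):
        print(f"[{f.severity}] {f.host}:{f.port} {f.title} ({f.evidence})")
```

Running it prints one finding for the Telnet service and one for the older Tomcat instance; the SSH service and the up-to-date Tomcat produce nothing. A penetration tester picks up exactly where this output stops: trying default or reused credentials on the Telnet login, checking whether the Tomcat manager application is reachable, and asking what the network behind that router looks like.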
Penetration tests, on the other hand, are quite a bit more involved. A common scenario we run mirrors a real-world attack, along the lines of:
OK, so a penetration test is what is needed. (Along with a robust vulnerability management program of course!) But what are the qualities of a good penetration test? At a minimum, you'll want to look for these aspects:
As shown in the example above, it's best to open up the rules of engagement and scope to mirror what an actual attacker would go after. A hacker ("script kiddie", hacktivist, disgruntled employee, state-sponsored actor, to name a few examples) wouldn't limit themselves to just scanning your external websites, so why should you? A real attacker is going to find the quickest, easiest path to your data, no matter the method. A determined attacker might also send a few phishing emails (or make phone calls) attempting to convince employees to log in to a malicious website, drive to your office and sit in the parking lot running attacks against your Wi-Fi, talk their way into your building and access computers or server racks, or any combination of these actions! A good penetration test should help you answer the question "How effective is my security against attacks that happen in the wild today?"
We often hear stories from clients who were dissatisfied with another vendor's penetration test due to lack of communication: unclear rules of engagement before testing, little to no updates while testing is being performed, and a general feeling of "what now?" when they're handed a bloated report with little guidance. Make sure the company you choose demonstrates excellent communication from the beginning to ensure a successful partnership. Is project management included? Who do you call if there's an issue during testing (a production system goes down, a phishing email causes a panic) and you need to reach someone right away?
A penetration test without excellent reporting is a frustrating experience at best. A great report should include at least the following sections:
Executive Summary - this should make sense to C-levels and contain two to four pages of easily digestible "what should I care about, and why?" information to give management a quick overview of how they fared and what and where they should invest resources.
Technical Details - this section should outline how the testers performed their actions, the outcome, and why each step matters in the attack chain. The best reports include enough detail (tools, commands, evidence, affected hosts) that your own team can replicate the attacks performed during testing and later verify that a fix actually closed the path.
List of Findings - This information should include the security finding, the action performed to exploit that issue, how serious or impactful the issue is, and recommendations for mitigation.
Remediation Roadmap - A list of findings and what to fix can be overwhelming to receive. What should I invest my time in to fix first? What should my priorities be? How realistic are my remediation timelines given our current technologies, budget, and leadership expectations? Ensure the report offers at least a rough guideline of when remediation of the findings presented can realistically be expected and what should be prioritized along the way. This guideline should be in clear, practical terms that all levels of a company can understand.
Closeout Meeting - Have the penetration testers on hand to step through the report to ensure understanding, for technical and non-technical attendees alike. They should answer questions, explain findings, and communicate the business and technical impact of each vulnerability.
Ask to see a sample report! That will give you the best idea of what you'll be in for. Watch out for rebranded vulnerability scan reports, unclear details or missing information, and bloated reports with hundreds of pages that no one will read.
NetWorks Group has been evolving and fine-tuning our Full Scope Penetration Testing service for almost a decade. We believe it provides the best value possible, looking at your business holistically and delivering actionable results. We'd love to create a partnership today - reach out and let's talk!
Published By: Mike Walker, VP of Ethical Hacking, NetWorks Group
Publish Date: November 9, 2022