How to Get the Best Value from Your Penetration Test
The Seven Steps to Cybersecurity Nirvana
You’ve done your homework; you’ve spent some time researching penetration testing companies and you think you’ve identified a good one.
Maybe you used our previous blog to help: Think Your Organisation Needs a Penetration Test? Read This First. We hope you chose us, but if not, we hope you’ll read on anyway.
Now you have a date for your pen test in your diary, you’ve done the hard part, right? Alas no, there’s a lot – a lot – that can go awry.
Here are two real-life examples:
Example 1: Up against it with a Multinational Delivering Government Services
This was a big-budget project with four penetration testers on an extensive firewall review. The job involved 16 person-days: 12 on-site days and four days of reporting. On the first day, as arranged, the team was on site bright and early, but immediately hit a wall (no pun intended). Despite an advance agreement, the company’s IT contact hadn’t reconfigured the firewall.
The rather red-faced IT person completed the configuration work by 1 pm. And the consequences? Four specialists doing very little for half a day, amounting to a waste of several hundred pounds. Although they rushed to catch up, it was impossible to achieve the required depth of coverage.
Example 2: Giving Notice: A Financial Products Company Selling to the Public
The cybersecurity target – a web application – was hosted in a data centre. To allow testing on their infrastructure, the data centre required prior notice. Come the big day, and the client had overlooked that notification. The testers were at the data centre’s mercy to fast-track the approval, which in the end took 48 hours.
The moral at play?
Get organised, especially if there’s a cost involved! As with the first story, the company paid for the consultants’ time while their hands were tied. The application was critical, and extra budget had to be found to enable completion of the test to the necessary standard.
Now we’ve established the potential for a penetration test to give rise to avoidable headaches, here are seven steps you can follow for pen test success.
Step One: Preparation, Preparation and more Preparation
Ensure you have all the necessary permissions to conduct the test; inform all relevant stakeholders in advance, especially third-parties. Practically speaking, see that the penetration testers have access to buildings, server rooms and so on, and arrange all necessary connectivity in advance.
Credentials are another essential box to tick; set up usernames and passwords in good time. Lastly, purchase orders, particularly in larger organisations, can take time. If your test is time-sensitive, be sure to get the ball rolling early.
Step Two: Appoint a Good ‘Babysitter’
It sounds simple but having someone there to make sure everything goes to plan on the day is important. Having that person to escort the pen testers, and manage problems that might arise, provides peace of mind. Choose someone well-connected, with the clout to make things happen.
And think about your babysitter’s needs too; if they’re going to be stuck in a chilly data hall for hours and barred from using their phone, be thoughtful and tell them to take a jumper and a good book.
Step Three: Invest Time in Proper Scoping
If you under-scope your requirements, you won’t get the coverage you want. If you over-scope, you’ll pay for expensive testing you don’t need. Your provider should walk you through the process.
Bonus tip: if retesting is required, book it immediately so you get your preferred dates. Conventional wisdom is to use different providers to ensure different viewpoints, but it’s cheaper to bring in the same consultants than to start from scratch with another pen test firm. We’d suggest running your own vulnerability scans before our arrival – we can advise you.
Step Four: Make Your Pen Tester Work for it
You don’t want your pen tester burning time on the basics; patch your software, update your anti-virus software, and get them sweating over the hard stuff.
Step Five: A Happy Pen Tester is an Effective Pen Tester
One of our pen testers had a particularly uncomfortable day when a client left him locked in a room for eight hours without checking on him. Just like the rest of us, penetration testers need comfort breaks. Tell them where the canteen and loo are and look after them so that they can focus on your needs, not their bladder or rumbling stomach.
Step Six: Don’t Get Burned by Your Firewall
This applies to external penetration tests: those conducted remotely over the internet. There’s a handful of technical bits you’ll need to take care of here – give yourself enough time and go through them with your provider in advance.
Step Seven: The Night Shift
Testing sometimes takes place outside regular business hours to minimise disruption. What if the security personnel don’t allow the testers access? Or if essential prerequisites are missing and the principal contacts in your company are asleep? These aren’t fictitious examples; they’ve happened.
Night shift demands preparation to A* standard. Nominate an out-of-hours escalation person, arrange a phone call at the beginning of each evening’s work, and an email update before your testers clock off in the morning.
We hope this blog helps you to get the maximum value from your pen test, and that your experience brings benefits – not needless stress.
If you’re still navigating your cybersecurity landscape and would appreciate some help before investing in a penetration test, then why not take advantage of our free cybersecurity assessment? To book, click the link above.
We’ll give you tailored advice to improve your cybersecurity and we won’t bombard you with calls and try to sell you stuff you don’t need. What do you have to lose? Thanks for reading and be safe.