Blog Post 4 of 6
Much has been written about hacking, including overly dramatized depictions of hackers busily typing away and creating previously non-existent access into foreign satellites proclaiming… “I’m in!”.
Applause, amazement, and adulation follow.
Educated security professionals know that this is just a dramatization, however, it still causes us to wonder what really happens during a penetration testing engagement. Questions like:
When you say you’re doing a pentest, what does penetration testing involve? I mean, what are you actually doing?
And, how do I know that you know what you’re doing?
Are you running special penetration testing tools that I should know about?
Are you going to break something?
What Does Penetration Testing Involve? Testing is just one part of the Penetration Pathway. Let’s zoom out for a minute and talk about your goals. Your goals should have been established as part of the penetration test scoping process and then re-established as part of your rules of engagement. Additionally, your goals drive what is involved in your pentest.
Next, regardless of what you’re testing, a standard testing methodology should be followed. Whatever you choose, it should have some version of the Penetration Testing Execution Standard (PTES) which contains the following:
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
I’m not going to spend time going through these phases because there’s tons of information all over the net that covers the cyber kill chain. Google it :) But, you can download our methodology here.
What I want to highlight is, whatever the testers are doing needs to align with what you established in your SOW and your goals. That means, if you were expecting manual validation of findings, you need to set up controls with the test team that allows you to confirm the findings aren’t just regurgitated from a Nessus scan. If you were only interested in getting an annual scan and the testers are asking for authenticated access into one of your web applications… you may want to question their approach. This takes us to our next question...
If you want to clearly define your goals and the scope of your penetration test, download our scoping template.
How Do I Know You Know What You’re Doing? This is a recurring challenge businesses’ have when they do business with any new vendor. It’s especially disconcerting with penetration tests because the company is given so much access and visibility into your environment (or app or whatever). It’s like getting married before you’ve even dated… not such a good idea. Referrals are your best bet to confirm competency, however, you can find out a lot just by looking for the right signs. The fact is, you want more than just an adequate test. Lots of people can do those. What you really want is value-add from the relationship. It’s important that your vendor goes beyond standard testing to include the things listed below so that you can have peace of mind about your testing without the stress associated with unqualified and commoditized vendors:
Manual Validation
Tool Variation
Extensive Information Gathering
Report Enhancements
Risk Grouping
Vulnerability Table
Interim Risk Review
Proactive Communications
Multiple Certifications
Are you running special penetration testing tools that I should know about? It’s best that your vendor blend disparate primary tools to perform penetration testing, leveraging a combination of commercial off-the-shelf, open-source, and proprietary products. Testing should be conducted with careful validation and vulnerability checks and balances ensuring results provided are never solely based on a single product’s output. Many penetration testing companies simply run Nmap or Nessus and then call it good, we ensure our clients receive optimal results by correlating output amongst utilities and performing robust tool verification.
Are you going to break something? If things are scoped and architected correctly…. No, your test won’t break anything. If this is a really scary prospect for you then you’ll want to consider testing an environment that isn’t your production environment. Additionally, tools can be configured to “go light” for additional assurance.
Do I need a Pentest and How Often? There are as many types of pentest as there are things with access. Everybody should be doing pentests of some sort to test for exposure. However, timing is important. You don’t need a pentest early in deployment. Conversely, you definitely want to pentest before something is put into production. And, you’ll likely want to have a third-party pentest annually depending on your budget, compliance requirements, and the rate at which your environment/applications change. If you’re not sure then give us a call and we can help you determine the proper timing and scope of your engagement.
Penetration Testing is just one piece of our One Clear Path.
If you want to get crystal clear on the ONE THING you should be doing right now to exceed your Pentest audit, compliance, and security mandates within 30 days (without convoluted methodologies, confusing findings reports, or obscure remediation steps) click the link below…
YES, TELL ME MORE...
Want a deeper dive into our pentesting services? Check these pages out:
Want to see where Pentesting fit's into the bigger security picture? Visit our One Clear Path page to see more.