Penetration testing is an important element of information security audit and helps to identify problems in the security of an enterprise for various attack vectors.
A successful penetration testing can be fulfilled using the following tips.
1. Minimize constraints
You should not limit all the work carried out: the number of simultaneous scans, allowed IP addresses, exploitation and allowed attacks. Do not prohibit scanning of random IP addresses from subnets, explaining this by the risk of disrupting important business processes. Or, conversely, do not allow scanning only some addresses, so that the results of scanning one of the services can be extrapolated to all others in the subnet.
For a performer, it looks terrible: you cannot do normal automation, you need to constantly monitor that the tools do not go beyond the permitted limits, and you have to twist a bunch of “crutches” to all the tools. While you scan something somewhere and collect a list of services, it turns out that the lion’s share of the time has already been spent. Also, during the development on the network, you see: here it is – a service that supposedly has a privileged account … But it was excluded from scanning.
2. Direct communication
Do not communicate through 3+ managers, thereby playing with a broken phone and increasing the time frame. Try to communicate the requirements directly to real performers, communicate personally, especially without experience in the applied part. Otherwise, in the end, you will get such a locomotive that the information will reach either changed, or it will go for a very long time.
In large projects, this is more the rule than the exception. The work is ordered by an information security specialist, supervised by a security officer, and the manager communicates with the pentester, and sometimes not even directly, but through his manager. As a result, even removing all other factors, any request reaches the goal after half a day and returns the answer to some other question.
3. Proactive defenses
Let’s move on to technical jokes. PCI DSS and other methodologies recommend disabling some proactive information security tools for more elaboration of testing. Follow this advice, do not make people suffer in search of a solution, how to test a corporate network in a short time, where they are blocked all the time. You do not need to immediately extinguish the port on the switch into which the pen tester is plugged.
IT penetration testing with proactive information security tools (IPS, WAF) enabled is already becoming commonplace. It is bad that in this case the lion’s share of the time is spent on checking the information security system, and not on testing the infrastructure itself.
4. Allow exploitation of vulnerabilities
If, for some reason, pentesters still managed to find a vulnerability, and they ask you for approval for its operation, do not refuse, justifying this by a violation of accessibility and the fact that a laptop for presentations is a critical business service!
Yes, this also happens all the time. It can be seen that the server contains critical data and there is a vulnerability, and the customer does not agree on the operation. As a result, the performer loses the entry point, which could lead to a whole bunch of problems, up to the compromise of the entire company. And if they didn’t agree, the report simply says: “operation is not coordinated”, and in fact there is nothing interesting in the report.
5. Authenticity of the final report
If, nevertheless, the hack was carried out and the pentesters showed you the first version of the report, do not ask to remove the critical moments from it. You do not need to adjust it so that you will be given the report for which you paid.
There are funny moments that make you want to laugh and cry. Either “remove the CEO’s mail from the report”, then “this server needs to be removed”, then “who asked you to go to the computers of the information security service – quickly remove it.” Sometimes the wording is ruling, thanks to which the same fact from the terrible becomes quite acceptable.
Find more on https://www.dataart.com/services-and-technology/security.
Penetration testing, which simulates the actions of a cracker and simulates an attacker based on goals, and not from means, and performed by an experienced, highly qualified specialist, is almost always effective.