Businesses and developers can commission a penetration test (pen test) for various reasons — these range from improving enterprise security to satisfying regulatory requirements. You could opt to use an internal testing team, contract a third party like Emagined Security, or combine both.
Whoever performs the test, success will depend heavily on how well thought out the overall pen testing program is. Here are some practical tips to help you get the most out of the money, effort, and time you put into your pentesting program.
Define Testing Goals
Penetration testing is all about safeguarding the business’ interests. When someone tries to hack into your system, the attack itself is often a means to an end. Usually, they are looking to access confidential data or install malware.
To have an effective testing program, you must focus your energies where the business risk is highest. Your pentesting goal is not just to satisfy a procedural checklist or unearth random vulnerabilities. There has to be tangible value that is in the best interest of the business.
Let the Data Lead
No organization has limitless resources it can devote to a pen testing program. You cannot realistically run a comprehensive pen test across your entire infrastructure. Whether your business has hundreds, thousands, or millions of devices, it’s impossible to cover every single interface.
When your testing scope is too broad, you run the risk of getting results that offer little to no real business value. A rule of thumb is to take a step back and think about what exactly you are trying to protect. What is your most important business data, where does it reside, and how is it transmitted? This should provide a great starting point for mapping your pen testing program.
Listen to Business Unit Heads
Techies sometimes get so immersed in technical details that they disregard business voices. The testing team should restrict themselves to planning the technical aspect of the program. For the overarching rationale, they should listen to business unit heads.
Business managers recognize the risk, understand what data is most critical, and know which applications they use frequently. They are the ones who grasp an application’s logic, including what it’s meant to do and how it works. With that, you can envisage where a breach is more likely to occur. Discuss the worst-case scenario to see where the valuable data resides.
Develop Hacker Profiles
The more a test program mirrors real-world scenarios, the more effective it will be in foiling future attacks. Your pentesters must think and act like real hackers. Hackers aren’t homogeneous, though. You have to build profiles commensurate with the different categories of potential attackers.
There are external attackers who know little about the organization’s technology infrastructure except perhaps a couple of IP addresses. Former employees, contractors, and vendors are the second type of attacker because they have considerable knowledge of the network. The third attacker category is IT staff, such as a database or systems administrator. They’re insiders who have detailed knowledge of your systems and retain privileged levels of authorization.
Other than the knowledge level of the attacker, the motive is another angle to consider. Is the hacker’s aim intellectual property theft or socio-political activism? Work with business managers to better understand the types of attackers they worry about the most.
Establish Rules of Engagement
A pentest simulates an attack but isn’t an attack. You must establish clear penetration testing rules of engagement that set out what is permissible, what is prohibited, when testing occurs, and who should be notified. The specifics will depend on whether you are running a black box or white box pen test.
Black box testing is somewhat clandestine, so attack timelines and scope are shared with a limited number of people. White box testing is a more open process, so a larger pool of people will have to be apprised of the plans. Either way, if the right people aren’t informed or involved, the testing could negatively impact the business.
Pay attention to these aspects of your pen testing program and you’ll be well on your way to consistent testing success.