In today’s fast-changing threat landscape, businesses are struggling to deliver value to their customers while consistently protecting their assets. Security experts are constantly running after the attackers, and defending systems can no longer be done by simply installing a firewall at the Internet access point. Over time, the complexity of the environment has increased with the adoption of cloud services and the emergence of new technologies. Likewise, attacks have become more sophisticated, and attackers are more creative than ever.
Nevertheless, companies that follow best practices and run consistent security health checks do far better than those that address security challenges on an ad hoc basis. In a nutshell, if you “do the basics right”, you have a higher likelihood of prevailing in the case of a security attack. For that reason, conducting regular penetration tests is appropriate and recommended by every security professional.
In this article, we will dive into the scheduling of penetration tests and their success factors.
II. Some fundamentals about penetration tests
There are many ways to test the security of an application, and, in general, they are articulated around three core elements: people, process, and technology. Any form of security testing will be a combination of these components. More specifically, a penetration test primarily assesses the technical aspects of an application or a system, but it can equally challenge the robustness of the authentication method, which is determined by a set of processes.
In a nutshell, a penetration test aims to identify vulnerabilities in an application, a system, or a network, and to confirm whether they can be exploited. Companies give a lot of importance to penetration testing because vulnerabilities are not only identified but also exploited by the penetration tester, which highlights the material risks faced by the company.
There are multiple reasons for companies to conduct penetration tests. In highly regulated industries, like the financial or pharmaceutical sectors, regulators require firms to conduct regular penetration tests of their most critical assets. In other industries, conducting regular security tests of Internet-facing applications has become the norm and is a widely approved good practice.
III. How to plan a penetration test
One could draw an analogy between conducting a penetration test and managing a project. At a high level, the objectives need to be set, the stakeholders have to be made aware of the project, and a plan needs to be outlined to pave the way to completion. As we can often read, “if you fail to plan, you are planning to fail!” (B. Franklin), which applies perfectly to a penetration test because there are dependencies that could lead it either to failure or to great success. The approach proposed here to plan a penetration test is articulated around six main steps.
Step 1: Define the goal
It is fair to assume that companies are not conducting penetration tests for the sake of doing security but to derive some value from them. The added value of a penetration test can be manifold: increasing customers’ trust, reducing the risk of data breaches, or, more simply, confirming the proper handling of customers’ data.
By relating the execution of a penetration test to the fundamental phases of project management, the first step is to formulate the objective of the exercise: “What do we want to achieve with this test?” or “What problem are we trying to address?”. Although it seems a very broad approach, answering such basic questions will ensure that the company focuses on the right target. In other words, the outcome of this step is like setting the destination of a trip: you want to know where you are going before deciding how to get there.
Step 2: Collect information and set the requirements
In the second step, the aim is to gather the relevant information to decide on the scope, time, type, and budget associated with the penetration test. It is highly recommended to engage with the entity that will operate the penetration test, whether an internal penetration testing team or an external security provider. The benefit of starting early discussions with the penetration testers is to determine the feasibility of a test and to understand the prerequisites for conducting it. Similar communications have to be held with the owners of the applications or systems that you would like to test, as well as with the network team, to enable the penetration tester to operate. Aligning the timing of the test with the release of a new feature in an application, or with the go-live of a solution, is key for the company to get the full value of a penetration test. The outcome of this step is a consensus on the scope, timing, budget, and type of penetration test to be conducted.
Step 3: Communicate the scope and timing
In this third step, you want to make sure that all the stakeholders involved, directly or indirectly, in the penetration test are sufficiently informed about the ins and outs of the test. More specifically, you might want to inform your network team that seemingly rogue requests from the security provider’s IP address should be considered legitimate for the duration of the test.
Step 4: Alignment on the technical detail
The fourth step is about the coordination between the penetration tester and the system or application owner. Depending on the type of penetration test chosen, the application owner will need to provision a pair of test accounts for the penetration tester, or will need to ensure that the penetration tester has the required access to the system to be tested. This step of the plan can be compared to a dry run, where the aim is to confirm the assumptions and ensure that the penetration test can be operated smoothly at the agreed time.
Step 5: Operation of the penetration test
During the execution of the penetration test, the attack surface of the application or system is scanned, and the penetration tester will try to exploit the identified vulnerabilities. Although there are no specific actions required from a planning perspective, it is nevertheless important to document any hiccups and last-minute challenges encountered, in order to refine the process for a future iteration.
Step 6: Discussing the findings
Finally, in the last step of the penetration test, the report is delivered and the findings are discussed. At this stage, it is not uncommon for an application owner to challenge the relevance and severity of the identified vulnerabilities, and for the penetration tester to formulate remediation recommendations. The closure of a penetration test is achieved by translating the findings into risks, which are then recorded in the risk management tool used by the company.
To conclude, in this article we touched upon the importance of conducting penetration tests on a regular basis, and we focused on the planning aspects of such security tests. While every company has a different setup, each of the six steps described above will be relevant for the smooth operation of the penetration test.
Find out how 1 Cyber Valley can play a role in your company’s cyber security strategy.