Best time to get (and NOT get) a penetration test

As I’m wrapping up an AWS cloud and application penetration test…

Teri Radichel
Cloud Security


I’ve mentioned this before, but if you’re one of those companies that gets a penetration test in Q4 every year, you might want to consider moving your penetration test up a quarter. If you’re just embarking on your journey to become SOC compliant, or have some other reason to get a penetration test and are thinking about doing it by the end of the year, here’s why you might want to jump on it now.

Although I’m busy (finishing a pentest now and not available until August), this is one of the slower times of year for penetration testers in my experience, as is the very beginning of the year. At the end of the year, on the other hand, I get so many requests that I end up with too much work, have to refer some of it away, and work around the clock trying to get everyone’s reports done in time.

Just a reminder that 2nd Sight Lab specializes in cloud and application security, not on-premises penetration testing or social engineering. We focus on coverage, not stealth. We want to find as many potential attacks and security gaps as possible, not test your SOC’s ability to spot a breach. If you are looking for something different, I can refer you to organizations run by people I know personally for those other types of tests.

I don’t know the experience of everyone who runs a penetration test company, but I have heard other organizations express a similar sentiment — everyone in cybersecurity is really busy in Q4. Rather than wait until everyone is overloaded, get a jump on that penetration test and get on your test company’s schedule now! Also, if this is your first penetration test, it might take a bit longer to get set up or to understand the process. Alternatively, wait until January to get more attention on your test. In my experience, the very beginning of the year is generally a slow time as well.

If you’re doing a cloud penetration test with 2nd Sight Lab on AWS, we ask for certain roles to be set up in your account with MFA required so we can assess your security. We will also explain what credentials to provide and how to send them to us securely in an encrypted message. In my experience, penetration test setup and the transfer of an upfront payment tend to push start times past the expected start date.

If your penetration test company isn’t asking for MFA on the AWS cross-account role it uses, you might want to consider that role and the potential attack vector it represents: an unprotected role trusted by another account is only as safe as that account’s credentials. On other clouds things are not always so simple, so we don’t always ask for MFA, but we’re working on it and have requests out to cloud vendors in some cases.
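As an added example that is not part of the original post: a small Python check for whether an AWS IAM role trust policy actually gates `sts:AssumeRole` on MFA, the kind of review a customer can do on the cross-account role a tester asks for. The account ID and both policy documents are constructed placeholders, not real accounts or 2nd Sight Lab’s own policies.

```python
"""Check whether an IAM role trust policy requires MFA on sts:AssumeRole.

Added example: account IDs and policy documents below are constructed placeholders.
"""
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM allows a scalar or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_requires_mfa(stmt):
    """True if this statement grants no AssumeRole, or gates AssumeRole on MFA."""
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    grants_assume = bool(actions & {"sts:assumerole", "sts:*", "*"})
    if stmt.get("Effect") != "Allow" or not grants_assume:
        return True  # nothing to enforce on this statement
    # Only the strict Bool operator counts: BoolIfExists evaluates to true when
    # the key is absent from the request context, so it does not force MFA.
    mfa_value = stmt.get("Condition", {}).get("Bool", {}).get(MFA_KEY, "false")
    return str(_as_list(mfa_value)[0]).lower() == "true"


def trust_policy_requires_mfa(policy):
    """True only if every AssumeRole grant in the trust policy requires MFA."""
    return all(statement_requires_mfa(s) for s in _as_list(policy["Statement"]))


# Constructed sample: a cross-account trust with no MFA condition at all.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder tester account
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: the same trust, corrected to require an MFA-backed session.
MFA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder tester account
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {MFA_KEY: "true"}},
    }],
}
```

Run `trust_policy_requires_mfa()` over the trust policy returned by `get-role` for the tester’s role; a `False` result means some statement lets the partner account assume the role without MFA.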

When I started penetration testing, AWS warned me that many penetration testers themselves get compromised. So we take precautions and limit the blast radius should anything be compromised: we set up a completely new account and new hosts at the start of each penetration test.

We can also use fixed IP addresses if a customer needs us to, though testing from varied IP addresses is a bit closer to the real world — and it lets us go faster and get more coverage. In some cases, as I’ve mentioned on Twitter, AWS blocks known penetration testing IP addresses and certain domain names. I figured this out while testing certain attacks: they worked from some addresses but not others.

As we move into the latter months of the year, I also get requests to subcontract on penetration tests for other companies. Everyone is overloaded. If you do your penetration test at the end of the year when everyone is overloaded, you might not be getting the best people or the best coverage. I’ve heard clients complain on consulting calls about penetration testers from other big-name companies — but just because you hired a big name doesn’t mean you’re getting the top people behind that name. You’ll want to clarify that when you sign up for your test.

In our case at 2nd Sight Lab, I take on as many tests as I can be personally involved with at the moment, use a lot of automation, and occasionally bring in an appropriately vetted contractor (someone I know who lives locally, so please don’t contact me to ask for a job) to do some of the simple tasks associated with the test: basic scanning, proofreading reports, etc. In the past, it was often one of my nieces or nephews. We may grow over time, but for now I’m dealing with some office space issues and am in no hurry to expand. That may change once a few projects get completed around here.

Q4 is fast approaching — that time when everyone is busy with holidays and some people are at AWS re:Invent (not sure if I’m going this year; last year I was too busy), so you might want to think about starting your penetration test sooner rather than later! If you’re interested in a cloud penetration test and/or an application security penetration test from 2nd Sight Lab, you can reach out to me on LinkedIn below. We especially like AWS and GCP penetration tests — though I did just teach a complete Azure security class and can do those as well. We can also perform cloud security assessments if you’re not ready for a cloud and application penetration test.

Teri Radichel | © 2nd Sight Lab 2022
