Preparing for a Penetration Test

Robert Shala
Sentry Cybersecurity
7 min read · Jul 2, 2019

If you’re interested in starting a Penetration Test for your organization but you’re not sure where to start, then you’ve come to the right place.

At Sentry, our flagship service is Penetration Testing (it’s what we do best ;). Over the years we have gained a lot of experience, and we’d love to share some information that will help you prepare before you bring in some cybersecurity ninjas to try and hack everything.

In this article, I will list some DOs and DON’Ts when it comes to preparing your organization for the onslaught of ethical hacking that’s about to ensue.

Before we get further, I’d like to share some crucial information that will help you make better decisions in the future. There is a HUGE amount of confusion between Bug Bounty Programs, Vulnerability Assessments, Penetration Tests, and Adversarial Simulations / Red Team Exercises. I’ll be short and swift and highlight only the core differences between these activities:

1) Bug Bounty Programs
These are crowdsourcing initiatives which aim to reward individuals who manage to identify and exploit security vulnerabilities in networks, applications, and infrastructure. They give freelance hackers permission to launch attacks in order to find vulnerabilities. Some of the most famous BBP platforms are HackerOne and Bugcrowd.

2) Vulnerability Assessment
A vulnerability assessment is a periodic activity (usually internal to the IT/IS department) with the aim of finding known security vulnerabilities in networks, applications, and infrastructure by using specialized software and tools. This type of assessment is broad but shallow: good for getting an overview, but not for validating findings or checking thoroughly. Some of the most famous software for VAs are Nessus, Acunetix, and Nexpose.

3) Penetration Testing
A penetration test is an authorized simulated cyber attack on information technology infrastructure performed to evaluate the security of the systems by a team of highly skilled security experts. The tests are specific but in-depth with the goal of finding as many known and unknown vulnerabilities as possible. The evaluation ends with a final report where the client is given necessary recommendations and professional consultation on remediating and strengthening security posture.

4) Adversarial Simulations / Red Team Exercises
This is the apex of offensive security. An Adversarial Simulation is an authorized simulated attack on the entire organization, performed to test its resiliency against real-world threats. The difference here is that you’re no longer looking for vulnerabilities; rather, you’re looking for a YES or NO answer to the question “Could I withstand a 6-month-long persistent cyber attack?” or “Can I protect my client data against advanced cybercriminals?”. This is an exercise designed to test technologies, defensive systems, security awareness, policy implementation, digital hygiene, human resources, and physical security.

The list above should make clear exactly what a Penetration Test is in relation to all other offensive security engagements.

That being said, organizing a Pen-test for your organization/product/app is fantastic and you should definitely have one performed periodically. However, you need to make sure the groundwork is there. Here’s why:

Make sure you’ve done your homework first.

It does not make sense to do a Penetration Test (or, god forbid, an Adversarial Simulation) before you’ve established some baseline security activities within your own organization’s departments; otherwise you might just end up wasting money and time.

Start off with the basics, like reviewing all usernames and passwords. You’d be surprised how many default credentials we find during Penetration Tests. If you’re about to put an application to the test, set aside a day and do some basic code review. If you’re not using Parameterized Queries or Prepared Statements in your PHP code, then you might be in for some trouble.
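As an added example (not code from the original article) of the kind of defect that day of code review should catch, here is the same user lookup written with string concatenation and then with a PDO prepared statement; the `users` table and the in-memory SQLite connection are constructed for the demo.

```php
<?php
// Added example, not from the original article. Assumes PHP with the pdo_sqlite
// extension; the connection and the users table below are constructed sample data.

// Vulnerable: the username is concatenated straight into the SQL string, so the
// database parses user input as part of the query instead of treating it as data.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement sends the query shape and the value separately,
// so whatever the user typed is compared as a literal string and never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// A classic review test case: a value that changes the WHERE clause's meaning.
$probe = "nobody' OR '1'='1";
var_dump(findUserUnsafe($pdo, $probe)); // returns alice's row although no such user exists
var_dump(findUserSafe($pdo, $probe));   // NULL: the literal string is looked up and not found
```

During the review, grep for `query(` and `exec(` calls that build their SQL from variables; each one is a candidate for the second form.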

Here’s a list of a few things you should do before even thinking about a Penetration Test:

  • Do a Vulnerability Assessment (check above for popular tools! :)
  • Review Access Controls.
  • Review Security Software/Hardware configurations.
  • Map out all Assets/Code.
  • Read about OWASP/PTES.

Allocate enough budget — Allocate enough time.

High-quality Penetration Tests are costly. This is because skilled professionals in this field are highly sought after, and the number of businesses looking to get their cyberspace tested is growing extremely fast.

At Sentry, we provide a cutting-edge experience when it comes to offensive security. We bring in teams comprised of multiple offensive cybersecurity engineers, a project manager, and a number of technical consultants engaged part-time depending on the tech stack being tested, in order to ensure the highest quality possible. The amount of time spent may vary depending on the engagement and the size of the scope, but three weeks is the bare minimum for most engagements, including reporting. Simply multiplying the cost per seat by that time will tell you one thing the bill certainly won’t be: cheap.

If you’re reading this, then this might be the first time you’re about to bring in a Penetration Testing firm. If you’ve been offered Penetration Testing on the cheap, or services done in 2–3 days, then it’s probably a Vulnerability Assessment being sold as a Penetration Test, someone trying to take your money, or testing done by a few juniors with questionable skills. In any case, you certainly won’t be getting a Penetration Test.

Make sure you allocate enough budget (this may vary depending on where you’re from) and give your experts plenty of time to test. The more of these two you have, the more you’ll get out of the whole exercise, and the higher the chances that your security and data safety will be top notch. If you are having budget problems, contact us anyway; maybe we can help you out :).

Clearly define scope and rules of engagement

If you want the Penetration Test to yield fantastic results, then the most important thing is to scope it well! You should know exactly what you want tested before you bring a firm in. Make a simple list of IPs, URLs, resource names, networks, and so on in a presentable format. This will keep the test within scope, and it will also help the Penetration Testing firm understand how much time and which resources they should allocate for your test. Here are a few considerations from the Penetration Testing Execution Standard (PTES) regarding Network Pen-testing:

* How many total IP addresses are being tested?
  * How many internal IP addresses, if applicable?
  * How many external IP addresses, if applicable?
* What type of technologies are being tested?
* Are there any third party applications that will be tested as well?

The rules of engagement are also an important section, where you deal with HOW the penetration test should be done. If you don’t want the app to be tested for Denial of Service (especially if you’re testing production!), then this is the time to bring it up. Think of timelines, limitations, evidence handling, and reporting. Ask the firm how they handle each of these to get a clearer view of what their Penetration Testing process looks like. Here’s an example:

When does the customer want the active portions (scanning, enumeration, exploitation, etc…) of the penetration test conducted?

* During business hours?
* After business hours?
* On the weekends?

Plan for the worst

Things can break. It’s a Penetration Test. Any technology that undergoes a cyber attack can behave in unpredictable ways. That means systems can crash, you could lose data, users can get locked out, apps can break, and so on. However, this is one of the goals of the Penetration Test: it’s actually testing the resilience of your technology! If disaster does happen, it’s better for it to happen on your terms than on an attacker’s. That said, you should still plan for the disaster case, even though it rarely happens.

Firstly, make sure all your systems and data are backed up before engaging in a penetration test. You don’t want to be testing anything without proper backups and rollback capabilities. Doing this will save you tons of money and headaches in general.

Secondly, you should agree on Emergency Contacts. What if a production server breaks? The Pentesting firm should know exactly who to call in order to report the outage, including managerial and technical staff, and should be able to provide them with the relevant information that will help bring services back up. During a Penetration Test I did a long time ago, I ran a web crawler against a web application. It turned out that simply issuing a GET request to one of the links started a company-wide data migration without any warning, confirmation, or double checking. It was on a Friday, at 4 pm. We managed to stop it from happening because we had clear lines of communication.

Thirdly, make sure you have a clear plan for internal communication with the rest of the company in case an attack gets detected. The last thing you would want is widespread panic in the office because someone’s account got taken over. In a previous engagement we had, a company employee detected some suspicious activity on one of the hosts and decided to send a company-wide email with the subject “VIRUS ON THE NETWORK!”. You can imagine what happened next. It’s very important that there are proper mechanisms for incident reporting and notifications.

Read the Penetration Testing Standard

I highly recommend that you read the Pre-Engagement section of PTES. It’s a fantastic resource that will guide you even further in organizing a Penetration Test for your company. The list is quite comprehensive and should help fill in any missing pieces of the puzzle you may have.

That being said, I hope you enjoyed the article. Feel free to message me if you have a question or if you think I should add something extra to the article. See you in the wires.
