We here at True Digital Security conduct quite a lot of engagements around penetration testing, or "Pen-Tests". Usually this testing is driven by compliance requirements like the Payment Card Industry (PCI) DSS or security audit requests from potential new clients. Unfortunately, penetration testing is perhaps the most confusing and misunderstood type of security engagement. Don't quite know what I mean? Try this little experiment: Google for "Penetration Testing" and try to determine the scope, and more importantly, the goal of a penetration test. Go ahead, I'll wait .... Confused yet? The vast array of methods, styles, and differing goals can be overwhelming. Even security experts themselves don't agree on what the purpose or goal of a penetration test should be.
If experts don't agree on penetration testing, how can we expect clients and customers to understand how this type of testing leads to increased security? If you have ever created an RFP for penetration testing services, you will have seen the vast differences in vendor's scope, methodology, and pricing. Since penetration testing is fairly undefined, there exists a myriad of testing "styles". Internal vs. external, network vs. application, white box, black box, gray box, red team, tiger team, fuchsia team. Ok, I made that last one up.
The point is penetration testing is not a one size fits all solution. Each engagement should be custom tailored to your organization. During the vendor selection of your next penetration engagement, include vendor flexibility in your evaluation and make sure they take the time to really understand your needs and goals. Leverage their expertise to define a custom penetration testing style and methodology that will provide the most benefit to your unique infrastructure and organization.
Now that you have a vendor selected who has designed a penetration test for your organization, it's time to actually conduct the penetration testing. Whatever style and methodology was designed for you, at its core, penetration testing is about ethically hacking or attacking your organization's security controls. Your security program has put in place security controls designed to reduce organizational risk and protect against potential threats. The penetration test should evaluate and test those security controls in order to measure their effectiveness.
One aspect of penetration testing that is rarely discussed is the role of the client during the engagement. Many clients simply schedule a window of time in which to conduct the engagement and wait for the final report documents. In my opinion, this is a missed opportunity to greatly increase the value of your penetration test. Additional benefits and value can be realized by playing an active role and being engaged throughout the engagement. Below are two areas where being an active participant can increase the value from your next engagement.
1. Treat the engagement as a live-fire opportunity and conduct active response.
- Actively attempt to defend and prevent the vendor from gaining access. View them as you would any outside attacker.
- Implement your CSIRT (Computer Security Incident Response Team) procedures and treat this as a live exercise for them. Do they respond properly? Do your procedures provide adequate coverage?
- Conduct and evaluate your incident response plan. Were any gaps identified?
- Did you have the visibility to respond to the attackers? What steps can be taken to increase that visibility?
2. Map the engagement to your security controls and evaluate their effectiveness. Ask questions about how and why the controls succeeded or failed.
- Did your IDS system detect or prevent the access? Why or why not? Do the rules need to be tuned? Do additional rules need to be created? Was it monitoring the correct networks?
- Did your firewall stop the intruders? Why or why not? Do the rules need updating or tuning?
- Did your log monitoring solution alert the right personnel? Were the right logs captured for your incident response? What logs did you need?
- Did your file-integrity monitor perform as expected? Did it detect or prevent the compromise?
- Were your policies and procedures properly followed? Did they provide meaningful guidance and direction?
- Were your employees properly trained? What training areas need to be addressed or refreshed?
These questions and activities are just a sampling of the benefits that can be obtained from participating in your penetration test. At the end of the day, many clients only view the penetration test from a vulnerability standpoint. They want to know what vulnerabilities were discovered so they can patch and move on. While correcting vulnerabilities is always an important remediation step, by playing an active role and custom tailoring the testing to your organization, you can get the most value from your next penetration test.