Penetration Testing: Best Practices for Identifying Vulnerabilities
Posted by: Victor Wieczorek
There is a phrase most of us have heard at some point: “You don’t know until you know.” It is an odd saying because it is so simple, and yet it holds a lot of truth. When we look at penetration testing, this statement rings true in every respect, because a penetration test shows us what is wrong and what can be used against us.
First, what is penetration testing? NIST defines penetration testing as “… a specialized type of assessment conducted on information systems or individual system components when it comes to identifying vulnerabilities that could be exploited by adversaries.” These tests take the point of view of an attacker to see how resistant your systems are and whether an attacker could reach your private information. This is an essential component of an organization’s overall information security strategy and program. Pen testing turns “what if” into reality by performing the adversary’s actions against the systems in play to prove their cyber resilience.
Now, not all penetration tests are created equal, and every test should be evaluated for quality and for whether it covers the proper areas of your environment. This evaluation should be something we do regularly, making sure the actual test is sound and that the targeted vulnerabilities are current. This leads many of us to the question: What penetration testing best practices should we know in order to identify, address, and mitigate security vulnerabilities?
To ensure that we are getting the best possible results of our tests, we should follow some penetration testing best practices in the following areas:
- Objectives
- Methodology
- Skill
- Monitoring
- Remediation
- Lessons Learned
First and foremost, defining the objective(s) is crucial to any project, whether it’s a penetration test or a new security solution. This is among the most important penetration testing best practices: define the goals up front so everyone stays sane. We need to identify why the pen test is being performed, what questions we are trying to answer, the scope, the time allowed, and the budget. Penetration tests are meant to help, and they can uncover skeletons in your security closet. This is why we need to take time at the beginning to prepare ourselves. Know what you are trying to achieve; since not all tests are created equal, it’s best to have a goal in mind so the testing team can perform the proper evaluation. Here are some typical concerns that drive penetration tests:
- “I want to see if we’re actually vulnerable.”
- “I think we’re vulnerable, but no one cares.”
- “I think our defenses are working but want to be more certain.”
- “I need help justifying this policy/procedure/tool/service.”
- “I have regulatory compliance requirements for a pentest – NIST, HIPAA, PCI, FFIEC, NYDFS (23 NYCRR 500), and FINRA.”
It’s crucial to determine any time and budget constraints so that you have a fair idea of what the testing team can accomplish.
Next, it is time to determine what type of testing should be done. Each penetration test has various components of its methodology that can be tuned and tweaked to meet budgetary constraints and answer specific questions. There is a time and place for a ‘full-scope’ penetration test. This often gives the pentester free rein to attack the environment based on their professional experience, and it is a sound choice for organizations that are new to pen testing or unsure about their security posture. However, it is often more efficient and effective to establish specific rules of engagement whenever possible. Options such as evasive versus non-evasive or blind versus full disclosure will have a dramatic impact on the results. For example, an organization new to penetration testing without much monitoring in place wouldn’t benefit from an evasive pentest in which the pentester tries to avoid detection. All that would do is slow the assessment down and significantly increase costs, forcing the pentester to be “low and slow” for no reason.
Skill is a big part of the testing process and will define the outcome. This is also among the most essential penetration testing best practices to become familiar with, because it drives budget and decision-making at many levels of a project. When you seek someone or a team to perform pen testing, you need to ask for specific things: their methodology, references, how they provide reporting, and their certifications. You are hiring them, so make sure that you are getting the outcome you want, and this starts with asking questions and requesting sample reports. Also, never be afraid to ask for a reference, and if one is given, always follow up with them. If you don’t have the skill in-house to perform the testing, seek outside help. It will be worth the additional cost in the end to have peace of mind that your environment is secure and that the testing was done by experienced professionals.
Monitoring is where you watch and interact with the testing team. Remember that a penetration test is a simulated attack on your environment. You will get reports from the group performing the testing, but if you just let them go without monitoring or exercising your security controls, your test will come back less than favorable. Use the testing time to put your security team and tools into action. Make sure that while the pen test is happening, your team is watching and noting the activity. This will lead to actionable intel about the environment and give your team practice against the attacker mindset.
Remediate, remediate, remediate. This is the point at which you have the results of your test: all the attacks that were carried out and the areas of your environment the team was able to compromise. With this intel, we can start to prioritize the vulnerabilities found and plan how we are going to fix them. This is what the whole test was performed for; it would be a shame not to put such actionable intelligence into action. When scoping, remember to carve out time after the test for remediation and validation, to ensure your environment is secure and your patching works. This is also a great time to look at your current security tools and see how effective they were at reporting the attacks and helping your security team stop or identify vulnerabilities and threats.
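One concrete way to do the post-test audit the monitoring and remediation sections call for is to reconcile the tester’s activity timeline (which a good report includes) against the alerts your own tooling raised during the engagement, so that every tester action is either matched to an alert or marked as a detection gap. The script below is an added example written for this article, not code from the author or GuidePoint; the timeline, the alert lines and the pipe-delimited export format are constructed sample data, and the 60-minute detection window is an assumption you would set from your own rules of engagement.

```python
"""Reconcile a pen tester's activity timeline with the alerts your security
tooling produced, to measure detection coverage and time to detect.

All data below is constructed sample data for this example, not real tool output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the tester's own timeline as delivered in the report
# (timestamp | tester source IP | action).
TESTER_TIMELINE = """\
2024-03-05T09:02:00 | 10.9.8.7  | external port scan of DMZ range
2024-03-05T09:40:00 | 10.9.8.7  | password spray against VPN portal
2024-03-05T11:15:00 | 10.9.8.7  | web app SQL injection probe on /login
2024-03-05T13:30:00 | 10.9.8.22 | lateral movement attempt via SMB
"""

# Constructed sample: alerts exported from the SIEM for the same day
# (timestamp | source IP | rule name). The last line is unrelated noise.
SIEM_ALERTS = """\
2024-03-05T09:05:30 | 10.9.8.7    | Port scan detected
2024-03-05T10:20:00 | 10.9.8.7    | Multiple failed VPN logins
2024-03-05T13:31:10 | 10.9.8.22   | SMB lateral movement
2024-03-05T14:00:00 | 192.0.2.50  | Port scan detected
"""


@dataclass
class Event:
    ts: datetime
    src: str
    text: str


def parse_events(blob):
    """Parse 'timestamp | source | text' lines into Event objects."""
    events = []
    for line in blob.splitlines():
        if not line.strip():
            continue
        ts, src, text = (part.strip() for part in line.split("|", 2))
        events.append(Event(datetime.fromisoformat(ts), src, text))
    return events


def detection_coverage(timeline, alerts, window=timedelta(minutes=60)):
    """For each tester action, find the first alert from the same source IP
    that fired within `window` after the action (assumed window; tune it from
    your rules of engagement). Returns (per-action results, summary)."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    results = []
    for action in timeline:
        match = next(
            (a for a in alerts
             if a.src == action.src and action.ts <= a.ts <= action.ts + window),
            None,
        )
        ttd = round((match.ts - action.ts).total_seconds() / 60, 2) if match else None
        results.append({
            "action": action.text,
            "detected": match is not None,
            "rule": match.text if match else None,
            "ttd_minutes": ttd,
        })
    hits = [r for r in results if r["detected"]]
    summary = {
        "total": len(results),
        "detected": len(hits),
        "coverage_pct": round(100 * len(hits) / len(results), 1) if results else 0.0,
        "mean_ttd_minutes": round(sum(r["ttd_minutes"] for r in hits) / len(hits), 1) if hits else None,
        # Actions with no matching alert are the detection gaps to fix alongside the vulnerabilities.
        "missed": [r["action"] for r in results if not r["detected"]],
    }
    return results, summary


def run():
    """Run the reconciliation on the constructed sample data."""
    return detection_coverage(parse_events(TESTER_TIMELINE), parse_events(SIEM_ALERTS))


if __name__ == "__main__":
    per_action, summary = run()
    for r in per_action:
        status = f"detected by '{r['rule']}' after {r['ttd_minutes']} min" if r["detected"] else "MISSED"
        print(f"{r['action']:<45} {status}")
    print(summary)
```

The per-action list is what you take into the lessons-learned meeting: a missed action is a gap in your tooling or rules regardless of whether the underlying vulnerability gets patched, and a long time to detect tells you the rule fired but too slowly for your response process. Matching on the tester’s source IP is deliberate, so that unrelated alerts from other addresses do not inflate the coverage number.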
Finally, we come to the lessons learned. This is something that really should be done in every project you perform. This is when your team can come together and discuss what to do better next time and how to handle the environment more securely. Start by asking whether all of your goals were met during the testing process; if not, note what must be covered in the next test. Review the information you received and make sure that the vulnerabilities found are not present in other parts of the environment and that they were not already exploited by someone else. This is a great time to adjust processes and current plans. For example, does your Incident Response plan cover the discovered issues or take into account the tactics used?
Penetration tests are a useful tool to help your organization understand how an actual attack on your systems would look. There are many penetration testing best practices to consider when approaching the subject, and the process should not be rushed. Take time to scope out the test, making sure you have all your goals defined. Get experienced people or teams involved in the testing process; performing the analysis without proper experience and skill will result in an ineffective test that will most likely not meet your goals. Monitor during the test and audit afterward to ensure your security tools are effectively alerting and helping your security teams. When the test is complete, remediate the vulnerabilities found and take action as appropriate based on the results. The test is performed for this reason, and these results should never be ignored. Lastly, we must take the time to look at the lessons learned. This is how our team’s and our organization’s security gets better as a whole; without these lessons, we just do the same things over and over. Remember that pen tests bring to light what we don’t know about our environment, and they bring truth to the statement: you don’t know until you know.
For more information on our penetration testing services and choosing the right test for your organization, check out our new White Paper: Examining Which Style of Penetration Test is the Best Fit for Your Organization.
About GuidePoint
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.
Contributing Authors
Victor Wieczorek, Practice Director, Threat & Attack Simulation at GuidePoint Security
Victor Wieczorek
VP, AppSec and Threat & Attack Simulation,
GuidePoint Security
Victor Wieczorek is an information security professional with a broad range of experience in both defensive and offensive security roles. His prior work included delivering various security projects to a wide spectrum of clients with a primary focus on penetration testing, social engineering and security architecture design. As a penetration tester holding both the Offensive Security Certified Expert (OSCE) and Offensive Security Certified Professional (OSCP) certifications, he has helped organizations identify a multitude of weaknesses with a focus on root cause remediation.
Prior to joining GuidePoint, Victor consulted for a global firm where he worked to mature and standardize the security assessment practice while leading various penetration testing engagements. Before that, he was a Systems Security Engineer focused on secure architecture design for multiple federal organizations. Victor has developed skills in effective communication with client stakeholders to detail security issues, illustrate business impacts, and consult on remediation efforts.
Victor earned a bachelor’s degree in computer and information technology from Purdue University and has held multiple professional industry certifications including Certified Information Systems Security Professional (CISSP), Payment Card Industry Qualified Security Assessor (PCI QSA) and Certified Information Systems Auditor (CISA).