Three Actionable Steps To Take Following Your Penetration Testing

It’s easy to forget the long-term purpose of vulnerability and penetration testing. No, it’s not about checking a box. It’s not about appeasing customers or business partners. Nor is it about meeting compliance or audit requirements. Instead, it’s about minimizing business risks. Sure, demonstrating due care in the eyes of others and meeting regulatory requirements is a nice side-effect of this testing. Still, it’s all about the business: finding weaknesses, acknowledging blind spots, taking the steps necessary to close the gaps, improving IT resiliency, and strengthening the overall business.

The thing is, there’s more to vulnerability and penetration testing than meets the eye. You must look beyond the traditional, sometimes hurried, process of test-report-repeat. If you wish to derive true value from your testing efforts, and keep people on board with your security program, there are three main areas to address beyond your testing:

1. Collect and analyze

How are you prioritizing your findings? Do you simply take your vulnerability scanner results and focus on the criticals and highs? Or, do you take a manual approach and assign priorities based on what you know (or assume) the risk to be?

The ideal scenario is to use the scanner rankings as a guideline but then use your knowledge of your own network, security wisdom, and common sense to balance things out based on what’s best for the business. Many people take this approach, especially when a third-party is used to perform this testing. However, I’ve found that many others are so covered up with work that they don’t have the luxury of looking past the vulnerability scanners to tend to the IT and security operations issues that are creating the vulnerabilities in the first place.

Furthermore, everyone seems to have their own idea of critical, high, and moderate-rated risks. One of the best questions you can ask is: What are our highest-payoff tasks? In other words, what vulnerabilities – if mitigated – will provide you with the greatest return on your investment?

Do what you can to bring these factors into your test scope before you get rolling. This will ensure that standards have been established and everyone is on the same page during the post-testing analysis.
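The balancing act described above, scanner rankings as a starting point and business context layered on top, can be made explicit and repeatable. The following is an added example written for this article, not code from the author or any scanner vendor: the Finding fields, the numeric severity scale and the context multipliers are all assumptions chosen for illustration, and the sample findings are constructed. It ranks the same findings two ways, by scanner severity alone and by "payoff" (risk retired per person-day of remediation effort), to show how the two orders differ.

```python
"""Risk-based ranking of assessment findings (added example, not from the article).

The Finding fields, the severity scale and the context multipliers are
assumptions for illustration; tune them to your own environment.
"""
from dataclasses import dataclass

# Scanner severity mapped onto a numeric base score (assumed scale).
SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "moderate": 5.0, "low": 2.0}
# Business context the scanner does not know about (assumed multipliers).
CRITICALITY_WEIGHT = {"crown-jewel": 2.0, "business": 1.0, "lab": 0.4}
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}
EXPLOIT_WEIGHT = 1.3  # applied when public exploit code exists


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    scanner_severity: str
    asset: str
    asset_criticality: str
    exposure: str
    exploit_public: bool
    remediation_days: float  # estimated effort to fix, in person-days


def risk_score(f: Finding) -> float:
    """Scanner severity adjusted for asset value, reachability and exploitability."""
    score = (SEVERITY_SCORE[f.scanner_severity]
             * CRITICALITY_WEIGHT[f.asset_criticality]
             * EXPOSURE_WEIGHT[f.exposure])
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    return round(score, 2)


def payoff(f: Finding) -> float:
    """Risk retired per person-day of effort: the 'highest-payoff' measure."""
    return round(risk_score(f) / max(f.remediation_days, 0.5), 2)


def scanner_ranking(findings):
    """The order you get by sorting on scanner severity alone (stable sort)."""
    ordered = sorted(findings, key=lambda f: SEVERITY_SCORE[f.scanner_severity], reverse=True)
    return [f.finding_id for f in ordered]


def payoff_ranking(findings):
    """Business-adjusted order: highest payoff first."""
    return [f.finding_id for f in sorted(findings, key=payoff, reverse=True)]


# Constructed sample findings (hypothetical assets and titles).
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in customer portal", "critical",
            "portal01", "crown-jewel", "internet", True, 5.0),
    Finding("F-2", "Default credentials on lab switch", "critical",
            "lab-sw01", "lab", "isolated", True, 0.5),
    Finding("F-3", "Missing HTTP security headers", "low",
            "www02", "business", "internet", False, 1.0),
    Finding("F-4", "Unpatched SMB service on file server", "high",
            "file01", "crown-jewel", "internal", True, 2.0),
    Finding("F-5", "Outdated TLS on internal wiki", "moderate",
            "wiki01", "business", "internal", False, 3.0),
]


if __name__ == "__main__":
    print("scanner order :", scanner_ranking(SAMPLE_FINDINGS))
    print("payoff order  :", payoff_ranking(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=payoff, reverse=True):
        print(f"{f.finding_id} risk={risk_score(f):5.2f} payoff={payoff(f):5.2f} {f.title}")
```

With these weights the "critical" default credentials on an isolated lab switch drop to third place, while the "high" unpatched file server on a crown-jewel asset moves to the top: that is the kind of adjustment the paragraph above asks for, and writing the weights down means the whole team argues about the same numbers rather than about gut feeling.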

2. Share and assign

Once you complete your vulnerability and penetration testing, your results can’t exist as vaporware. If vulnerability findings are not communicated well, they’ll have minimal impact and the risks will remain. Interestingly, I often come across vulnerability and penetration testing reports that never make it outside the IT department.

Again, if you’re going to obtain (and keep) buy-in on your security initiatives, your test results must be made known to all the right people. This includes everyone from developers and DevOps staff to legal counsel and executive management. Just remember that your findings need to be reported in terms that your audience(s) understand. This is especially critical for your report to management. Often, an executive summary report will suffice but it needs to have substance that they can digest. Spare the techie stuff but tie in specific findings where it makes sense.

In the end, recipients of your report need to be able to understand: 1) what the finding is, 2) what it impacts, and 3) what can be done about it. Ensure that priorities are understood, and that the appropriate person or team has taken ownership to see the remediation efforts through to completion.

3. Tweak your approach

There’s a saying, if you keep doing what you’ve always done, you’ll keep getting what you’ve always gotten. The growing network complexity and security threats that you face mean you simply can’t afford to keep doing the same things with your security assessments. Take a few minutes to step back and consider what you are currently doing well, and what you’re doing poorly in the context of security testing. Think about the one thing that, if you focused on it to the exclusion of everything else, would help you make the greatest strides in your security program.

Always dig further!

Consider these additional areas:

  • What new tools do we need to get better information in terms of security testing, visibility, and control? You’ll likely find that better endpoint protection, password policy management (such as what Specops Software has to offer), patch management and even network-level controls such as SIEM and CASB are needed. Your layered defenses are probably not as good as you think they are. Proper testing should uncover the big gaps. It could be that all you need are better security vulnerability and audit tools.

  • How can reporting be improved so that information is easier to understand and findings can be measured/tracked over time? This is big. Still, to this day, many of the vulnerability scanners and system configuration audit tools provide minimal value in terms of reporting. Ask yourself what is it that management is looking for that we didn’t get out of our reporting? What can be made better?

  • What processes need to be improved, adjusted, or stopped altogether? You’ll likely find many areas of opportunity, especially if you keep getting the same results or no results at all. Similar to the question above, what is it that management is looking for that you’re not getting out of your overall testing efforts?

  • What additional testing may be needed? It could be that you didn’t dive deeply enough into certain areas. What supplemental testing might need to be performed such as password cracking or detailed password configuration analysis, authenticated vulnerability scans, or even source code analysis? You could also integrate phishing with your tests, especially password testing. It’s frightening how easily users are willing to go beyond the click and give up precious login credentials when prompted in a well-crafted phishing email. You may need to change your rules of engagement altogether by performing authenticated testing, testing with and without security controls enabled and staff kept in the know. Something as simple as follow-up remediation validation testing within a specific time period can help keep things on track.
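Two of the points above, measuring findings over time and follow-up remediation validation within a set period, come down to the same mechanic: recognising the same issue across two assessments and checking its age against a deadline. The following is an added example written for this article, not code from the author or from any scanner: the findings are plain dictionaries with assumed field names, the SLA values are illustrative, and the two scan results are constructed. It diffs a previous and a current assessment into fixed, new and persistent findings, then flags persistent ones that have outlived their severity's remediation window.

```python
"""Tracking findings between two assessments for remediation validation
(added example, not from the article).

Finding fields and SLA values are assumptions for illustration.
"""
from datetime import date

# Assumed remediation deadlines per severity, in days from first detection.
SLA_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}


def fingerprint(finding):
    """Stable key so the same issue is recognised across scans."""
    return (finding["asset"], finding["check"])


def compare_assessments(previous, current):
    """Split findings into fixed (gone), new (appeared) and persistent (still there)."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    fixed = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    # A persistent finding keeps the date it was first seen, not the rescan date,
    # otherwise every rescan would reset the clock.
    persistent = [dict(curr[k], first_seen=prev[k]["first_seen"])
                  for k in sorted(prev.keys() & curr.keys())]
    return {"fixed": fixed, "new": new, "persistent": persistent}


def overdue(persistent, as_of, sla_days=SLA_DAYS):
    """Persistent findings whose age exceeds the SLA for their severity."""
    out = []
    for f in persistent:
        age = (as_of - f["first_seen"]).days
        if age > sla_days[f["severity"]]:
            out.append((f["asset"], f["check"], age))
    return sorted(out)


def remediation_rate(previous, diff):
    """Percentage of last assessment's findings that are now closed."""
    if not previous:
        return 0.0
    return round(100.0 * len(diff["fixed"]) / len(previous), 1)


# Constructed sample results from two assessments (hypothetical hosts and checks).
PREVIOUS = [
    {"asset": "web01", "check": "tls-weak-cipher", "severity": "moderate",
     "first_seen": date(2018, 11, 5)},
    {"asset": "file01", "check": "smb-signing-disabled", "severity": "high",
     "first_seen": date(2019, 1, 10)},
    {"asset": "lab-sw01", "check": "default-credentials", "severity": "critical",
     "first_seen": date(2019, 1, 10)},
]
CURRENT = [
    {"asset": "web01", "check": "tls-weak-cipher", "severity": "moderate",
     "first_seen": date(2019, 2, 12)},
    {"asset": "lab-sw01", "check": "default-credentials", "severity": "critical",
     "first_seen": date(2019, 2, 12)},
    {"asset": "web02", "check": "dir-listing-enabled", "severity": "low",
     "first_seen": date(2019, 2, 12)},
]
RESCAN_DATE = date(2019, 2, 12)


if __name__ == "__main__":
    diff = compare_assessments(PREVIOUS, CURRENT)
    print("fixed     :", [fingerprint(f) for f in diff["fixed"]])
    print("new       :", [fingerprint(f) for f in diff["new"]])
    print("persistent:", [fingerprint(f) for f in diff["persistent"]])
    print("remediation rate: %.1f%%" % remediation_rate(PREVIOUS, diff))
    for asset, check, age in overdue(diff["persistent"], RESCAN_DATE):
        print(f"OVERDUE {asset} {check} open {age} days")
```

The fingerprint is the part to get right in practice: scanner plugin ids and hostnames change, so key on whatever is stable in your environment (asset tag plus check name here, by assumption). A remediation rate and an overdue list are also the two numbers management tends to ask for when reporting is "made better", and they answer the "same results again" question directly.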

Instead of technical testing, you may just need to go with a higher-level security review that looks more closely at the business side of things in areas such as:

  • Security policies that exist but are not fully disseminated, understood, or enforced
  • Vendor management gaps that are facilitating unnecessary flaws in terms of applications, network connections, and user access controls. This is especially common where organizations over-rely on SOC audit reports.
  • Information asset discovery and classification combined with the necessary protection to keep things under wraps.
  • Incident response deficiencies such as not knowing what constitutes an incident, how incidents are going to be contained and recovered from, and how breach notifications must be handled. It’s rare for me to come across an incident response plan, much less one that’s well-documented and tested on a periodic and consistent basis.

You may already be doing some of these. Others, not so much. The important thing is that you look beyond the measured act of vulnerability and penetration testing and flesh things out into a formal business program. You can go it alone, but ideally, you need to discuss these things with your security team or committee. The goal should be to look at your overall security testing program with a more critical eye, so you can shape this into a core function that the business cannot live without.

Odds are that your business is highly dependent on the outcomes of your security assessments. You have to move beyond the mindset of “that’s the way we’ve always done it”. This means you must get started now and never stop improving. That’s different than just gaining more experience, often doing the same things over and over again. You can never have too much experience – as long as it’s good experience that you’re actually learning from.

Make sure you understand what you need before doing your security assessments. Technical requirements, business requirements, and even what’s expected from business partners and customers that will be reviewing your reports. Keep management in the loop so you can continue to foster those relationships as well. Without them, your security testing is of minimal value.

Being a successful security professional means being able to solve problems. There’s an opportunity to grow every time you test for security flaws, especially when problems arise. A true sign of security maturity is understanding that there’s always room to grow and get better. There’s a quote that says, “Is this as good as you’re going to get or are you going to get any better?” This is a great reminder that you do have things to work on. There’s always something additional that you can be doing. What is that? You’ll likely find it’s a lot of little things in support of what I’ve covered above.

About the author:

Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 30 years of experience in the industry, Kevin performs independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin can be reached at his website at www.principlelogic.com and you can connect with him on Twitter at @kevinbeaver.

February 18, 2019

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013