Security testing is an invaluable tool to help understand the effectiveness of your security strategy.
But it doesn’t come without challenges. Despite the importance of penetration testing, many businesses struggle to maximise the value and effectiveness of the service.
We believe that every business deserves to have complete confidence in its security strategy, which is why we want to shed light on the top challenges we see from the pen testing frontline.
Do you want to overcome these challenges and maximise value and ROI for your next penetration test? Read on to find out more!
Challenge 1: How clearly defined is your pen testing scope?
Penetration testing should be performed regularly to uncover security issues (learn more about how often to perform penetration tests). It is an intensive process, involving hands-on analysis and a range of testing tools. But some of the most crucial work happens before the testing starts.
The scoping phase shapes the success or failure of the entire test. With so many areas of your business to test, it is easy to fall into the trap of creating a scope which is too broad.
With ‘scope creep’ you often fail to focus on high-priority areas.
The tester may not have the time to do an in-depth evaluation of your systems or data security, resulting in surface-level insights.
The best way to overcome this is by following a threat modelling approach. This will help you understand the threats you face and your biggest security risks. You can then focus testing around these key areas.
Scope creep also becomes a challenge when a scope is agreed and an ‘Authorisation to Proceed’ (ATP) is signed by the customer before the test starts, but once testing begins, they want additional areas included in the test.
There are several reasons why this is problematic. First of all, penetration testers are legally required to get signed consent to test systems before proceeding.
This consent should outline exactly which networks, systems and applications are included; testing outside of these defined parameters is a breach of the Computer Misuse Act.
Secondly, a scope is used to establish how long the test, analysis and reporting will take.
If additional time is needed, this can lead to additional costs which aren’t budgeted for further down the line.
A clearly defined scope means outlining what you want included in the test, but also what you don’t want.
For instance:
- Are you happy for testers to exploit vulnerabilities which could lead to service disruption?
- Can the test be carried out during normal business days and hours?
- Has your team been informed of the test?
- Can we use social engineering methods to gather more information?
- Are there certain applications or networks you want to exclude?
- Are you looking for a vulnerability assessment (which involves automated testing) or a penetration test?
Establishing clear rules of engagement ensures that testing goes smoothly, without network disruptions or misunderstandings.
So how can you overcome this?
Before developing the scope for your next pen test, it’s helpful to consider where your most critical data is stored (not just in an application or on your internal network). An overly narrow scope will lead to limited insights.
Think about your overarching security goals and the realistic threats you face. You can then create firm parameters that will lead to valuable insights.
Here at Equilibrium, we run scoping workshops before each of our pen testing engagements. We encourage all relevant members of your team to attend. These sessions allow us to gain insight into your business, understand high-priority areas and gather the information required to create a well-defined scope.
From the outset, we ensure we’re on the same page. Before asking for the ATP to be signed, we confirm that everyone is happy with the testing parameters. We also make it understood that we are only able to test the areas within the signed document.
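The rules-of-engagement questions above (exploitation, testing hours, exclusions, social engineering) only protect you if they are actually enforced once the ATP is signed. The following is an added example, not Equilibrium’s code or part of the original post: a small pre-flight check that a testing team can run against each planned action before it happens, refusing anything that falls outside the signed scope or the agreed window. The networks, hostnames, times and the `RULES_OF_ENGAGEMENT` structure are constructed placeholders, and the function names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress

# Constructed example rules of engagement (an encoded ATP). The CIDRs, hostnames
# and times are placeholders, not any real engagement's scope.
RULES_OF_ENGAGEMENT = {
    "in_scope_networks": ["10.20.0.0/16", "192.0.2.0/24"],
    "in_scope_apps": ["portal.example.test", "api.example.test"],
    "excluded_hosts": ["10.20.5.10"],           # e.g. a production database the customer excluded
    "excluded_apps": ["payments.example.test"],
    "testing_days": {0, 1, 2, 3, 4},             # Monday=0 ... Friday=4
    "testing_hours": (time(9, 0), time(17, 30)),
    "exploitation_allowed": False,               # customer asked for no disruptive exploitation
    "social_engineering_allowed": False,
}

VALID_ACTIVITIES = {"scan", "exploit", "social_engineering"}


@dataclass
class Decision:
    """Outcome of a pre-flight check; `reasons` is empty when allowed."""
    allowed: bool
    reasons: list = field(default_factory=list)


def _host_in_networks(host, networks):
    """True if `host` is an IP address inside one of the in-scope CIDRs."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:            # a hostname, not an IP literal
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def check_activity(roe, target, activity, when):
    """Decide whether `activity` against `target` at datetime `when` is covered
    by the signed rules of engagement `roe`. Every failed condition is recorded
    so the tester can see exactly why an action was refused."""
    reasons = []

    # 1. The target must be explicitly in scope; an explicit exclusion always wins.
    if target in roe["excluded_hosts"] or target in roe["excluded_apps"]:
        reasons.append(f"{target} is explicitly excluded from scope")
    elif not (_host_in_networks(target, roe["in_scope_networks"])
              or target in roe["in_scope_apps"]):
        reasons.append(f"{target} is not in the signed scope")

    # 2. The kind of activity must have been authorised in the ATP.
    if activity not in VALID_ACTIVITIES:
        reasons.append(f"unknown activity {activity!r}")
    if activity == "exploit" and not roe["exploitation_allowed"]:
        reasons.append("exploitation was not authorised in the ATP")
    if activity == "social_engineering" and not roe["social_engineering_allowed"]:
        reasons.append("social engineering was not authorised in the ATP")

    # 3. The action must fall inside the agreed testing window.
    start, end = roe["testing_hours"]
    if when.weekday() not in roe["testing_days"] or not (start <= when.time() <= end):
        reasons.append(f"{when:%a %H:%M} is outside the agreed testing window")

    return Decision(allowed=not reasons, reasons=reasons)


def review_plan(roe, plan):
    """Split a list of (target, activity, when) tuples into the actions that may
    proceed and those that must be raised with the customer before any change
    of scope is signed off."""
    allowed, blocked = [], []
    for target, activity, when in plan:
        decision = check_activity(roe, target, activity, when)
        (allowed if decision.allowed else blocked).append((target, activity, decision.reasons))
    return allowed, blocked


if __name__ == "__main__":
    tuesday = datetime(2024, 3, 5, 10, 0)      # constructed date inside the window
    saturday = datetime(2024, 3, 9, 10, 0)     # constructed date outside the window
    ok, refused = review_plan(RULES_OF_ENGAGEMENT, [
        ("10.20.1.5", "scan", tuesday),
        ("10.20.5.10", "scan", tuesday),
        ("10.20.1.5", "exploit", tuesday),
        ("portal.example.test", "scan", saturday),
    ])
    for item in refused:
        print("REFUSED:", item)
```

The point of `review_plan` is that a request to “just add one more host” mid-test surfaces as a blocked item with a reason, rather than being quietly tested; the fix is an updated, re-signed ATP, after which the rules-of-engagement record is changed and the plan re-run.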
Challenge 2: Holding back on exploiting security holes
When exploiting vulnerabilities, there is a risk of disruption to business operations.
Some customers are concerned about the impact of a test and would prefer a more reserved approach to ‘hacking’ their systems.
But in real life, would a hacker hold back?
The aim of a security assessment is to identify high-risk weaknesses and whether an attacker could exploit them. Without simulating a real-world attack, you won’t get realistic insights.
Luckily there is a way of achieving a middle ground. If there is no way of testing your live infrastructure, it is possible to set up test environments. These allow ethical hackers to ‘let loose’ and test your systems without restrictions.
Challenge 3: Implementing pre-requisites and providing technical information
To ensure a test goes smoothly and to prevent delays, technical information and access is needed in advance of the test.
If test accounts, IP addresses, network information, access credentials and any other required information are not shared in time, we are unable to proceed with testing.
There are also certain pre-requisites which need to be implemented before a test.
These are outlined in a documented Statement of Works. They can vary from test to test but are imperative to the smooth running of an assessment.
Often, we discover mid-test that pre-requisites aren’t fully implemented. This can lead to testers spending more time troubleshooting rather than delivering the purchased service, which can also have a knock-on effect on meeting important timeframes.
How to overcome this?
We like to make allowances for wait times and delays. We understand that it is not always straightforward when the departments that control networks and security systems are based overseas, or when a third-party provider manages them.
We aim to schedule kick-off calls a few weeks in advance. We encourage all relevant parties to join so that we can help facilitate a smoothly run service from scoping and planning through to testing.
To ensure your test can go ahead as planned, it is important to request access and gather technical information early in the planning stage. This way we can stay on track with your key timeframes.
Challenge 4: Scoping to a budget
Often there are many objectives you would like to achieve, but the funds available won’t cover the level of insight required.
So, what is the solution?
We can provide a pared-back service, but this won’t provide the same meaningful insights; it will be more of a ‘tick-box’ style assessment with a limited view into your security effectiveness.
If your budget isn’t flexible, prioritise your biggest risks. We can then design a more in-depth review around these areas, so your money is better spent.
Challenge 5: Have an open dialogue with your security testers
Our penetration testers often find they have spent time working through a bug, only for the client to say after the test is complete: “we are aware of that one, it will be fixed in an upcoming release”.
If there are known bugs on your systems which are scheduled to be patched, make your tester aware before the test begins. This way they can focus their time on finding and exploiting unknown security weaknesses.
Another thing we find is that clients aren’t always open with testers about their biggest security concerns. For instance, if you’re an insurance firm, your threat model probably includes attackers that are trying to exploit industry-specific systems and processes.
Tell your pen testers:
“Hey, this functionality is something we’re specifically worried about: if someone was able to get to this particular column of the database, or to view this part of the app as a particular user type, that’d be bad news for us”.
Although there can be penetration testing problems, the benefits of pen testing far outweigh them.
Careful planning, communication and understanding your key security risks can help you get the most out of your next test.
We like to think we run our testing services like a well-oiled machine. We’re always looking for ways to hone our processes, sharpen our skills and dig deeper on scoping calls. Providing surface level insights isn’t enough for us. It’s our job to get to the nitty-gritty.
To ensure your next pen test is plain sailing, work closely with your penetration testing supplier to address these challenges.
On the lookout for a trusted UK penetration testing company?
If you would like to chat to our team of experts, you can call us on 0121 663 0055, start a live chat or email enquiries@equilibrium-security.co.uk.
Ready to achieve your security goals? We’re at your service.