Keith Buzzard, Chief Security Architect
When arriving on site to undertake penetration testing, one very quickly gets a sense of how the local IT staff work. Sometimes we are greeted as a member of the team, coming in for a period of time. On other visits, we are treated very much like visiting auditors and provided only with the minimum resources necessary to carry out our task.
Of course, I can understand both reactions to a Penetration Tester arriving on site: for some teams, we are there to audit their efforts to produce a secure network; for others, we are there to confirm that their job has been executed to the highest standard.
Penetration Testers aren’t there to judge
It’s important to note that we don’t see network security flaws as a failure of the IT team. We understand that there are many variables within a company: insufficient resources, security risks that are often accepted as part of a cost avoidance programme, and sometimes a team simply isn’t aware of a potential issue because it sits outside their sphere of expertise. Either way, network insecurities are not a sign of professional failure, but almost always of insufficient resources to provide the ideal solution.
Response #1: We’re glad you’re here
Like any department, the IT team must do the best job possible within an allocated budget, while communicating the implications of these decisions to the management above them, who may not necessarily understand the threats. Sometimes this creates a situation where the local IT team will be extremely keen to point out problems with their own systems, because they want to ensure that these are included in the report to highlight the risks they represent. As a Tester, working with teams like this is a joy because they clearly want to flag risks and make sure that the business is aware of the implications.
Response #2: We would prefer you weren’t here
Conversely, some IT teams will allow the test to take place but do not offer assistance, feeling that this better emulates a ‘real attacker’. Such an approach may be more realistic, but unfortunately, as consultants, we are rarely allowed the time required to fully simulate an attacker’s methodology. The intimate knowledge IT teams have of their own systems can really speed up the process and ensure that nothing is missed, leaving time to delve into edge cases and for professional exchanges.
The outcome of penetration testing
Regardless of how we are received, the outcome of the work is a statement of discovered issues and risks. One question that I’ve been asked by clients on numerous occasions is: if we can identify the risks, why do we not fix them as part of the consultancy? This touches on one of the secrets of being a Penetration Tester. We can identify the risks, we can understand how each risk arises, and we can provide advice on how the issue should be resolved. But we often lack familiarity with the administration of the products involved to execute these changes ourselves. Given time, we could certainly figure this out, but that’s an inefficient use of resources. More vitally, we lack the understanding of the business that the local IT team possesses, and their expertise in the products in use.
Four tips to get the most out of penetration testing
A combative ‘us’ and ‘them’ approach is inefficient because, ultimately, when a Penetration Tester has finished the engagement, it’s the local team who will implement the solutions that improve network security. For this reason, working together to explain the issues to the IT department lets them ensure that their solution actually solves the problem, and lets the business benefit from the product-specific experts it employs.
1. Brief your IT team – There’s nothing worse than getting blindsided by an external provider coming to review network security. Communicating the when, why and how will ensure all parties are ready to work together.
2. Listen to your IT team – Your IT team are on the ground and can provide in-depth knowledge about the systems and products in use. Working with them to define the scope you give your penetration testing consultancy will ensure the right areas are being reviewed.
3. Implement recommendations from your Penetration Tester – The vulnerabilities found during penetration testing—regardless of the criticality—offer malicious actors an opportunity to gain access to your network. Therefore, it’s important to take remedial actions as soon as possible.
4. Conduct penetration testing at least annually or after every significant change – Threats are constantly changing because hackers are always looking for new ways to gain access to a network. Much like getting an annual MOT on your car, a regular penetration test will keep your networks healthy.
How PGI can help
Penetration testing is an important element of mitigating cyber risk. Our experienced Penetration Testers have worked across a range of industries, finding vulnerabilities that can easily be missed in web applications and IT infrastructure. Help your IT department secure your business and contact us to discuss how we can make the process easier: on +44 845 600 4403 or email us at firstname.lastname@example.org