
Paying someone to hack your own organization may sound preposterous at first. But, done properly, so-called penetration testing can help your organization improve its security. Due to compliance requirements, regulatory mandates, or a business need to better manage risk, an increasing number of organizations are turning to penetration testers with a goal of improving security. But not all penetration tests are created equal.
To get real business value from a test, here are 5 items you can ask your pen testers to provide in their report.
1. Action items that help you better manage risk
Pretty much every penetration test report includes specific recommendations for addressing each discovered vulnerability. That’s all good and useful, but ask your penetration testers to group related findings together so you can manage risk more systematically. Instead of playing whack-a-mole with individual findings, have the penetration testers discuss how groups of findings might be related and how they can be addressed through process and procedure changes on top of the individual technical fixes. After all, most technical vulnerabilities are actually the result of a process problem. Fixing the individual technical issue is just a band-aid, and the issue will recur if you don’t get to the root cause of the problem.
2. Comparison to similar organizations
Ask your penetration testers to report on how your organization compares to other similar organizations. Is your security better than, worse than, or about the same as your near peers? Discuss with them their experience in testing organizations in your industry, organizations similar in size to yours, and organizations facing similar threats. Pen test companies with multiple customers in your industry can help you understand how your security posture compares with others. In-house pen testers (your own employees) can go even further, comparing the results of various business units to help differentiate those that are relatively more secure from those that are less so.
3. Positive findings
Surely, you are doing something right. Most pen test reports, however, deal exclusively in the negative, indicating vulnerabilities and making recommendations for fixes. Insist that your pen testers include at least some positive findings so that your organization knows what it is doing right and can continue those practices. Also, having a spoonful of sugar in the pen test report can help make the medicine of fixing the significant problems go down more smoothly.
4. Help with prioritization
Most pen test reports rate findings as High, Medium, or Low risk. But where do you start implementing your fixes? Well, at high-risk findings, of course. But, if you have a dozen high-risk findings, which of those do you work on first? Pen testers can help by providing not only an indication of the risk impact (High, Medium, or Low) but also an estimate of the ease of exploitation (again, High, Medium, or Low). That way, your organization can prioritize fixes for the highest impact findings that have the highest ease of exploitation for a would-be attacker.
5. Techniques for verifying a fix is in place
Your pen testers can provide even more value in their report if they include a description of how to verify that your operations team has properly fixed each finding. For example, in addition to making a recommendation for an individual technical problem, your report could include brief instructions on how to check the fix, by verifying that a patch is installed, that a config change has been made successfully, or that certain filters are in place. That way, your ops team can check for itself that the desired fixes have been made, giving them more insight into the solution. Now, not every finding in a pen test report lends itself to this kind of step-by-step remediation checking. For example, some significant web application vulnerabilities, like cross-site scripting or SQL injection, may require a more detailed re-test by a skilled pen test expert. But many fixes can be checked by competent sys admins armed with the right advice from penetration testers.
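As an added illustration of item 5 (not code from the article or its author), here is a small Python harness that turns the three kinds of fix check the article names, patch installed, config change made, filter in place, into repeatable checks an ops team could run per finding. The finding names, versions, config text and filter rules are constructed sample data, not real hosts or real vulnerabilities.

```python
# Added example: per-finding remediation checks of the kind item 5 describes.
# All inputs below are constructed sample evidence, not data from a live system.

def version_tuple(v):
    """'2.4.57' -> (2, 4, 57), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def patch_installed(installed, fixed_in):
    """Pass when the installed version is at least the version that fixes the finding.
    Caveat: vendors that backport fixes keep the older upstream version number,
    so for those packages check the package changelog rather than the version."""
    return version_tuple(installed) >= version_tuple(fixed_in)

def config_directive(config_text, key, expected):
    """Pass when the last effective (non-comment) occurrence of `key` equals `expected`.
    The last occurrence wins because later directives override earlier ones."""
    value = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            value = parts[1]
    return value is not None and value.lower() == expected.lower()

def filter_blocks(rules, port):
    """Pass when the first rule matching `port` denies it (first-match filter semantics)."""
    for action, rule_port in rules:
        if rule_port in (port, "any"):
            return action == "deny"
    return False  # nothing matched: implicit allow, so the filter is not in place

# Constructed sample evidence, as an ops team might collect it after remediation.
SAMPLE_CONFIG = """
# hardening changes made after the pen test
ServerTokens Full
ServerTokens Prod      # later directive overrides the earlier one
TraceEnable Off
"""
SAMPLE_RULES = [("allow", 443), ("deny", 23), ("allow", "any")]

FINDINGS = {  # hypothetical finding names mapped to their verification check
    "outdated-web-server": lambda: patch_installed("2.4.57", "2.4.56"),
    "version-banner-disclosure": lambda: config_directive(SAMPLE_CONFIG, "ServerTokens", "Prod"),
    "trace-method-enabled": lambda: config_directive(SAMPLE_CONFIG, "TraceEnable", "Off"),
    "telnet-reachable": lambda: filter_blocks(SAMPLE_RULES, 23),
    "smb-reachable": lambda: filter_blocks(SAMPLE_RULES, 445),
}

def verify_all(findings=FINDINGS):
    """Return {finding: True/False} so the ops team sees which fixes still need work."""
    return {name: check() for name, check in findings.items()}
```

With the sample data, every check passes except "smb-reachable", because the rule list only denies port 23 and then allows everything else.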
These 5 tips can help your organization get even more value from its penetration tests. It’s important to recognize that each tip involves the penetration tester going the extra mile in supporting your business from a risk management and operations perspective. That extra business value may require more time from penetration testers, and could increase the cost of the project. But, in the end, you’ll get more actionable, meaningful pen test results that help improve your security stance over the long run.
Very educational, Mr. Skoudis. I also really liked your presentation for HackFormers, especially talking about your day and how you keep up with security. Thank you.