Previously, we talked about the timing of pen testing. The optimal time to test something is before it goes to prod and once a year thereafter, unless there is a significant change that could materially affect security. We also discussed in that article that white hat testing is the best method, because most attackers have some kind of inside information on the business they want to exploit. But those aren't the only considerations with pen testing; there are others, which we highlight today.
One of the first things to note with pen testing is that you should always make some of your employees aware. You want them to be on top of their game with security protocols at work, but you also want everyone to have a way to flag that these are innocuous security incidents. Flagging the incidents lets your security team know that an event is part of the test and that they don't need to take action against it.
However, you can also use the pen testing process to check your incident response. In this case, you would not tell your staff that the test is happening, because you want to see how your security team responds to an attack. How long did it take them to notice? What was the first thing they did? Did they isolate the infected machine from the internal network but leave it connected to the broader internet, or did they pull the plug? Where are the areas of opportunity, or did everyone do exactly what they were supposed to do?
Ideally, someone higher up in the department should know that this test is happening and quell the response at some point. You don't want to burn capital or risk missing real incidents, but it is possible to use a pen test for this reason, and it will show you whether your security team is responding appropriately to incidents.
The most important consideration during the pen test process is watching for, and learning, the patterns in what comes back from a pen test. The same is true for security audits: learning the patterns is important. What are the patterns of vulnerability? What is being done poorly over and over? What are the patterns of escalation? What can you expect from the attackers? What is new that wasn't accounted for when your system was built? This is why annual pen testing is important: you're not rebuilding your entire system every time you do an update, but attackers change their tactics on a regular basis. So what's new and different that now needs to be addressed?
Look for those patterns and escalate them, especially those around authentication, credentialing and authorization. Looking at the core of least privilege, IAM controls and other fundamental security protocols, and seeing what patterns surround those processes, will help secure your app, your systems and your network.
Really, the biggest thing to know about pen testing is to do it before an app goes to prod, ensuring its safety before you put it out there. Testing annually (at least) in prod, to make sure there is no significant difference in that environment, is also crucial, but you don't put a lock on a door and hope it works for a year before you try it. Businesses should ideally know what's going on with their app or feature before it's put into prod, especially if it's a high-risk system.
As long as a system is in an environment with parity, it doesn't matter whether it's actually consumer facing when it's tested, as long as the testers have what would be consumer-facing access. It's definitely better to have them pop it with consumer-facing access and example data than to pop it and have actual consumer data stolen. Once it's in the wild with real data, it may not be the pen tester who gets there first.
One final note about pen testing is that sometimes the test will surface scenarios in which it is likely that you have already been infiltrated. Maybe you missed a patch and some bot is on the loose hitting easy targets. Then you need to look at whether those scenarios are serious and need investigation to determine whether there was a breach. If there was: is it still going on or is it over, have you been hacked in the past, are there more incidents that need investigation, and what is the impact? Pen testing creates awareness, especially if you learn the patterns. Once you have that awareness, it's important to recognize where to put your energy. You certainly don't want to investigate an incident that had zero impact; you do, however, want to investigate an incident which exposed information.
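As an added example (not from the original post), here is a small Python deconfliction check that serves two of the points above: giving the security team a way to tag announced test activity as innocuous, while never dismissing an alert just because it arrived during the test window, since a test can overlap a real intrusion. It assumes the SOC holds the tester's source ranges, the engagement window and the in-scope targets from the rules of engagement; the addresses, window and alerts here are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

UTC = timezone.utc

# Constructed rules of engagement for a hypothetical announced test: the
# source range is a documentation prefix and the target range is made up.
ROE = {
    "tester_sources": [ip_network("203.0.113.0/24")],
    "window": (datetime(2024, 5, 6, 8, 0, tzinfo=UTC),
               datetime(2024, 5, 10, 18, 0, tzinfo=UTC)),
    "in_scope_targets": [ip_network("10.20.0.0/16")],
}

@dataclass
class Alert:
    ts: datetime   # when the SOC saw it (UTC)
    src: str       # source IP
    dst: str       # destination IP
    rule: str      # detection that fired

def _in_any(addr: str, nets) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in nets)

def triage(alert: Alert, roe: dict = ROE) -> str:
    """Tag an alert as announced test activity only when every ROE condition
    holds; anything else stays 'investigate', so a real intrusion that
    overlaps the test window is never waved through."""
    start, end = roe["window"]
    in_window = start <= alert.ts <= end
    from_tester = _in_any(alert.src, roe["tester_sources"])
    on_scope = _in_any(alert.dst, roe["in_scope_targets"])
    if from_tester and in_window and on_scope:
        return "test-activity"
    if from_tester and not on_scope:   # tester strayed, or someone borrowed their range
        return "investigate:out-of-scope-target"
    if from_tester:                    # right source, wrong time
        return "investigate:outside-window"
    return "investigate:unrelated-source"

# Constructed sample alerts: three during the window, one after it.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 5, 7, 10, 15, tzinfo=UTC), "203.0.113.7", "10.20.3.9", "ssh-bruteforce"),
    Alert(datetime(2024, 5, 7, 10, 20, tzinfo=UTC), "203.0.113.7", "10.99.0.2", "port-scan"),
    Alert(datetime(2024, 5, 7, 11, 2, tzinfo=UTC), "198.51.100.23", "10.20.3.9", "ssh-bruteforce"),
    Alert(datetime(2024, 5, 12, 9, 0, tzinfo=UTC), "203.0.113.7", "10.20.3.9", "web-scanner"),
]
```

Only the first sample alert is attributable to the test; the third one (same detection, same target, unknown source) is exactly the "some bot is on the loose" case and stays in the queue.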
Pen testing is an important practice, and it's definitely one you need to hire an outside source to complete. But don't just walk away from your tester: make sure you look at their findings, have them help you learn to recognize the patterns, and have them show you where vulnerabilities lie. Be an active participant in your business. The more you know, the more successful you will be.