Penetration Test – Expectation Vs Reality

Figuring out what actually constitutes a penetration test can be a surprisingly tough question to resolve. Between scanning vendors' exaggerated claims and a misunderstanding of what real-world penetration testing can produce, it can take a CISSP to untangle the details. However, by the end of this post, you'll know what real-world penetration testing ought to look like and a few of the considerations you should discuss before hiring a firm like Open Security.

Myth 1: Testing like a “real hacker”

Thanks to Hollywood, the most common view of any activity even tangentially related to "hacking" is of elite kids blasting past firewalls on skateboards. Unfortunately, the real job is much less dramatic and, far more importantly for you as a client, time-consuming. Very often, tests will be scoped to a couple of weeks, or even just one. Given enough time, every penetration tester worth their salt will confidently claim they can bypass any defense when allowed to use any technique. Not many will say the same when boxed into only a week, with significant limitations in place to avoid social engineering or affecting production.

Help us help you by providing initial access to your network or your application's administrative back end at the beginning of your engagement. Time not spent trying to bypass defenses like firewalls and intrusion prevention devices is time spent enumerating risk. Giving such access doesn't have to mean the scope of the engagement can't include your perimeter. Still, it will dramatically speed up testing by allowing us to properly vet the risk of any vulnerabilities found. Additionally, inside access will allow our testers to prove out what your worst-case scenarios are in the event of a breach, ranging from leaked personally identifiable information to ransomware.

Myth 2: Our Vulnerability Scans are Penetration Tests

Many products on the market claim they can provide you with an accurate assessment of your network or application. However, scanners are always limited to the signatures provided by vendors and the community. Because of this, these tools will often miss even well-known vulnerabilities; unless the tool has a perfect signature match, it can't possibly know a service is still vulnerable.

Most importantly, a vulnerability scan cannot provide the full context of risk associated with any given vulnerability. The critical and low severity ratings that these tools report are too generic to be useful to every single organization that utilizes them. And rarely can a scanner realize that certain combinations of vulnerabilities can add up to a critical situation.

A proper penetration test will cut through all this uncertainty. The provided report will contain the necessary context to show why a critical vulnerability truly is critical, or which lows can allow a threat actor far more access than a scanner believes possible. Thanks to hands-on verification, all the findings in a report will accurately reflect the state of your network or application. No false positives to sort through here! Reports will also come with the steps necessary to resolve any discovered issues, helping both management and IT determine the best order in which to tackle the hard problems that may appear.

Myth 3: Report Delivered; Testing Complete

Speaking of providing remediation, a penetration test shouldn't end for you when the report is delivered! Plans should be in place for fixing any major issues discovered during the penetration test. This will often include roping in developers, IT, and management to coordinate the fix together. Open Security will also continue to provide support with any remediation-related testing, verifying the fixes that are put into place.

Depending on the style of engagement you request, there may also be lessons-learned meetings with both Open Security testers and various parts of your security organization. Showing your Security Operations Center how we moved without being detected, or vice versa, is often the most insightful part of this entire process and shouldn't be ignored.

Reporting can also provide you with a way to cut through the marketing speak and see what the various penetration test vendors will actually deliver. Ask for an example report, and review it critically to make sure the contents aren't just a copy of a scanner's output. A great report will provide you with both context and next steps.

Myth 4: Compliance = Security

Many of our customers have to deal with various compliance regimes, such as HIPAA and PCI. While both of these have various security mandates, they often do not reflect the industry’s current state.

For example, the first PCI requirement states, "Install and maintain a firewall configuration to protect cardholder data." While this is very sound advice, it is also the bare minimum of what a business can implement to protect its networks. Nowhere does PCI mention utilizing tools such as Intrusion Detection/Prevention Systems, Data Loss Prevention, or forcing all outbound traffic through a proxy system for further inspection. Nor is there any mention of utilizing active countermeasures such as honeypots and honey tokens, poisoned documents, and directory labyrinths. As a side note, if this is your first time hearing about offensive countermeasures, check out a phenomenal talk from our own Matt Toussain on the topic.

All this is to say, you can avoid implementing basic tools such as a SIEM for log aggregation and still be PCI compliant! While the various compliance regimes may provide your business with legal cover in the event of a breach, that won't be of much help to your reputation with your customers. A great penetration test can provide you with both peace of mind and the next steps necessary for your organization to be truly secure.

Wrap Up

Finding a great penetration test firm can be challenging. It is even tougher when many vendors are making misleading claims about what they'll provide. At Open Security, you're always guaranteed a professional team of testers who will work with you before, during, and after your test. We pride ourselves on both our first-in-class engineers and first-in-class customer service. Don't just take us at our word; please reach out if you'd like to discuss your needs further or want to see an example report yourself!