Penetration testing is no longer an afterthought. Due to regulatory mandates, internal policies, business executive requests and the overall desire to avoid becoming the next breach victim, penetration testing is now commonplace among many organizations. The type of testing, however, remains a question. Do you need ad hoc testing, the as-needed event that takes place once or twice a year? Or do you need a managed testing program that is continuous and coordinated by an external or dedicated testing team?
With the exponential increase in cyberattacks and the historic shift to remote work, cybersecurity experts have had to step up preventative measures across the board. These preventative measures have evolved to include penetration testing as a routine part of the solution. Some security teams have been reluctant to implement a managed penetration testing program, instead opting for less frequent testing for several reasons, such as lack of resources and complexity of the network environment.
The best option for your organization depends on the number of tests you need to perform a year, the resources you have in-house and the skill sets that put those resources to use.
Whichever method of penetration testing you employ, there are ways to ensure that the testing is effective, and that security experts leverage the information and reports effectively.
How to Prepare for Penetration Testing
Regardless of the program used, there are housekeeping items to consider prior to a test. Before you dive into running an assessment, there are a few things you should do to get the most out of it:
- Determine the depth of testing: Decide how deep into the environment you want to examine.
- Schedule testing windows: Find a time that won’t disrupt your company’s schedule.
- Find and perform background checks: Test your tester! – Make sure the tester you’re using is reputable and reliable
- Create a virtual private network (VPN): Create a workspace – Setting up a VPN with separate accounts for testers keeps everything clear
- Establish rules of engagement: Discuss and establish boundaries for testers and communicate assets that are off-limits.
Once test results are in, there are a few more steps to take:
- Review the report: Understand the vulnerabilities and the associated impact.
- Facilitate remediation: Plan a course of action for remediating any risks found during the test.
- Schedule and perform re-testing: Schedule your next test to see how well the remediation worked and to patch any additional bugs if needed.
The pre- and post-testing checklists can overwhelm any security team. While these items may seem simple, in reality, they take time and require expertise to ensure everything is set up and completed correctly.
It may not seem like a long list of tasks but when done correctly, it can be a tedious process and sifting through the results can sometimes be a challenge. The testing and patching process can be made even more difficult when you have a management team looking over your shoulder and demanding results.
Imagine you are a company that is required to complete hundreds of tests each year by a certain deadline, for example, when an auditor is scheduled for a visit. Even if you have an in-house resource specifically dedicated to testing management, coordinating all of those steps for hundreds of tests can be impractical.
It may also happen that the person coordinating the testing is not a penetration testing expert, which can lead to important process oversights. If the person typically only manages the scheduling of consultants, and does not have relevant experience, they may not realize a tester needs a certain set of credentials. As a result, the hired penetration testers show up for the project but cannot begin, wasting company time and money.
Experience and expertise are also important factors when conducting testing. If the CISO doesn’t have much risk assessment experience, it is possible to miss important steps or processes that could leave you vulnerable, even after you implement the fixes. If you are hiring external testing teams, they may have to do the initial housekeeping for you, which will add to your costs.
Once the testing is finished, the person managing the testing program needs to work with the testers so that the team can understand and promptly fix the highest risk vulnerabilities. If the program manager lacks relevant experience, they may not understand what the findings mean and which actions to take to fix them — all while assets remain exposed to attackers for even longer.
Frequently testing produces a large volume of results and if your CISO doesn’t know how to read the results or how to prioritize the severity of the findings, it can seem like there is no way to remedy the vulnerabilities. The person managing the test must also have the experience to understand how to actually implement the fixes. This can be more difficult than expected, and the longer you take to learn to manage it, the longer your network is exposed.
Is Managed Testing for You?
The case for Managed Testing
If you are an organization like the one described above, one that must test hundreds of assets each year, a managed penetration testing program may be the best fit for you.
If you have an organization with many assets to manage, frequent testing may seem daunting – but it may actually be the right choice for you.
Under a managed program, your testing provider can handle the pre- and post-testing tasks, including prioritizing which assets need testing and determining the timing and depth of testing. It will also make sure the proper credentials, VPN access and other needs are lined up before the tests begin, and it can oversee re-testing to ensure that patches were applied correctly and that compensating counter measures were implemented. Think of your provider as the quarterback of your testing team — it will be in charge of calling and running the plays that get the ball to the end zone and afterward, doing it all over again.
Once you have your initial setup work completed and your assets are organized, the process can be streamlined to be much more effective and efficient than it would be if you were to go with an ad hoc approach. Once your team has run through the program, they will be better at spotting and acting on new issues.
You may also want to consider managed testing if you are working to align with regulatory requirements and lack processes or a governance structure. A managed provider can collect key metrics on a monthly or quarterly basis, report to executives and auditors, and help your testing program address the required compliance and security objectives. The provider can also enter the findings into a governance, risk and compliance (GRC) system, track your progress, and even automate the process so that you do not have to manually enter in the findings of hundreds of reports.
Another factor to consider is if your organization needs to align with outside regulatory requirements. These may be frequently changing and updating protocols that need to be kept up-to-date on a quarterly or even a monthly basis. Maintaining compliance can be streamlined if the process is semi- or fully automated.
Is Ad Hoc Testing for You?
The case for Ad Hoc Testing
If you do have seasoned penetration testing experts on staff, an unmanaged, ad hoc approach may be best for you, depending on the number of tests you perform a year. An experienced, full-time, in-house resource should understand the penetration testing process and the pre- and post-housekeeping items that come along with it. That team can get the testers cleared, provide the appropriate credentials, define the rules of engagement, schedule tests and lead the remediation process.
If your security expert has experience with conducting and executing penetration tests and bug fixes, you may be able to employ an unmanaged, ad hoc testing program without the housekeeping issues mentioned above. Someone who is familiar with the process can also determine the best candidates for outside assistance for the job if they recognize that they don’t have all or the necessary requirements or skills to perform the test and implement the results.
While hiring internally may seem less expensive on the surface, it may not be the most effective choice if you don’t have all the right resources to plan, execute and follow up on the job.
Questions to Ask During the Penetration Testing Process
How to Get the Most from the Testing Process
If you are contemplating a managed testing program or an ad hoc program, ask yourself these questions:
- Do our in-house resources lack actual hands-on penetration testing experience?
- Does our team have the experience and resources needed to run the test effectively?
- Do we have too few resources dedicated to a testing program to do the job properly?
- Have we allowed for the time and resources needed to remediate any issues that arise?
- Do we have too many people spending too much time on our testing program?
- Or have we dedicated too much time and energy to your risk assessment program?
- Is it a headache to get all of the pre- and post-testing tasks completed?
- Are we testing hundreds of applications a year or just a few?
- Have we needed to delay testing projects because our ducks were not in a row?
- Are we spending too many hours manually entering test findings into our GRC system?
If the answer to any of these questions is “yes,” then you may want to consider a managed program. Testing is an ongoing process that requires continual time, resources and attention, but as many successful businesses know, it’s a worthwhile investment to keep threat actors from getting the best of your organization.
This may all seem like a daunting process and overkill, but the investment in cybersecurity is a small price to pay to avoid the damage to your business professionally and financially if you are hit with an attack. It is always better to be safe than sorry.
RidgeBot Automated Penetration Testing
RidgeBot is an intelligent risk-based vulnerability management bot that automates penetration testing, making it affordable, with the ability to run at larger scales. It is modeled with a collective knowledge of threats, vulnerabilities, and exploits and is equipped with state-of-the-art hacking techniques.
RidgeBot acts like a real attacker, relentlessly locating exploits and documenting their findings. It works within a defined scope and instantly replicates to address highly complex structures. RidgeBot gives security teams the flexibility to do both ad hoc or managed penetration testing.