All CISOs know at least one story of a penetration test that went wrong. And many of them can share stories of penetration tests that went deeply wrong.
For this reason, it is a worthwhile exercise to take account of best practices in managing such engagements. This is important for modern enterprise security teams given the prominent role penetration testing plays in the typical risk management equation.
The following tips – presented as a Top Five Tip Countdown – are culled from penetration testing experiences in different settings, environments and sectors. Each tip is intended to help the security team optimize the value of the testing while also reducing the possibility that something might go wrong.
When you consider that penetration testing involves hacking your own assets, it becomes clear why proper management attention is so urgent.
Tip #5: Develop a close relationship with the penetration testing team.
Penetration testers are given special access to your systems and infrastructure, so they will necessarily obtain unique insight and understanding of your unique weaknesses. Developing a trusted relationship with test team personnel, especially external consultants, is an excellent way to minimize the risk of improper handling of this sensitive information and knowledge.
Tip #4: Stay involved in the details of any penetration testing process.
Black box ignorance of the details of penetration tests is a symptom of either negligence or insufficient technical backgrounds amongst the supervisory teams. Take the time to understand the tools, techniques, processes and findings of the penetration testing engagement, and you will find that your insights and ability to turn results into meaningful action will increase dramatically.
Tip #3: Develop clear boundary conditions for penetration testers.
The nature of penetration testing involves creative exploration in search of unexpected functionality or conditions in a target system. Unless testers understand clear boundaries (such as never to perform a denial of service attack on any production system), then the possibility arises that the testers might go too far. It is the responsibility of security managers to ensure that this does not happen.
Tip #2: Use penetration testing to show the presence of flaws.
A powerful technique to get the attention of business units or managers who refuse to acknowledge the importance of good security is to expose a vulnerability that ties directly back to their own systems or applications. When presented with clear evidence of vulnerability, many teams get security religion quickly, and the result can be smoother engagement on activity for which their cooperation is needed.
Tip #1: Never use penetration testing to demonstrate the absence of flaws.
Perhaps the worst mistake that managers of penetration test activity can make involves mistaking penetration test mitigation of a set of discovered flaws with the removal of all flaws. Penetration testing – like all testing – is great is showing the presence of errors, but is a terrible means for proving their absence. Never confuse fixes to some penetration test-obtained flaws with security. This is a rookie mistake to avoid at all costs.
About the Author: Dr. Edward G. Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of major organizations across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016. He was elected an AT&T Fellow in 2010.
Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-nine years, where he has introduced over three thousand graduate students to the topic of information security. He is also a Research Professor in the Computer Science Department at the NYU Tandon School of Engineering, and a Senior Advisor at the Applied Physics Laboratory at Johns Hopkins University. He is author of six books on cyber security, and dozens of major research and technical papers in peer-reviewed journals and conference proceedings.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.