What to Expect After a Pen Test
Scott Worden*
So you and your company had a pen test…now what? What to do, how to plan, and good SQUIRREL! ways to stay on track.
The 3 Stages of the Penetration Test
[Figure: the three stages of the penetration test, shown from the side of The TESTER and the side of The TESTED]
Having the penetration tester reach your crown jewels, get root, own you, pwn you, own3d, 0wn3d, pwned, pooned or whatever phrasing you use is NOT a failure. The point of a penetration test is to find where you are vulnerable so you can improve. There is no failing a pen test, with two exceptions. If you artificially insert preventions or react differently to the pen tester, you fail. If the same fixable finding shows up on multiple pen tests, you fail.
Your Penetration Test Is Done, Now What?
What do you do now? If you had a pen test just to check a compliance box or to say that you had one, you are done. Bury that head deeper in the sand (even though, eventually, it has to and will come out the other side). If your pen test has no findings, well, did you have an actual pen test or a vulnerability assessment? Were the people who performed the pen test competent? Did you let them test realistically? If yes to all of that, then contact me; I have much to learn from you.
For the rest of us it is time to stop commiserating, put down the adult beverage and get to work. The following comes from my own experience, what I have seen and what has worked for me. It might not match with your scenario, the opinions of the company I work for, or of those with whom I work, but hopefully there are a few nuggets of wisdom you can extract.
Read That Report
Since the point of a pen test is to improve, the report needs to be actionable. Do you understand the findings? Can you recreate them? If not, contact the tester. They do not have to give you their secret sauce, there is a reason you pay them to do what they do, but they should be willing to share with you the basics so you can at least, partially, recreate the findings in your own environment.
Make That Plan
The next step is to develop plans. Most of you are probably doers and want to jump right to making changes. No issue with that, as long as you do not lose sight of the bigger goals: reacting to all the findings, improving security, and keeping systems usable. You might have a great idea of how to prevent a certain technique, only to have it also prevent the business from doing its job.
For findings you know how to mitigate, the plan is as simple as how to prevent (if possible) and detect. If you are not sure how to mitigate a finding, then the plan is to perform research on it to create a mitigation plan. Easy. Every finding should have a plan with a priority and, if possible, be assigned to someone with a due date. Do not stop at mitigating just one finding, thinking, “Well, since I blocked how they got in, we are good.” Any single prevention technique will eventually be bypassed by malicious actors, just as it is by pen testers. Finally, put the plans and tasks in <insert your work tracking mechanism here> so that you can track them to ensure they are done. Remember one of the ways to fail a pen test?
Made Plans, Time to Make Changes
Great, you have plans, time to start making changes…well, maybe not. Do you have time to work on them? Do you need resources from other teams? Is there business impact? You need buy-in from management, the people directly impacted, and the people who will implement the changes. What seems to work is presenting the pen test results. For management, that might just be the report. For more technical people, walk through what the pen tester did. Show the steps, and how easy it was for the pen tester to gather tokens, move around the environment, etc. This tends to make more sense to technical people than just a report. In the end, a demonstration is worth a thousand words. Some companies might be apprehensive about showing their flaws and vulnerabilities; i.e., they want to hide the findings in order to give the appearance of being more secure. To me, the benefits you get from demonstrating the findings to the people affected by them, or who can help you fix them, far outweigh the risk. It’s amazing how these types of presentations have garnered interest and backing where I work. The more people you get interested in improving the security of your company, the easier your job will be (or much, much harder).
You might not like presenting, few people do, but this is your chance to shine, get buy-in for the findings, and try to get people interested in security. You will be presenting about something you (should and hopefully) enjoy. You might be surprised and enjoy the experience. A word of caution, though: do not blow smoke. They will know. If you do not know something, say so, and get back to them.
Start Small to Go Big
Great, now you can start making changes…well, maybe not. There might be some plans that will require a lot of work and resources, or have a large impact on the business, causing management or other teams to balk at implementing them. One way to handle this is to break the plan up into smaller, more actionable tasks. Can’t change the length of all your passwords? What about just the critical ones (you do know which they are, correct?), IS, or just the Security Team (eat your own dog food!)? Trying to implement MFA? Same thing: start small, implement just for the critical scenarios, then build upon your success. With each successful implementation the hesitancy should decrease. Whatever you do, once you start, keep making progress; don’t let it drop.
Is That a Squirrel?!
Not letting things drop is imperative. I have found the security realm to be the worst when it comes to the squirrel effect. There is always another alert, the next super critical urgent task, the next creatively named malware, or new shiny tool. It is easy to let things you find less interesting slip and assume they will be handled by others. Step up, take ownership, and be the lead to getting these items mitigated to the extent you can. Can’t mitigate something? Detect it. Can’t detect it? Make sure you have visibility so you can hunt for it. Can’t get visibility? Make sure it is on a list to review in the future. We all know that things change in the security and computer world and a new method might be available in the near future.
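The planning rules from “Make That Plan” and the prevent/detect/visibility/review ladder above can be turned into a small tracker. This is an added example, not code from the post or from any tracking product; the finding keys, owners and dates are constructed, and the field names are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The ladder from the post: prevent it; if not, detect it; if not, get visibility; if not, park it for review.
LADDER = ("prevent", "detect", "visibility", "review")

@dataclass
class Finding:
    key: str                 # stable name for the technique, so repeats can be matched across tests
    title: str
    priority: int            # 1 = highest
    status: str              # one of LADDER, or "none" when no plan exists yet
    owner: str = ""
    due: Optional[date] = None
    done: bool = False

# Constructed sample data (hypothetical, not from any real report): last test's keys and this test's findings.
PREVIOUS_TEST = {"weak-passwords", "no-mfa-vpn"}
CURRENT_TEST = [
    Finding("weak-passwords", "8-char passwords cracked offline", 1, "prevent", "alice", date(2024, 3, 1), True),
    Finding("no-mfa-vpn", "VPN accepts password only", 1, "none"),
    Finding("token-reuse", "tokens harvested and reused", 2, "detect", "bob", date(2024, 2, 15)),
    Finding("legacy-smb", "SMBv1 enabled on file server", 3, "review", "carol"),
]

def repeat_findings(current, previous_keys):
    """The 'fail' condition from the post: a fixable finding that shows up again on the next test."""
    return sorted(f.key for f in current if f.key in previous_keys)

def unplanned(current):
    """Every finding needs a plan with an owner; flag those that still lack one."""
    return sorted(f.key for f in current if f.status not in LADDER or not f.owner)

def overdue(current, today):
    """Open tasks past their due date: the check against the squirrel effect."""
    return sorted(f.key for f in current if f.due and f.due < today and not f.done)

def work_queue(current):
    """Order open work by priority, then by how weak the planned response is (review before prevent)."""
    rank = {s: i for i, s in enumerate(LADDER)}
    open_items = [f for f in current if not f.done]
    return [f.key for f in sorted(open_items, key=lambda f: (f.priority, -rank.get(f.status, len(LADDER))))]

if __name__ == "__main__":
    print("repeat:", repeat_findings(CURRENT_TEST, PREVIOUS_TEST))
    print("unplanned:", unplanned(CURRENT_TEST))
    print("overdue:", overdue(CURRENT_TEST, date(2024, 3, 15)))
    print("queue:", work_queue(CURRENT_TEST))
```

Feed it the keys from each successive report and the repeat list is the one number you never want to see grow.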
You Got This!
A penetration test can be very frustrating and disheartening. Try to keep in mind the purpose: to improve and mature your overall security. To fulfill this purpose you must do your part by reacting and following through on all the findings. So, when you have your next pen test embrace the findings for the challenge they are and strive to defeat the pen testers next time. Just don’t roll a one.
______
*Scott is a guest blogger from an undisclosed company. He works as a Security Engineer somewhere in the Midwest and has his punch card almost full from attending BHIS webcasts.