“What should I expect during my first penetration test?”
If you have developed a new working relationship with a cyber security firm, this is a question you’ve probably asked yourself a time or two. Having a penetration test is a crucial first step in protecting your organization from malicious cyber attacks. Unfortunately, with so many misconceptions about this topic, you may be unclear about what exactly a penetration test is and how it is performed. In this article, we will help dispel that confusion by addressing:
- The most common parts of a penetration test.
- What you can do to make your pen test run smoother.
- How you can maximize your test to produce more value for your organization.
The first step to protecting yourself and your business starts with a discovery call.
The Discovery Call
Before any firm can comprehensively examine your environment, they must first understand your technical infrastructure. Much like a surgeon needs access to your medical records and health history before surgery, your cyber security company will need more information about the technical underbelly of your organization. That way, they can get a clearer picture of the technical side of your operations and develop a penetration test plan that meets your goals.
Speaking of goals, it is imperative that you, as the customer, define the goals you are looking to achieve with a penetration test. What are the driving factors present that necessitate a penetration assessment? Having served a wide range of clients in both public and private sectors, Tandem Cyber Solutions has found a few common penetration test drivers, including:
- HIPAA Regulation
- SCIDSA Regulation
- New Company Acquisition
- New Security Program Implementation
- Proposal and contract requirements
Having clear-cut drivers on hand for your discovery call will help your cyber security firm understand the goals that you need to meet. Doing so will help your pen test be as effective as possible. Unclear drivers can affect how your consultant conducts their assessment and writes their resultant report.
During your discovery call, have an informed member of your team present to answer any technical infrastructure questions.
During your discovery call, you can expect to speak with your cyber security consultant about your operating systems, network layouts, and software. For easier, more efficient dialogue, we recommend having an informed member of your team present who can help answer technical questions about your company. Having such a person in place will help expedite your penetration testing and prevent the potential for miscommunication.
Note any finicky systems on the network to prevent potential headaches from system downtime.
As part of this initial discovery call, your cyber security expert will also note any potential tripwires or systems that need to be handled with extreme care. Older, less resilient systems are notoriously finicky and can cause a heap of headaches for both you and your consultant. However, with careful planning, specific testing times, and a knowledgeable staff member to connect with, you can avoid these frustrating pitfalls.
An experienced cyber security firm will also want to know about any systems in your company that drive revenue. These systems should be documented and handled with care so as not to impact your operations. After all, the job of a cyber security consultant is to prevent a catastrophe, not cause one. Don’t be afraid to speak up about protecting the systems that pay your bills.
The overall goal of your discovery call is to give your pentester a clear understanding of your environment. Doing this gives your consultant more time for testing, which allows you to get more value out of their services. At the end of the day, remember to be prepared, be proactive, and be ready to answer technical questions about your company’s systems and technical infrastructure.
After your discovery call ends, it’s time to give your cyber security firm legal authority to hack into your network. That may sound suspicious to uninformed ears. However, as you know, this stage is where the magic begins, and your company’s vulnerabilities are exposed.
No two contracts will ever be the same, but you can expect a few common sections:
- A statement that you are the owner of the equipment being tested.
- A statement that you give your cyber security consultant authorization to conduct tests.
- A list of activities that make up the assessment.
- Scope of Work – what are the targets?
- Rules of Engagement – how will testing be performed?
- Pricing and Payment Terms.
- Deliverables – testing report, Executive Summary, etc.
Every aspect of your paperwork and contracts is important. With that said, you should pay special attention to the following sections:
Penetration Test Scope of Work
When signing your paperwork, go over your Scope of Work with a fine-tooth comb. This section will let your consultants know which systems to test and not to test. Be sure to include every target that should be tested so that no key systems are missed. Being specific and forthright about the targets you need tested will save you time and money in the long run.
Penetration Test Permissions
Make sure you get permission for your consulting firm to test your desired targets. Without permission, your cyber security expert could face legal trouble. It’s not a bad idea to triple check this section to avoid legal issues. Nothing stops an in-depth penetration test quicker than legal action.
Penetration Test Rules of Engagement
Another area to pay special attention to is the Rules of Engagement section. This necessary paperwork will dictate how your testing will be performed and will vary from one pentesting consulting firm to the next. Common Rules of Engagement will include how you and your consultant will communicate, when you will communicate, and how your consultant will conduct testing.
Penetration Test Deliverables
In this section, you should specify in your contract what deliverables you need. For example, if you own a company and expect to sell it to an equity firm, you may only need an Executive Summary. If you must adhere to regulatory requirements, you may need a detailed report and an Executive Summary. The important takeaway here is that you list these deliverables in your contract. That way, your consulting firm knows precisely what to include in your report.
If everything is done correctly in the steps above, the testing phase should be easy, like Sunday morning. Depending on the terms in your contract, testing will last several days. At Tandem Cyber Solutions, our assessments range from 24 hours of testing to upwards of 80.
During the testing phase, your consultant will use tools such as network and vulnerability scanners to gather info about your environment. They should also exploit your systems. By manipulating your company’s systems, your consultants are mimicking real-world cyber threats. Actively exploiting your systems lets your consultant discover more vulnerabilities by viewing your network through different vantage points.
Tandem Cyber Solutions Pro Tip: Before testing commences, confirm with your consultant that they will actively exploit your systems. Unfortunately, some unprofessional cyber security firms will market a vulnerability scan as a penetration test. A vulnerability scan is only a small part of the penetration testing process.
During testing, your cyber security expert should document any attack paths discovered along the way. This includes not only the successful paths but also the partially successful attack chains.
Documentation should include:
- The techniques that your cyber security consulting firm used.
- The vulnerabilities that impact your security.
- Suggestions on how to remediate those vulnerabilities.
One of the last phases of an assessment is reporting. Expect the reporting process to last anywhere from two weeks to a month. Your report should be lengthy and consist of multiple sections like an Executive Summary, Summary of Findings, Detailed Findings, and Attack Chains.
A month-long turnaround time might sound extreme, but keep in mind the nature of these reports. A proper report should be anywhere from 30 pages to well over 100 and contain a wealth of information for your IT team. Your technical team will need this info to ensure all appropriate fixes are made. Add to that the fact that any worthwhile cyber security firm will have a peer and technical review process in place. That way, your report is returned error-free.
Your report will be long, but don’t feel like you need to read the whole thing. You can jump to the Executive Summary, which will provide highlights of how your company fared in its assessment. This section is often what the CEO, partners, and other key stakeholders need to see.
Delivery and Debriefing
The most important part of this process is getting the report to you, the customer, and discussing the results. A good consulting firm should take the time to explain the most important details to you based on the goals of the assessment.
By the end of the debriefing, you should have a clear idea of how your organization compares to others in the industry and what you need to do to improve. During this phase, it’s encouraged that you dive into any parts of interest. This is your environment, after all.
This last section isn’t always included in an assessment but is important if your goal is to increase overall security. Retesting is exactly what it sounds like – retesting your environment.
The main purpose of retesting is to examine your team’s remediation efforts. Your retest should be scheduled one to three months after the delivery of the report, once your IT team has had time to implement appropriate fixes.
Prevent. Protect. Prevail.
Data breaches have far-reaching consequences. They affect your company’s operations, compliance, and financial stability. The average cost of a data breach is $3.86 million – a scary statistic that shows just how sophisticated malicious hackers have become. These people are no longer just dorm-room pranksters looking for kicks. They are powerful and destructive. Thankfully, a comprehensive penetration test will help strip them of that power and put it back in your hands.
A famous man once said, “The way to get started is to quit talking and begin doing.” This quote rings especially true when it comes to protecting your networks, systems, and software. If you are worried about your organization’s weaknesses, the time to take action is now. Don’t let the bad guys exploit the gaps in your security – equip yourself with the critical insights needed to protect your most important assets.
At Tandem Cyber Solutions, our penetration tests in Charleston stop short of doing any real damage but push the envelope just enough to give you a clear picture of your vulnerabilities. That way, you are equipped with the knowledge to prevent future attacks.
Contact our office today at (843) 309-3058 to schedule your discovery call and take the first step to a more secure future.
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, and his passion for the cyber world is unparalleled, with exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cybersecurity, he volunteers to help entrepreneurs, veterans, and recent graduates.
Tandem Cyber Solutions