8 common pen testing mistakes and how to avoid them

Penetration testing is vital, but are you doing it right? Here are some common mistakes and advice on how to avoid them.

CSO > breakthrough / penetration testing / sledgehammer breaking through a binary wall
Okea / Mapichai / Getty Images

One of the most effective ways to uncover flaws and weaknesses in your security posture is to have a third party carry out planned attacks on your system. Penetration testing is all about exposing gaps in your defenses so that they can be plugged before someone with malicious intent can take advantage. There are several different types of pen test designed to target different aspects of your organization.

From network infrastructure to applications to devices to employees, there are many potential avenues of attack for a criminal targeting your business. A good pen testing partner will approach the problem with an open mind and try to emulate a malicious hacker, probing for weaknesses, and trying various techniques and tools to breach your network.

While pen testing is widely accepted as a necessity, it must be planned properly and executed professionally. A lack of expertise or experience can lead to substandard pen testing which fails to reveal vulnerabilities and leaves you exposed.

Here are some common pitfalls and how to avoid them.

Failure to prioritize risks

One of the first things you do when trying to improve your security posture is establish a risk baseline. You identify where the biggest risks lie. This information must inform your pen testing goals. Penetration testing should have a target in mind, whether it’s customer data, intellectual property, or company financial data. Prioritizing risks helps you to focus your security efforts where they can add the most value.

Think of the worst possible scenario for your company and build your pen testing goals around that. It may prove easy to uncover lesser potential problems, and that can distract you from what’s really important.

Using the wrong tools

There are a multitude of penetration testing tools out there, but it takes considerable expertise to know what tools to use where and how to configure them correctly. If you think you can buy off-the-shelf pen testing tools and have internal IT run them, you’re in for a nasty shock. Unless you have an experienced red team in-house, you'll want to engage a third-party with real expertise.

Pen testers can be expensive, and you’ll likely hire them for a short period, so automation tools are worth considering. An automated pen-testing platform can be a good way to validate your defenses and give you some ongoing protection. Choose carefully and ask your third-party pen testing partners for advice.

Poor reporting

Understanding any vulnerabilities that have been discovered and their potential impact on the business can be difficult if your third-party pen testers don’t produce accessible reports. It’s crucial to have easily digestible information that explains what the problem is, what the potential consequences are if it’s not fixed, and exactly how to go about remediating.

Starting off without clear goals has a detrimental effect at the reporting stage because it can be hard to discern the truly critical breach vectors that threaten strategic assets. Good reports will filter out the noise and the false positives and highlight what matters to your business. Avoid third parties or automated tools that simply highlight thousands of vulnerabilities without any direction. You can’t boil the ocean, so make sure you get an actionable, prioritized plan with a defined set of vulnerabilities to remediate.

Ticking boxes

If your pen testers apply a box-ticking mentality to pen testing, then you’re going to miss things. While compliance is important, it’s not the sole reason you conduct penetration testing. Focusing on ticking off items can lull you into a false sense of security. Cybercriminals are not working from a checklist.

Disrupting the business

Plan the pen testing properly and consider the potential impact on vital business systems. Successful hackers often leverage real exploits without disrupting service and so should the pen testers you hire. Make sure it’s clear if tests are taking place in a production environment. Disruption is a greater risk in a black box scenario where the pen tester doesn’t have a picture of your infrastructure.

Using out of date techniques

Any pen testing plan that doesn’t evolve is soon going to become worthless. New techniques, new tools, and new vulnerabilities emerge all the time. You need to stay abreast of the latest happenings and continually update your approach. A good pen testing partner will fold the freshest hacking techniques into their strategy.

Infrequent pen testing

While annual pen testing may be common, it’s not going to provide you with much peace of mind. An infrequent test only gives you a snapshot of your defenses at the time the test is run. You need to be validating your defenses continually and retesting to ensure that exposed vulnerabilities have been properly remediated. This is another reason that automated pen testing platforms can work so well.

Failure to remediate

Make sure that someone has responsibility to act on the reports that your pen testing partner and automated tools produce. You must prioritize the issues found and set about addressing them in a timely fashion. Costly data theft is often the product of known vulnerabilities that companies have failed to deal with. Testing to ensure identified exploits have been properly sewn up should form part of your ongoing pen testing.

Poorly planned and executed pen testing is dangerous. You can’t afford to get complacent if you want to maintain a strong security posture.

Copyright © 2019 IDG Communications, Inc.

What is security's role in digital transformation?