This is part 4 of 5 in the Managing Your Penetration Test Report Series
Most companies may have a general idea of their company’s security posture but it can be a shock to find out just how many deficiencies there truly are. However, it’s important to understand what a “bad” penetration test is. The whole purpose of a penetration test is to identify vulnerabilities that exist in your company that you weren’t aware of or didn’t fully understand. Therefore, it’s not a bad thing for a penetration test to come back with a large number of findings. What makes a penetration test truly bad is the following:
1) Having many false positives: Having multiple false positives related to identifying a vulnerability is a big negative. This can lead to a lot of wasted time as the client tries to validate or fix a vulnerability that doesn’t actually exist.
2) No remediation plan: Another bad outcome is to have a penetration test that finds vulnerabilities but doesn’t offer any suggestions on how you can fix the vulnerabilities and address the underlying cause. Finding the vulnerabilities is important but the overall goal is not just awareness, it’s about how to fix the vulnerabilities and eliminate the root cause to prevent issues from reoccuring later on. If a penetration test doesn’t give you that information then it should be considered a poor job.
However, what most people will regard as a devastating penetration test is one that simply discovers a ton of vulnerabilities. Despite the fact that it may not feel good to see a report showing a large amount of vulnerabilities, that is actually the sign of a strong penetration test because it shows you several ways that your company can improve. If you want to learn more about what factors make up a good or bad penetration test, read our blog.
The first thing you should do when receiving a penetration test is to investigate the issue and determine the root cause of the issue. Vulnerabilities that are misconfigurations can often be changed very easily while those that are more systemic need more time and attention. By making this distinction you make the next step much easier, prioritization.
When you receive your penetration report each vulnerability will be assigned a severity by the pentesters (critical, high, medium, low etc). However, it falls on the client to look at the affected resources and prioritizing the remediation of resources that are more important to the business. For example if you have two critical vulnerabilities, but one if your health-care critical triage app and the other is the events marketing page, then these two apps should have different levels of priority. Typically fixing resources is done in order of severity and then asset worth. So we generally recommend fixing all the criticals first, but doing so in the order of asset priority. Then work on highs, mediums, lows etc.
Once you have a plan on the order in which vulnerability should be remediated it’s time for you to start assigning resources to get the work done. It’s important to have someone uniquely responsible for the remediation of certain vulnerabilities so that they can be held accountable and ensure that it is completed on schedule. This doesn’t just mean informing the security team but you also need to factor in all the teams/people responsible for remediation, for example patch management, site reliability engineers and senior management. This is also a good time to re-evaluate your security posture. This can include developer training, or more frequent penetration tests to match your code releases in order to stay on top of vulnerabilities.
Once you have your resources organized the last thing to do is to implement the required changes. The best approach to this is typically to perform the change in a dev and uat environment before implementing it on a production environment. This is important so that you can ensure that the change works and doesn’t have any negative impact on the non-production systems before pushing it into production. This significantly reduces the risk of unexpected downtime and other potential issues.
Once you have implemented the changes, it’s important that you do a re-test. At the very least you want to do a test that checks for the old issues and ensure that they have been properly resolved. Not only does this verify that the fixes worked but it ensures that there are no easy bypasses that hackers can use to circumvent the fixes that you invested time and money into implementing. It’s important to schedule the retest well ahead of any internal or external deadlines. There is a good chance that there may be issues with the fixes that were implemented and it’s important that you give yourself enough time to fix the new issues after the retesting.
A devastating penetration test can be a good thing for your organization. It means that you have been made aware of the weaknesses in your business and it means that you now have a good roadmap for improving over time. A successful penetration test gives you a big picture view of your organization and it’s better that you are made aware of this before the attackers/hackers find them.
Here’s what to do when you receive your penetration testing report:
Engage the required stakeholders: You need to engage all of the important stakeholders in the organization whose support you will need to implement these changes. This includes patch management, developers, site reliability engineers, upper management etc.x
Establish a schedule: You should create a formal schedule that outlines exactly when the work will be done and by whom. This helps to ensure continuous progress and accountability for all aspects of the project and significantly improves the chances of success.
Retest: You should always do a retest with a professional pentester to ensure that the changes that you have made do indeed fix the vulnerabilities and that there are no workarounds for hackers to exploit. The retest is your only true confirmation that the vulnerability has been fixed and that you are in a more secure state than when you started.
If you’ve ever had a penetration test done and found out that your company has tens, hundreds or even thousands of vulnerabilities it can be a difficult pill to swallow. However, it’s also a great opportunity for your organization to evolve and grow into a more secure business. In order to make the most of a devastating penetration test report it’s important that you approach it in the right way. First, you need to understand that the whole purpose of a penetration test is to identify vulnerabilities in your organization and it’s better that you find out now than when someone hacks into your business. Then you need to leverage the information that you found in order to remediate these issues and ensure that your organization is in a stronger position than before. If you do this properly even a “bad” penetration test report can become a positive.