
Why You Shouldn’t Deal With Low Hanging Fruit Before a Penetration Test

The importance of not eliminating low-hanging fruit before a penetration test

By Shimon Brathwaite ・ 10 min read

What is low-hanging fruit?

Low-hanging fruit is a common term used to describe items that are easy to obtain. If you think of it literally, the most straightforward fruit to get from a tree is the fruit that is closest to the ground. Low-hanging fruit can be gathered without much effort compared to other fruits on the tree.

In the context of cybersecurity, many companies try to deal with security vulnerabilities that are low-hanging fruit before conducting their penetration test. There are several reasons a company may do this. Firstly, the security department may want the penetration testers to report fewer vulnerabilities, making it look like the department did a better job than if several vulnerabilities were discovered. Secondly, companies may not want to pay the penetration testers for extra work. They may therefore try to fix vulnerabilities in advance so that the testers find fewer issues and, consequently, the penetration test costs less. Thirdly, companies may want to ensure that penetration testers focus on finding vulnerabilities that the company isn't aware of. By getting rid of the low-hanging fruit, the company hopes the penetration testers will have to dive deeper and find hidden vulnerabilities. While many of these may seem like good reasons, we recommend that clients don't waste their time eliminating low-hanging fruit before a penetration test.

Once you decide that you will have a penetration test done, there are much better things that you can invest your time doing than trying to rush the resolution of security vulnerabilities before the test. In this article, we will highlight some of the main reasons why you shouldn't try to resolve low-hanging fruit before a penetration test.

Why you should NOT try to deal with low-hanging fruit before a Penetration Test

1- It's less time-effective

One of the main reasons you pay for a professional penetration test is so that you can rely on the testers' subject matter expertise in resolving security vulnerabilities. Suppose a vulnerability has been lingering in your organization. In that case, it's more time-effective to let the penetration testers you will be paying give you a remediation plan and to plan out all of the remediations at once. There's no need to rush remediation of low-hanging fruit and then go back once the test is complete to implement resolutions for the other issues they find. You're better off waiting until the test is done and implementing all solutions together. Spend the time before the penetration test working on other issues in your environment, because regardless of whether you try to resolve the low-hanging fruit or not, you will have a lot of solutions to implement following the test. Implementing all of these fixes at once is more time-effective.

2- Security is about risk, not the number of bugs: focus on what matters

Another reason you don't want to prioritize low-hanging fruit before a penetration test is that security is about risk management, not the number of bugs. Rather than dealing with the easiest issues, it's essential to focus on the problems with the highest priority, that is, the most significant risk. Before a penetration test, it's better to spend time identifying which IT assets are the most important to your business, so that the security researchers know which assets need the most protection and can focus their efforts on those areas. Low-priority items that are easy to fix can be resolved at any time. Rather than focusing on these low-impact items, find ways to focus on the more significant issues affecting your environment.

3- You don't try to get fit before going to a personal trainer

This is probably the best analogy for understanding why we recommend clients don't try to resolve their security vulnerabilities before a penetration test. Someone hires a personal trainer to get guidance and expertise on the best way to become fit. While you can work out independently, you will be more efficient and effective by working with a competent personal trainer and following their plan. The same thought process applies here. You are hiring a penetration tester to leverage their expertise in finding security weaknesses and providing recommendations on how to fix them. Remember, a good penetration tester doesn't just find and report vulnerabilities. They are also masters of finding ways for their clients to resolve vulnerabilities and achieve a secure state. You will be much more efficient in resolving security vulnerabilities if you wait for expert guidance.

4- How do you know which low-hanging fruit is worth fixing?

Another reason you don't want to start resolving issues before the penetration test is that you won't know where to start. There can be hundreds, if not thousands, of vulnerabilities in any given environment at any given time. Without proper guidance, knowing which low-hanging fruit is worth fixing and which issues should be prioritized over others can be challenging. Sometimes it's simply infeasible to address all the problems in your environment, and in some cases the issues may be false positives that don't need to be addressed at all. By waiting until the penetration test is conducted, you can be sure that you are only spending time on issues that actually need to be addressed, making the most efficient use of your time.

Things you should prepare before a Penetration Test

  • Understand your critical IT assets: Before the test, you need to know your most important IT assets. You need to ensure that these items are adequately protected, which is impossible if you don't know what they are.
  • Gather past penetration tests: Past penetration tests and vulnerability assessments can help penetration testers understand the common gaps in your environment. This helps ensure your organization isn't repeating mistakes of the past, and these reports should be made available to the testers before the test.
  • Know your compliance requirements: Some compliance frameworks explicitly require penetration testing, and for others a penetration test can help you understand whether you have the required security controls in place. You should identify these requirements beforehand to ensure that your organization is on the right track.
  • Schedule the test outside of business hours: You want to ensure that the testing won't negatively impact your business operations. Before the test, consult with your staff and find the best possible time to perform the penetration test to minimize the chance of business interruptions.
  • Inform IT staff: You don't want your IT staff to see the testers' activity and mistake it for real attacker activity. This can result in them blocking the testers' systems and interfering with the penetration test. Inform your IT staff about the test beforehand to ensure they don't interfere with the testers' activities.
  • Know your threat actors: Lastly, you want to understand the threat actors targeting companies similar to yours and the types of attacks they use. Check that the penetration testers will be using tactics similar to those of your real-world threat actors, so that you are well protected against the types of attacks you are likely to see in a real-world scenario.

Conclusion

Within cybersecurity, low-hanging fruit are vulnerabilities that are easy to detect and resolve. Many companies think that they should resolve low-hanging fruit before conducting a penetration test to look better as an organization or to make the penetration test more effective. However, for the reasons above, we don't recommend this approach. You are going to be far more efficient with your time and effective with your manpower if you wait until after the penetration test to perform your remediations. Remember the saying "You don't try to get fit before going to a personal trainer". Once you commit to hiring a professional, it's best to leverage that person's expertise to ensure that the work you are doing will be effective and the fastest way to reach your goal. By relying on your own insight alone, you run the risk of wasting time and money that could have been better spent on a more effective strategy.

About the author

Shimon Brathwaite
