How to prepare for a Penetration Test
Our team of experts has compiled a list of useful tips for anyone considering a penetration test on their infrastructure.
Whether you’re on the technical team or are a decision-maker in charge of commissioning services, these four steps will help you prepare.
1. Define the scope of your work accurately
The scope of work for a penetration test refers to the list of infrastructure components that will be tested, including IP addresses, application URLs, workstations, etc.
A well-defined scope is the first step of a successful penetration test that enables us to audit your information systems effectively.
When preparing for a penetration test, a standard error is providing an extremely broad definition of the scope to be tested.
Several aspects should be taken into consideration when defining the scope, and the right questions should be asked, for example:
- Do I want to audit my external or internal (or other) infrastructure?
- When external infrastructures are in focus, which applications / services are hosted externally and which are hosted in the data centre(s) of the company?
- When considering the questions "What should I protect?" and "Which aspects of security are the most important to me?", some common areas of focus are:
Answering these typical questions will greatly help during the scope development process. In addition, these questions will allow the auditor to better target the tests to obtain highly relevant results for you.
Defining the scope of work also helps with selecting the right type of penetration test to conduct, such as VoIP penetration testing, Wi-Fi or web application testing, external penetration testing, internal penetration testing or mobile application testing.
If your budget is restricted, do not hesitate to postpone some tests to the following year, as this will give your teams the time and resources to focus on implementing the recommendations from the report of a completed test. An alternative solution is vulnerability scanning, which should be used only when it is necessary to cover a wide scope.
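To illustrate the "overly broad scope" mistake described above, here is a small scope sanity check added for this article (it is not a tool from the authors): it parses a constructed scope list of IP addresses, CIDR ranges and URLs, counts the hosts each entry covers and flags entries above an assumed per-entry threshold, as well as entries it cannot interpret.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample scope list (not taken from the article). Comments are allowed.
SAMPLE_SCOPE = """
# external perimeter
203.0.113.10
203.0.113.0/28
https://shop.example.com/
# probably a mistake: an entire /8 block in an external test scope
10.0.0.0/8
not a valid entry
"""

# Assumed threshold: entries covering more hosts than this are reported as too broad.
MAX_HOSTS_PER_ENTRY = 1024


def parse_scope(text):
    """Return (entries, invalid): entries carry the target, its kind and host count."""
    entries, invalid = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # single IP or CIDR range
            entries.append({"target": line, "kind": "network", "hosts": net.num_addresses})
            continue
        except ValueError:
            pass
        parsed = urlparse(line)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            entries.append({"target": line, "kind": "url", "hosts": 1})
        else:
            invalid.append(line)   # anything else needs a human to clarify it
    return entries, invalid


def check_scope(text, max_hosts=MAX_HOSTS_PER_ENTRY):
    """Summarise a scope list and flag entries that are too broad or unparseable."""
    entries, invalid = parse_scope(text)
    return {
        "entries": len(entries),
        "total_hosts": sum(e["hosts"] for e in entries),
        "too_broad": [e["target"] for e in entries if e["hosts"] > max_hosts],
        "invalid": invalid,
    }


if __name__ == "__main__":
    print(check_scope(SAMPLE_SCOPE))
```

Running the check on a draft scope before sending it to the provider makes a mis-typed range or an accidental /8 visible while it is still cheap to fix.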
2. Carry out a risk assessment
A risk assessment is the first step of a security evaluation and is the primary means of optimising security. If optimisation means doing the maximum in terms of security, it also means doing it with as few resources as possible. With the aim of attaining a high level of security and minimising costs, a risk assessment is therefore of utmost importance for all environments.
Risk assessment and management enable the identification of security objectives without resorting to technology. These security objectives aim to protect valuable assets (such as data or information stored, processed, shared, transmitted or extracted from an electronic medium) against threats that can lead to loss, inaccessibility, alteration or inappropriate disclosure.
Contrary to what some people might think, conducting a risk assessment procedure for a project that results in an action plan requires a relatively short amount of time. There are obviously variations depending on the extent and scope of the application, but a risk assessment often only takes a few days to carry out. The costs are therefore not excessive.
By focusing on a malicious threat, it is possible to identify the most critical resources that an attack could impact, as well as the vectors that can be used to reach those resources. These vectors will then be prioritised when defining the scope of work.
When a malicious threat is identified, one or several penetration scenarios can then be utilised to technically evaluate if an attacker is capable of compromising the identified resource.
3. Prepare the ground by correcting what can be corrected
Another typical situation that our teams frequently encounter takes place when we run an automated scan at the beginning or in the middle of the test, and we realise that critical vulnerabilities have been identified via this scan. These vulnerabilities allow control to be taken of the server(s) being tested with the help of a publicly available exploitation tool.
This can be problematic as these potential entry points can be used to carry out the penetration, requiring additional time from the auditor that could have been used in identifying and assessing more subtle aspects that cannot be identified by a scanner.
Therefore, it is good practice to carry out upstream checks in order to quickly correct what can be corrected ("quick wins"). Some examples of means of verification are as follows:
- Vulnerability scanning regarding the future scope of the test
- General verification of update/upgrade levels
- A concise review of all filtering rules in place
4. Define test conditions (timing, actors)
A final aspect to take into consideration when preparing for a penetration test is defining a suitable context.
Firstly, choose the right time to start the tests:
- Preferably slightly before the end of the year. Based on our experience, audit companies are very busy during the months of November and December and it is often advisable to book earlier in the year.
- In the case of a project that is in progress, the perfect time to carry out the tests is between the pre-production (finalised environment and development) and the public launch date, making it possible to carry out reliable tests that would not influence your potential customers.
- In the case of a project that is already in production, very busy periods (for commercial companies) or peak periods should be avoided (except when conducting security audits, as they do not affect availability).
Finally, the selection of actors plays a crucial role for the success of the tests.
Select a team alongside the audited entity that is composed of people who are familiar with the project or the information system. Generally, during the penetration testing, these people will rarely be called upon. However, their experience and availability are paramount in order to manage unforeseen events such as a lack of information, unreachable services and requests to exploit vulnerabilities.
The choice of pentest provider is obviously important. With an abundance of providers of penetration tests and security audits, you should always look into the certifications of the consultants that will be conducting your tests and audits, and look for evidence of their previous successes in providing this service.
The report is also an important factor in the decision-making process: always ask for an anonymous report or an exemplary standard report in order to get an idea on the level of detail covered by the provider.
In our following articles, we will present some examples of best practices and tips to apply following a penetration test or a security audit, particularly regarding the interpretation of the final report.