Avoid Penetration Testing Pitfalls

How to Avoid Common Penetration Testing Pitfalls

Guidance for Penetration Testing Buyers

There are many pitfalls and mistakes that organisations using, or considering using, penetration testing services can easily avoid. In the following blog article, we discuss ‘what not to do’ to ensure you receive the best penetration testing outcomes.

There are many common penetration testing pitfalls and mistakes that you can easily avoid by:

  1. Researching and selecting the right provider
  2. Having an information security mindset
  3. Not becoming complacent


1. Choose the right provider

Many pitfalls can be avoided by taking the time to research and select a solid provider.

Pitfalls relating to providers include:

  • Purchasing a penetration test that is a glorified vulnerability scan (you can run these yourself – for free!) and a report that is automated, contains many false positives and negatives and generic guidance.
  • Paying for a methodology that charges for testing areas that do not require testing. To ensure that you understand and receive a correctly scoped service, refer to our blog article How do you determine the scope of a penetration test? >>
  • The penetration tester does not have adequate security clearance – resulting in time lost while clearance is obtained.
  • Engaging a large provider who has a pricing model aimed at the needs of enterprise clients, resulting in potentially high costs.
  • Engaging your existing provider who is not a specialist in penetration testing, resulting in potentially higher costs and a poorer quality service than could have been achieved by engaging a provider that specialises in penetration testing.
  • Engaging a ‘quick and low cost’ service to achieve basic compliance. You get what you pay for – your organisation may just meet compliance standards but have received a service that is insufficient for its level of risk.

For the 9 characteristics of proficient penetration testing providers and the research you should do before engaging a provider, read our blog article How do you select a penetration testing provider? >>

2. Have an information security mindset

Having an information security mindset is important, not only for the IT security team and management team, but also every employee.

The following pitfalls reflect how not having an information security mindset can be dangerous for your organisation.

  • “Cybercriminals only target large, well known organisations, SMEs are off their radar.”
    This reveals a lack of understanding of the threats posed by automated cyberattacks, and of the risk to organisations that are suppliers to the target of a Business Email Compromise attack. If you need to convince your management team about the benefits of penetration testing, have them read our blog article on the ROI of Penetration Testing.
  • “There is no need for a pen test – the IT department can find any holes in our security.”
    Your penetration tester should be an external, neutral party. The person finding the issues should not be the person responsible for fixing them as there will be blind spots and assumptions that will skew the results. Penetration testing can help validate your IT department’s efforts.
  • “Security was taken care of when the provider installed the system.”
    A set-and-forget approach cannot apply to cybersecurity and information security management. Cybersecurity threats are continually evolving and have multiple points of attack; if your organisation does not keep pace with the level of threat, it is at increased risk.
  • “The security team don’t collaborate with the development team (and vice versa) and neither will partner with the pen testing team.”
    To effectively remediate security issues and prevent future issues, there needs to be collaboration between IT teams throughout any development and penetration testing process. Egos aside, a collaborative approach is essential to achieve ongoing security.
  • “This cybersecurity training/policy doesn’t apply to me.”
    Providing cybersecurity training for your employees is only effective if they complete it and demonstrate the learning outcomes. This especially applies to system administrators and other privileged account holders.
  • “It’s my cloud provider’s responsibility.”
    In the case of a breach, regardless of whether it is a cloud provider’s ‘fault’, it is ultimately your organisation’s responsibility to undertake due diligence to ensure the protection of critical data and customer information. You can request permission to conduct a penetration test on a cloud-based application. If your provider refuses, you can request a letter of attestation stating that they conduct regular penetration testing and have met the security requirements. If they will not provide a letter of attestation, find a provider that will. For more information about roles and responsibilities and the critical activities and controls you need to put in place to reduce risk and utilise cloud computing with confidence, watch our webinar Securing your Cloud Data: Practical Advice to Mitigate Risk >>

3. Avoid becoming complacent

It’s important not to become complacent. Achieving best-practice cybersecurity and information security management is an ongoing and evolving process.

  • “My organisation has done a penetration test, therefore it’s secure.”
    The purpose of a penetration test is to help identify vulnerabilities and suggest remediation. It’s up to you to implement the remediation and commit to maintaining security – such as adding ongoing cybersecurity and information security activities to your organisation’s security management program. And unless the scope was for an end-to-end penetration test, covering the entire attack surface, the test may have focused on targeted areas only.
  • “My organisation is compliant, therefore it’s secure.”
    If your organisation takes a proactive approach to cybersecurity and information security threats and employs measures to meet your organisation’s level of risk, it’s likely that it is well protected – and compliant. If, however, your approach is to just meet the basic requirements to achieve compliance, your organisation may be compliant yet at a high risk of compromise.
  • “My organisation has so much testing that the network is bulletproof.”
    Investing in protecting your IT technology assets is meaningless if you do not also recognise the potential risk from social engineering and phishing. Education must include not only the security team (system admins, database admins, developers) but all employees. Regular penetration testing that includes social engineering will help to identify and benchmark risk, and an ongoing phishing training program can provide your organisation with an ongoing, cost-effective solution.

We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers here >> In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.


Questions & More Information

Do you have a question about penetration testing? Contact Us today to speak to one of Shearwater’s certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.