There are many reasons that a company has a penetration test performed. Maybe it is due to regulatory compliance, like HIPAA, or maybe they just take security seriously. No matter what the reason is, you want to get the most from a penetration test. Any of you that have had a good penetration test done know that it is usually not cheap. If you are going to make the investment, make sure you get as much from the engagement as possible.
So what should you expect from a penetration test? Many people view a penetration test as an assessment that has a simple, direct goal in mind: How far into my network can you go? While this is absolutely a necessary part of the assessment, it is only a minor part. The point of determining how far an attacker can go is to help the target company (client) start to better understand the risk of the vulnerabilities they have.
Do you just want to know how far someone can get? What about the details of how they did it? What about information about what you can do to fix or decrease the risk of it? Did you think about analyzing how your defensive procedures work during the assessment?
Secure Ideas does a lot of security consulting and penetration testing for clients. The part of the job I enjoy the most is talking with the client about what is going on and how their systems are set up, and giving them good information to help build up their security program. Sure, it is great to get Domain Admin on a network, or pull millions of credit card numbers, but that isn’t the best part. Maybe it is the most exhilarating, I won’t deny that.
Communication during the engagement is the key to success. When done properly, the client will understand the weaknesses they have and have some ideas of what they can, or should, be doing to create a better security posture. Don’t expect to just get a report with details of how cool an attack was just pulled off. Expect that you will get useful information to help defend your systems and data. Expect that you will have a better understanding of the security controls that are implemented and how they can be adjusted to provide better protection or monitoring. Expect that you will have learned something from the experience that makes you more aware of the security risks and how you can mitigate them.
Different tests have different goals and not everything fits into the same mold. Understand your needs before you start an assessment and make sure that you are getting what you expect.
James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, @jardinesoftware or visit the Secure Ideas – Professionally Evil site for services provided.