When you hire a penetration testing company, you are essentially inviting professional hackers to examine your systems to look for any sensitive data. Any competent penetration tester will avoid any unnecessary risk during an engagement. Penetration testing companies handle a variety of sensitive data during the course of a regular engagement. This may include materials like:
- Credentials for test accounts including lists of users
- Detailed inventories of internal and external network ranges
- Infrastructure and architecture documentation, including:
  - IP addresses or DNS names
  - Firewall configurations
  - Endpoint protection configurations
  - Software and system versions and patch levels
- Payment card and company financial information
- Employee data, including employee remuneration details, disciplinary reports, tax information
- Personally identifiable information (PII) such as email, phone, name, address, SSN, orientation, etc.
- Protected Health Information (PHI) health records
- Source code or other trade secrets
- Other high-value data specific to the business
Accordingly, there is an implicit trust that the testers will not abuse this access through malice or negligence. There are three core principles that are fundamental to protecting test data: discretion, confidential transmission and storage, and a strict retention policy.
The testers make decisions about what data to access, and how to access it. Just because we are able to exploit a flaw to access data doesn’t mean it’s appropriate to download the information to a testing machine or local laptop. Taking a screenshot of a list of filenames, or of one or two records, often fulfills the evidence requirement for a test. Screenshots can also easily be redacted before being saved to disk. The tester’s judgement about what actually needs to be accessed to perform our duties is the first line of defense protecting the data. This discretion also extends to activities performed during the test. A tester should never knowingly weaken the general security of the systems being tested.
Transmission and Storage Methods
When a tester makes the decision to retrieve and store data, they apply appropriate judgement about how to achieve that in a way that doesn’t expose the customer to disproportionate risk. This means that appropriate encryption will be used to keep the data from being easily read during exfiltration. Authentication should be used on all data exfiltration. For example, a tester may pull database backups down to the local laptop to analyze them. In this case, we would use a Virtual Private Network (VPN) protected by multi-factor authentication, and use an encrypted secure shell (SSH) connection to download the data through the VPN tunnel.
The instant the data is written to disk, strong encryption should be used to protect it at rest. We ensure that at minimum the data is encrypted using AES-256.
Retention and Destruction Policy
An equally important part of the overall security strategy is ensuring that data is destroyed when it is no longer needed. The specific period of time will vary depending on the type of data. We typically retain the final report long-term, while test artifacts such as scan results and other client data are destroyed shortly after the report is finalized. Data stored on the tester’s machine is moved to an encrypted archive, which has an automatic cleanup policy to enforce our retention policy. Upon request, we also shorten the amount of time evidence is retained to meet a client’s operational or regulatory requirements.
A security consultancy’s goal throughout the entire penetration test is to improve the client’s security posture. This means ensuring that all testing data is responsibly handled.
We do this every day by exercising discretion with the data uncovered (as well as the names of our clients), responsible transmission and storage, and a strict retention and destruction policy.
Most consultancies will also implement more aggressive retention policies upon request. For example, if tasked with a project that is highly secretive in nature, a client may specify that all testing artifacts should be destroyed immediately upon acceptance of the final report.
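The automatic cleanup described under Retention and Destruction Policy, including the destroy-on-acceptance option in the paragraph above, could be enforced by a scheduled sweep such as the following. This is an added example, not the consultancy's own tooling; the artifact kinds, the 30-day period, the client names and the manifest layout are all assumptions.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed retention in days after report finalisation; None = keep long-term.
DEFAULT_RETENTION = {"report": None, "scan_results": 30, "client_data": 30}
# Assumed client override: 0 = destroy on acceptance of the final report.
CLIENT_OVERRIDES = {"client-b": {"scan_results": 0, "client_data": 0}}

def retention_days(client, kind):
    """Retention period for an artifact kind, or None for long-term."""
    override = CLIENT_OVERRIDES.get(client, {})
    if kind in override:
        return override[kind]
    # Unknown kinds fall back to the shortest default rather than "forever".
    shortest = min(d for d in DEFAULT_RETENTION.values() if d is not None)
    return DEFAULT_RETENTION.get(kind, shortest)

def expired(name, client, kind, finalized, now):
    """True once the report is finalised and the retention period has passed."""
    days = retention_days(client, kind)
    if finalized is None or days is None:  # open engagement, or keep long-term
        return False
    return now >= finalized + timedelta(days=days)

def sweep(archive_dir, manifest, now):
    """Delete expired artifacts from archive_dir; return the names purged."""
    purged = []
    for entry in manifest:
        path = os.path.join(archive_dir, entry[0])
        if expired(*entry, now):
            if os.path.exists(path):
                os.remove(path)  # unlink only; media sanitisation is separate
            purged.append(entry[0])
    return sorted(purged)

def demo():
    """Sweep a constructed manifest (name, client, kind, finalized)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    done = now - timedelta(days=45)
    manifest = [
        ("a-report.pdf", "client-a", "report", done),
        ("a-nmap.xml", "client-a", "scan_results", done),
        ("b-export.zip", "client-b", "client_data", now),
        ("c-db.bak", "client-c", "client_data", None),
    ]
    with tempfile.TemporaryDirectory() as archive:
        for name, *_ in manifest:
            open(os.path.join(archive, name), "wb").close()
        return sweep(archive, manifest, now), sorted(os.listdir(archive))
```

Calling `demo()` returns the purged names and the files left in the archive: the report and the open engagement's data stay, while the expired scan output and the destroy-on-acceptance client's data are removed.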