Penetration Testing is a key element in mitigating an organisation's cyber risks. However, different organisations respond differently to penetration testers coming in to test their networks. In some circumstances we are greeted as a member of the team, whereas in other scenarios we are treated like auditors and provided with the minimum resources necessary.
Our job isn't to judge; we don't see network security weaknesses as a failure of your IT team, but rather as an opportunity to help enhance our clients' security and continue the fight against malicious individuals who seek to threaten businesses.
We understand that there are many variables which can account for security flaws: insufficient resources, security risks which are often accepted as part of a cost avoidance programme, and teams not being aware of potential security issues which fall outside their remit of expertise. Either way, network vulnerabilities are not a sign of professional failure, but almost always of insufficient resources to provide an ideal solution.
As with all departments, the IT team must do the best job possible within an allocated budget, whilst communicating the implications of those decisions to management. Sometimes this creates a scenario where the local IT team will be keen for our testers to report on vulnerabilities to highlight the risks they represent.
Conversely, some IT teams will allow the test to take place but do not offer any assistance, feeling that this emulates a real attacker. Unfortunately, our consultants are rarely afforded the time to fully simulate an attacker's methodology. Drawing on the intimate knowledge IT teams have of their systems expedites the process and ensures nothing is missed.
Regardless of how our testers are received, the outcome of the work is a summary of the discovered issues and risks.
One question our clients often ask is: if we can identify risks, why do we not fix them as part of the consultancy?
Unfortunately, although we can identify the risks, understand how the risk occurs and provide advice on remediation, we lack the familiarity with the product to effectively execute the required changes.
When a penetration tester has finished their engagement, it’s the local team who will implement the solutions which improve network security. For this reason, working together with the IT department ensures issues identified by the engagement can be resolved and the business benefits.
1. Brief your team
There’s nothing worse than getting blindsided by an external provider coming to review network security. Communicating the when, why and how will ensure all parties are ready to work together.
2. Listen to your IT team
Your IT team are on the ground and can provide in-depth knowledge about the systems and products in use. Work with your IT team when defining the scope for your penetration testing consultants; this will ensure the right areas are being reviewed.
3. Implement recommendations from your penetration tester
The vulnerabilities found during penetration testing offer malicious actors an opportunity to gain access to your network. Therefore, it’s important to take remedial actions as soon as possible.
4. Conduct penetration testing at least annually or after every significant change
Threats are constantly changing because attackers are always looking for new ways to gain access to a network. Much like getting an annual MOT on your car, a regular penetration test will keep your networks healthy.
Penetration Testing is an important element of mitigating your organisation’s cyber risk to ensure your systems and networks remain healthy. SES recommends performing Penetration testing every year and after each major version change or upgrade, to ensure any weaknesses are identified and can be remediated before they can be exploited. SES would also recommend performing regular Vulnerability Assessments in addition to Penetration Testing to regularly examine your systems for known vulnerabilities.
For more information on how our Penetration Testing services can help your business, please get in touch to speak to one of our specialists.
This article was originally published by our Cyber Partners PGI and can be found here. The article has been updated for the benefit of our clients.
© SES Secure Limited and ses-escrow.co.uk, 2020. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.