Congratulations! You’ve just completed a penetration test. So what now?
A pen test shouldn’t represent the pinnacle of your security efforts. Rather, the test validates what your organization is doing right and highlights areas for improvement.
Even if the test showed that it was possible to gain administrative access and move laterally through your network, this doesn’t mean you have “failed.” Rather, the purpose of a pen test is to find vulnerabilities so your organization can fix them before they are exploited and to advance the security of the network.
Take these four steps to maximize the effectiveness of pen testing:
Review and discuss the results
Develop a remediation plan
Focus on continuous improvement
Review and Discuss the Results
The retrospective process after a pen test varies depending on several factors: the company's needs, who completed the pen test, and the quality of the report.
A report should include these elements:
Summary of successful scenarios: An executive summary will list the steps that were performed, which ones were successful from an attacker point of view, and which ones failed.
List of information gathered: A comprehensive report will include any information that could be a security weakness, including hosts, applications, identities, email addresses, credentials, and misconfigurations.
List and description of vulnerabilities: Also look for a prioritized list of the found vulnerabilities with the common vulnerabilities and exposures (CVE) score and exploit potential. Ranking vulnerabilities by potential severity will help with the development of a remediation roadmap. By pairing with a vulnerability management solution, you can refine prioritization even further with additional analysis and relevant risk context.
Detailed description of procedures: A description and audit trail of all performed activities and their results will allow your security staff to retest for specific vulnerabilities after a patch has been applied or remediation performed.
Additionally, it’s critical that the C-suite knows what IT is doing to protect network infrastructure. An executive report outlining the high-level findings and remediation steps provides useful education and can help make the business case for necessary resources to move forward.
Develop a Remediation Plan
Although it may seem counterintuitive, resist the urge to start making changes immediately. Developing a remediation plan is an essential first step, as it allows you time to prioritize planned fixes and research any mitigation strategies you may not fully understand. Many pen test reports include a rating on how severe the finding is based on potential impact and likelihood of exploitation, which will help you establish priorities.
Every finding should have a plan with a priority and, if possible, be assigned to someone to remediate — with a due date. Those plans should be loaded into your security ticketing system so that you can track progress and completion of each task.
You want to avoid having the same critical vulnerabilities on multiple tests. If you aren’t keeping up with pen test findings and remediating them as soon as practical, you’re compromising your company’s cybersecurity posture.
Validate the Implementation
Once the findings from the pen test have been remediated, it’s time to validate that the changes actually solved the issue. You can rerun the scenario that uncovered the vulnerability to ensure the fix is sufficient. Additionally, performing regular penetration tests can provide updated information on your security posture, particularly after changes have been made to your infrastructure. If you are using a vulnerability management solution that provides risk-based scoring, you can rerun your scans to assess whether your scores have improved.
Before running subsequent pen tests, however, it’s helpful to review the scope and findings of previous pen tests. The scope of each pen test can vary widely, with some looking more broadly at the IT infrastructure and others focusing on particular problem areas. By taking into account whether additional or different tests should be completed, you can ensure that you’re getting the most valuable insights possible.
Focus on Continuous Improvement
Cybersecurity is a journey — not a destination. Your next pen test will likely uncover new vulnerabilities that require different types of remediation. If your pen testers return no findings, you should question the competence the efficacy of the test.
You also must recognize that some vulnerabilities will require larger-scale changes. If a vulnerability requires multi-factor authentication (MFA), for example, that’s a large project that will require capital spend and time to implement. Likewise, if your company is prone to phishing attacks, it will take time to implement a phishing solution to reduce your business risk.
While a passing grade on a pen test may help prove compliance to external auditors, pen tests provide even more value as agnostic assessments of your organization’s security posture.
A security team’s work is never done, so the focus should be on continuous improvement as you prepare for the next penetration test.