For some, running a pen test is merely something to do to pass a compliance check for the year. However, there are many more benefits than just adhering to a precedent set out before you. If you do them correctly – correctly being the main emphasis here – you should already know the added benefits pen tests bring to maintaining a healthy security posture. If you feel you could improve even a little on this front, keep reading.
Today we are letting you in on a bit of a secret. Truly, these aren’t secrets, but they are some of the pitfalls companies face when they don’t make the most of their pen tests. Over the next two weeks we will uncover some of the horrible mistakes people have made with pen testing, how you can avoid them, and maybe how to change your own perception of these tests.
Horrible Mistake #1: Not setting goals.
When you hire someone to pen-test your systems, or even plan to do one yourself, there should always be a goal in mind. The intention could be that you need a pen-tester to find all of the ways they can reach sensitive data regarding your finances. Or maybe you want to confirm that they can’t find a way to reach that financial data at all. This is the time to be intentional about what you are hoping to uncover – or hoping cannot be uncovered.
Whether or not these goals are made known to the pen-tester is up to you, though. Goal-setting will serve you well when it comes to judging whether the changes made after the pen test were successful. As with anything, setting a goal, sticking to it, and being able to measure change and growth afterward will give you the validation you need to say confidently that you’ve reduced the number of vulnerabilities in your network.
Horrible Mistake #2: You aren’t following the data.
Now that you have all of this data from a pen-test, what are you going to do with it? Are you going to patch against the biggest vulnerabilities based on the goals you have for the company? Who’s the decision maker here?
Depending on the role of the person leading this pen test, there may be different motives for the next action. If it’s someone who works in Compliance, they may just check the box that says “we’ve completed our yearly pen test” and move on. Someone in Security Operations, on the other hand, may be grateful to have a list to act on – but might want more detail on how to prioritize it. If you’re stuck not knowing what the next action is, ask yourself, and your team, what you’re trying to protect. Then go from there.
This will look different for different companies – and that’s okay! Depending on what’s uncovered in your pen test, you’ll have to pick and choose which direction to take to address the risks at hand. Having a few fundamental questions to consistently ask yourself will help you decide where to start.
This is just the tip of the iceberg when it comes to the horrible mistakes found in pen-tests.