Last week, in "Horrible Mistakes You're Making With Pen-Testing Pt. 1," we covered some of the not-so-secret mistakes people make with pen-tests, and we're continuing that theme today. There are more potential mistakes, and we want you to be aware of them so that your pen-tests succeed. Read on, and stay tuned to see just how many there actually are!
Horrible Mistake #3: Failing to Plan is Planning to Fail
If you know you have to run a pen-test, you must plan for it. This is not something you can decide on the spur of the moment and execute the same day. First, make sure you have someone equipped and qualified to pen-test your organization. Depending on your staffing and capabilities, that could be an internal team member or an external company or resource. Then think about who needs to know about the pen-test, and who should not know: the people who must approve it and handle incidents it triggers need to be briefed, while the wider staff generally should not be. A clear plan of attack for finding and fixing your vulnerabilities is what makes the test pay off in the long term.
Your pen-test should reflect normal operating conditions as closely as possible. Employees should work at their usual cadence rather than behaving differently because they suspect someone is watching. If they are not acting "normal," the pen-tester gets a picture of how your organization behaves when it is on alert, not how it behaves on an ordinary day, and the results will overstate your defenses.
Two questions help you build the plan while keeping the test as close to normal conditions as possible:
- Are there specific systems or areas of your network that need to be focused on related to your goals?
- Can you test these systems freely, or do some of them require special approval or testing only during specific windows?
Before beginning your pen-test, think through each step so that the company can operate as normal while you still execute your plan of action successfully. Write down the in-scope and excluded systems and the approved testing windows, and treat that document as the rules of engagement for everyone involved.
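The scope and window questions above can be turned into a mechanical pre-flight check. The following Python script is an added example and is not part of the original article; it assumes a constructed rules-of-engagement (ROE) document with in-scope CIDRs, explicit exclusions, and approved testing windows in UTC. The addresses and window times are illustrative assumptions. Exclusions are honoured before in-scope ranges (so a carve-out inside an approved subnet wins), and overnight windows that cross midnight are handled explicitly.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Constructed sample rules of engagement (ROE) for illustration only.
# In practice these values come from the signed scope agreement.
ROE = {
    "in_scope": ["10.10.0.0/16", "192.0.2.0/24"],
    # Exclusions override in-scope ranges, e.g. a fragile production subnet.
    "excluded": ["10.10.5.0/24", "192.0.2.10/32"],
    # Approved windows in UTC; weekday 0 = Monday ... 6 = Sunday.
    # A window whose end is earlier than its start runs overnight into the next day.
    "windows": [
        {"days": [0, 1, 2, 3, 4], "start": "22:00", "end": "06:00"},
        {"days": [5, 6], "start": "00:00", "end": "23:59"},
    ],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _nets(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(target: str, roe: dict = ROE) -> Decision:
    """Exclusions are checked first so a carve-out inside an in-scope range is honoured."""
    addr = ipaddress.ip_address(target)
    for net in _nets(roe["excluded"]):
        if addr in net:
            return Decision(False, f"{target} is explicitly excluded by {net}")
    for net in _nets(roe["in_scope"]):
        if addr in net:
            return Decision(True, f"{target} is in scope via {net}")
    return Decision(False, f"{target} is not in any in-scope range")


def _parse_hhmm(s: str) -> time:
    hh, mm = s.split(":")
    return time(int(hh), int(mm))


def check_window(when: datetime, roe: dict = ROE) -> Decision:
    """Require a timezone-aware datetime and compare in UTC so a local-time slip cannot widen the window."""
    if when.tzinfo is None:
        raise ValueError("testing time must be timezone-aware")
    utc = when.astimezone(timezone.utc)
    day, t = utc.weekday(), utc.time()
    for w in roe["windows"]:
        start, end = _parse_hhmm(w["start"]), _parse_hhmm(w["end"])
        days = set(w["days"])
        if start <= end:
            if day in days and start <= t <= end:
                return Decision(True, f"inside window {w['start']}-{w['end']} UTC")
        else:
            # Overnight window: the part after 'start' belongs to 'day',
            # the part before 'end' belongs to the following calendar day.
            if (day in days and t >= start) or ((day - 1) % 7 in days and t < end):
                return Decision(True, f"inside overnight window {w['start']}-{w['end']} UTC")
    return Decision(False, f"{utc:%A %H:%M} UTC is outside every approved window")


def preflight(target: str, when: datetime, roe: dict = ROE) -> Decision:
    """Combined go/no-go check to run before any scanner or exploit is pointed at a host."""
    scope = check_target(target, roe)
    if not scope.allowed:
        return scope
    window = check_window(when, roe)
    if not window.allowed:
        return window
    return Decision(True, f"{scope.reason}; {window.reason}")


def preflight_iso(target: str, iso_when: str, roe: dict = ROE) -> Decision:
    """Convenience wrapper taking an ISO 8601 timestamp with an explicit offset, e.g. '2024-01-10T02:00:00+00:00'."""
    return preflight(target, datetime.fromisoformat(iso_when), roe)


if __name__ == "__main__":
    when = datetime(2024, 1, 10, 2, 0, tzinfo=timezone.utc)  # Wednesday 02:00 UTC
    for host in ("10.10.1.7", "10.10.5.3", "198.51.100.4"):
        d = preflight(host, when)
        print("GO  " if d.allowed else "STOP", d.reason)
```

Wiring a check like this into the tester's tooling (for example, as a wrapper that refuses to launch a scan against a target that fails `preflight`) turns the written plan into something that is enforced rather than merely remembered. The naive-datetime rejection is deliberate: a tester in one time zone reading a window written in another is a common way to start testing outside the approved period.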
Horrible Mistake #4: Wanting a Vulnerability Assessment Instead of a Pen-Test
Wanting a vulnerability assessment is not the mistake; it is an important part of your security program. The mistake is expecting a pen-test to give you the results of a vulnerability assessment, or the other way around. Setting the right expectations for your security operations and goals is crucial to avoiding wasted time and resources.
Vulnerability scans identify which known vulnerabilities appear to exist in your environment and where they reside, typically by matching software versions and configurations against a database of known issues. They do not go deeper than that: a scan does not confirm that a flaw is actually exploitable, and version-based detection can flag software that has already been patched. What scan results do well is help you group and prioritize findings by severity and by asset. A pen-test validates whether those vulnerabilities are real and whether the conditions to exploit them exist, and it shows the attack paths a bad actor could chain together to reach the sensitive data in your environment, so remediation can be prioritized to cut off those paths. Depending on the insight you need, a pen-test tells you which remediation to start with, whereas a vulnerability scan tells you which type of pen-test to start with.
Paired together, the two give you an in-depth look at your organization's security posture and help you prioritize and tackle the most important vulnerabilities first. If you still need help distinguishing the two, read "When to Use a Pen-Test and When to Use a Vulnerability Scan."
Download the "Pen Test Report"
A comprehensive survey of more than 800 individuals on pen testing, focusing on the strengths, needs, and challenges of pen testing, and the role it plays across organizations.