Penetration testing is an undeniably effective way to improve an organization’s security, allowing cybersecurity professionals to safely validate the exploitability of security weaknesses before a malicious attacker does. Though threat actors are more persistent than ever, the good news is that more and more organizations have recognized this and want to begin their own penetration testing program in-house. With the advent of increasingly sophisticated penetration tools, organizations can build and grow their own successful penetration testing program.
What are the Most Important Penetration Testing Capabilities?
Unfortunately, experienced pen testers are getting increasingly hard to find. There is a massive cybersecurity skills gap, and it’s only getting bigger. According to the Center for Cyber Safety and Education, there may be at least 1.8 million unfilled cybersecurity positions by 2022. In fact, ISACA’s 2019 State of Cybersecurity Report states that 58% of organizations have unfilled cybersecurity positions, so a job posting for a senior tester to launch your penetration testing program may remain empty for months.
When it comes to pen testing, an effective way to work around and even help close the skills gap is by finding tools that can help your testers be more effective and efficient. Penetration testing is typically completed using a portfolio of tools that provide a variety of functionalities. Some are open source, while others are commercial. Some of these tools are the same as those used by threat actors, allowing for the exact replication of an attack. Others highlight the needs of an ethical hacker, allowing for a stronger emphasis on features that prioritize the end goal of validating security weaknesses without affecting production environments, and prioritizing remediation.
A robust commercial pen testing tool, like Core Impact, can guide the tester on techniques and methods, create audit logs, and provide reports that will aid in remediation efforts. Even if a cybersecurity or IT professional doesn’t have much experience with ethical hacking, they can still hit the ground running if they’re aided by effective tools that would allow an IT professional to learn and explore. When creating an in-house pen testing program, the following features should be prioritized:
As a new pen tester becomes familiar with testing procedures, it is critical that they learn to run tests safely. This means having a tool that provides guidance on not only what types of exploits and techniques to test with, but more importantly, on what not to test with in a production environment. Core Impact, for instance, has intuitive wizards which provide parameters and can ensure that new users don’t use techniques that could cause an issue in a production environment, while also providing guidance on available options that could be effective in their testing. Additionally, Core Impact agents are carefully tracked, and can be set to automatically expire, ensuring that doors into your IT environment aren’t inadvertently left open when a test is over.
Thorough training will not only get a new user familiar with the tool at hand, it will also set someone up for success in pen testing in general. The Core Impact Certified Professional (CICP) is included for all users and offers expert advice on multiple aspects of pen testing.
A good pen testing solution can serve as a centralized toolset, where different testers can gather information, exploit systems, and generate reports, all in one place. Core Impact supports collaboration: testers can run tests as a team and share a virtual testing workspace to take advantage of and learn from one another’s strengths.
Since pen testers often use multiple tools, having integrations can also minimize confusion. For example, Core Impact can import data from multiple vulnerability scanners, and allows you to incorporate the functionality of Metasploit, Burp Suite, and others, which can further improve the effectiveness and productivity of your teams.
These types of tools don’t just provide the ability to pen test, they provide the ability to pen test more efficiently. With a more intuitive experience, new pen testers can deploy tests with guidance that can help ensure success, automatically create audit logs, and build reports quickly.
5. Audit trails and reporting
Continuous logging and reporting may not matter to hackers, but it is a vital part of pen testing, as it provides an audit trail that details exactly what the testers did and, in some cases, proves what they didn’t do! Instead of relying on keeping your own detailed notes during the test and scraping screenshots, Core Impact automates this task. Reporting features also ensure that the results of these tests are readable by any invested party, tailoring reports for audiences depending on their level of interest and expertise. Reporting features may also be able to provide a list of areas to focus on for remediation by adding severity ratings to each weakness exposed.
As discussed in part one of this series, having in-house penetration testing capabilities can enhance an organization’s security stance by more rapidly finding and/or validating security weaknesses. The right tools can be the real foundation of your pen testing program by providing the guidance and support of the cybersecurity experts who built and developed them.