A successful penetration test usually involves a great deal of planning time. Time should also be invested in the post-test process. Going through the results of a pen test is an opportunity to discuss plans going forward and revisit your security posture overall. Treating a pen test as a hoop to jump through and simply checking it off a list as “done” won’t improve your security stance. It’s important to plan time for a post-mortem to disseminate, discuss, and fully understand the findings. With review and evaluation, pen test results can be turned into action items for immediate remediation and takeaways that will help shape larger security policies.
1. Review and Discuss the Pen Test Results
Pen testers often provide thorough reports with invaluable information that may take some time to get through. Typical reports consist of several elements. An executive summary gives a high-level view of the scope, the overall risk picture, and the most significant findings, written for non-technical readers; the steps the testers actually performed are usually described in a separate methodology or attack-narrative section. From there, different tests offer varying information, but generally there are details about the findings the pen testers gathered during the process. For example, a network pen test could outline what was found during the information gathering stage, as well as which network hosts were found and exploited. Results also usually include a master list of issues that need to be addressed, and at least a basic list of recommendations. Testers are often willing to answer questions, even after the test has been completed, and provide further insights and recommendations.
Whether you gather details from the final report or through further discussion, pen tests can be crucial for identifying and quantifying security risk. For example, a pen test might reveal successful infiltration through a social engineering attack. While this indicates that certain employees are susceptible to phishing, it may also reveal an authorization weakness. If an attacker can reach sensitive data using any employee’s credentials, regardless of that employee’s role, then identity governance (excessive privileges, missing segmentation) may be the real heart of the issue, and phishing awareness alone will not fix it.
Since pen test reports show how testers moved through and exploited your infrastructure, organizations can consider not only the initial findings but also do further analysis to get to the root cause. Finding out what the real risks are is a key part of remediation.
2. Develop a Remediation Plan and Validate Implementation with a Retest
A single pen test serves as a baseline. An integral part of a pen testing strategy is to retest regularly against that baseline to ensure improvements are made and security holes are closed. Pen test results often come with a hefty to-do list, which means it’s unlikely that every single weakness can be fully addressed right away. While every security weakness is a concern, some will be more dangerous than others. A pen test post-mortem should carefully consider how to prioritize what needs to be addressed.
Most reports rate the severity of each finding. A good rating reflects not just how easy the weakness is to exploit, but also the potential impact if it were exploited and the likelihood that an attacker would actually do so (many testers express this using a standard scheme such as CVSS). Beyond impact and likelihood, there are other factors to weigh when ordering the work: the time and resources needed to remediate, staff capabilities, and cost constraints. Two findings of equal severity are not equal if one takes an afternoon to fix and the other a quarter. Regular pen tests also supply updated information, which can change urgency. If a weakness that didn’t seem as threatening the first time emerges as a bigger problem upon reevaluation, for example because the testers were able to chain it with something else, priorities can be shifted accordingly.
Before scheduling the next pen test, it is helpful to review exactly what pen tests were run previously. The scope of each pen test varies, with some following fairly narrow guidelines, and others looking more broadly. By taking into account whether additional or different tests should be completed, you can ensure you’re getting the most valuable insights possible.
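The baseline-versus-retest comparison and the prioritization factors described above can be made concrete. The following is an added example written for this article, not a tool from the page or from any pen testing vendor: it diffs the findings of a baseline test against the retest, flags findings whose severity was raised on reevaluation, and orders the open work by severity, then risk (likelihood × impact), then remediation effort. The finding records are constructed sample data, the 1–5 likelihood and impact scale is an assumption, and the `effort_days` field is something your own team adds after the report arrives, not a value the tester supplies.

```python
"""Compare a baseline pen test with its retest and rank what is still open.

Added example for this article. All finding records below are constructed
sample data; the severity labels, the 1-5 likelihood/impact scale and the
remediation-effort figures are assumptions, not output of any real report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed severity scale; adjust to the labels your tester actually uses.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    id: str             # identifier the tester assigns; assumed stable between tests
    title: str
    severity: str       # tester's rating
    likelihood: int     # 1 (unlikely) .. 5 (near certain), assumed scale
    impact: int         # 1 (negligible) .. 5 (business-critical), assumed scale
    effort_days: float  # your team's own remediation estimate, added post-report


def risk_score(f: Finding) -> int:
    """Likelihood x impact; used to order findings inside one severity band."""
    return f.likelihood * f.impact


def compare_with_retest(baseline: Iterable[Finding], retest: Iterable[Finding]) -> Dict[str, List[str]]:
    """Split finding IDs into closed (fixed), persisting (still open) and new (first seen on retest)."""
    base = {f.id: f for f in baseline}
    after = {f.id: f for f in retest}
    return {
        "closed": sorted(base.keys() - after.keys()),
        "persisting": sorted(base.keys() & after.keys()),
        "new": sorted(after.keys() - base.keys()),
    }


def escalated(baseline: Iterable[Finding], retest: Iterable[Finding]) -> List[str]:
    """IDs whose severity was rated higher on the retest than at baseline."""
    base = {f.id: f for f in baseline}
    return sorted(
        f.id for f in retest
        if f.id in base
        and SEVERITY_RANK[f.severity.lower()] > SEVERITY_RANK[base[f.id].severity.lower()]
    )


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Work order: highest severity first, then highest risk score, then cheapest to fix."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f.severity.lower()], -risk_score(f), f.effort_days),
    )


# Constructed sample data: two tests of the same fictional internal network.
BASELINE = [
    Finding("F-001", "Phishing yielded domain user credentials", "high", 4, 4, 5.0),
    Finding("F-002", "Default credentials on printer admin page", "medium", 3, 2, 0.5),
    Finding("F-003", "SMB signing not required on file servers", "medium", 3, 3, 2.0),
    Finding("F-004", "Outdated TLS configuration on intranet portal", "low", 2, 2, 1.0),
]
RETEST = [
    Finding("F-001", "Phishing yielded domain user credentials", "high", 4, 4, 5.0),
    # Re-rated: on the retest the testers relayed captured credentials via SMB.
    Finding("F-003", "SMB signing not required on file servers", "high", 4, 4, 2.0),
    Finding("F-005", "Internal wiki page exposes service account token", "critical", 5, 5, 1.0),
]


def remediation_report(baseline: Iterable[Finding], retest: Iterable[Finding]) -> List[str]:
    """Plain-text lines summarising what changed since baseline and what to work on next."""
    baseline, retest = list(baseline), list(retest)
    diff = compare_with_retest(baseline, retest)
    lines = [
        "closed: " + (", ".join(diff["closed"]) or "none"),
        "persisting: " + (", ".join(diff["persisting"]) or "none"),
        "new: " + (", ".join(diff["new"]) or "none"),
        "escalated: " + (", ".join(escalated(baseline, retest)) or "none"),
        "work queue:",
    ]
    for f in prioritize(retest):
        lines.append(f"  {f.id} [{f.severity}] risk={risk_score(f)} effort={f.effort_days}d  {f.title}")
    return lines


if __name__ == "__main__":
    print("\n".join(remediation_report(BASELINE, RETEST)))
```

The tie-break on `effort_days` is the point of the exercise: F-001 and F-003 carry the same severity and risk score on the retest, but the SMB signing fix is a configuration change while the phishing finding needs training and identity work, so the cheaper fix goes first. Keying everything on the tester's finding ID only works if the tester keeps IDs stable between engagements; if they do not, map the findings yourself before running the comparison.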
3. Incorporate Findings into Your Long-Term Security Strategy
As mentioned above, pen tests often reveal the root causes of security weaknesses. Fixes for these larger issues may affect your general security strategy. For example, an abundance of weak passwords may call for an overhaul of the password policy, together with renewed awareness training for employees. Results may reveal a need for third-party security audits to ensure that your vendors aren’t introducing unnecessary risk. You may even want to review your security tool portfolio to see whether it needs to be expanded or whether some solutions should be reconsidered.
Finally, continue to put your organization to the test on a regular basis. Pen testing should be conducted frequently to ensure you’re continuously reducing your cyber risk exposure. The goal of pen testing shouldn’t be to earn a passing grade, as there are no trophies for “fewest weaknesses.” Ultimately, these tests are done for the benefit of an organization, and the best reward is knowing your environment is becoming more and more secure.