Three Challenges of Pen Testing

There is no arguing that a penetration test can be an invaluable exercise to evaluate the security of an IT infrastructure. Despite the necessity for these critical evaluations, many security teams struggle to maximize the effectiveness of pen tests in their organization. What are the top challenges that organizations are looking at today when facing an upcoming pen test? Read on to find out.

1. The Importance of Scope and Clear Rules of Engagement

While conducting a pen test is an involved process, some of the most critical work comes before testing ever begins. The scoping stage can determine the success of the entire process. With so many different things to test, as well as a variety of ways to test them, it’s difficult to limit yourself. So many options, as well as differing perspectives on what are the highest priorities, can result in scope creep. It’s easy to end up with a wide scope that tries to cover a little bit of everything. But a scope that is too broad may not end up producing as much valuable information, since pen testers typically won’t be able to do an in depth evaluation. 

When developing your scope, it’s helpful to consider not just your devices, applications, and networks, but overarching goals and priorities that you want from your pen test. You can also talk with the pen testers to help establish reasonable, firm parameters that will still provide valuable insights.

Rules should also be set around the more specific details of executing a pen test. You’ll want to be clear on not just what you want, but what you don’t want. Do you want an internal or external test? Is it permissible to handle sensitive data? Do you want to inform employees the test is going on? You don’t want to set off alarms unless that’s the goal of the test—which should be established well ahead of the test taking place. On what date and at what time will this occur? Establishing clear rules of engagement ensures that testing goes smoothly, without network disruptions or misunderstandings.

2. Working Around Resource Constraints

Though limited resources are a problem in many areas, cybersecurity faces an especially severe shortage in skilled workers. One of the top challenges in cybersecurity today, let alone pen testing, is finding people with the necessary skill sets to face these ever-growing threats. In fact, according to the Center for Strategic and International Studies (CSIO), the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015. Since the cybersecurity skills shortage clearly can’t be solved overnight, what can be done?

One approach is to focus on making the limited amount of skilled pen testers as productive as possible. This means ensuring that they are not wasting their time on mundane, repetitive tasks. Utilizing pen testing tools, like Core Impact, can automate these tasks, like collecting information about networks or hosts. Additionally, one of the most time-consuming aspects of pen testing is creating a final report. Testers often have to gather all of the data and manually compile the results. Using a tool like Core Impact keeps track of a pen testers activities and can auto generate reports, dramatically increasing efficiency.

Another approach, which can work well in tandem with the first, is to emphasize on the job training for new or junior pen testers. Even though they haven’t built up a robust skill set, they can still hit the ground running in several ways. Oftentimes, less experienced pen testers assist with more of the monotonous work to help free up the time of advanced pen testers. However, they can also help with more advanced tasks that improve their training. Pen testing tools, as mentioned earlier, can help speed up or automate some of the more tedious tasks. More complex work can be simplified through the use of GUI interfaces and wizards, so knowledge of command line isn’t necessary. Core Impact, for example,  has wizards for all their Rapid Penetration Tests (RPTs) for network and web applications. By streamlining the tasks of both advanced and junior testers, along with the assistance of tools, pen testing teams can not only get through a resource drought, they can even learn how to do more with less.

Not only this, the cybersecurity specialists that do exist are in a constant race against time. The longer malware lingers in your environment, the more damage it will do. The longer a security weakness is left unremedied, the more likely an attacker will exploit it.

3. Intelligent Advancements Without Shared Knowledge

The world of pen testing can be an interesting balance of open collaboration and closely guarded privacy. While different groups may engage in teaming exercises, or happily talk technique when they attend Black Hat, most pen testers are extremely reluctant when it comes to publishing information online, particularly details of how they’ve been successful in getting around defenses.

One reason for this is that pen testing teams may not want their methods known. There is no magic formula for pen testing—each environment is different and requires a combination of skills, tools, and creative thinking. Pen testers and pen testing teams discover and develop unique techniques and methods that they may prefer to keep quiet so they can have effective means of carrying out their assigned tasks. The dominant reason for not publishing information is that it creates a security hazard that can affect anybody with an internet connection. While pen testers are using the knowledge of how to evade barriers for the sake of improving security, there is no guarantee and whoever reads it is a pen tester and not a threat actor. These malicious parties would happily use this to get into a system and wreak havoc.

This leaves the challenge of how to stay up to date when pen testers can’t widely share information. Investing in enterprise pen testing tools like Core Impact can often provide a new knowledge base that is regularly updated with new tactics as well as exploits to take advantage of new vulnerabilities that have been published. Ultimately, it’s important to keep in mind that what works today, may not work tomorrow. Even if there were more outside sources, you would want to keep trying new techniques, innovating, and utilizing the latest resources in order to stay not just up to date, but hopefully one step ahead of attackers.