What to Look for When Contemplating a Penetration Test for your Organization
Seeking Clarity
Having consulted for, and conducted penetration tests for multiple organizations, we have observed what is considered a penetration test varies greatly among security practitioners. We have seen many clients who were sold a vulnerability scan when they thought they were getting a penetration test. These clients were not receiving the full benefits of a comprehensive penetration test.
In-depth penetration tests deliver key insights and value. If the following key elements are missing from its execution and output, a penetration test is likely not living up to its name.
The Top 3 Differentiators
1. Open-Source Intelligence
A complete penetration test should include open-source intelligence (OSINT) efforts. Knowledgeable penetration testers can find sensitive data on the internet you didn’t know was publicly available. Here are some real-world examples of what we’ve found using these tactics. All examples were able to be exploited without prior knowledge or access to the environments:
- Over 30 gigabytes of PII in a single cloud storage instance
- Passwords for root access to banking machines, found in public PDF documents
- Credentials for production databases in public software repositories
- Valid Active Directory credentials found in data breaches alongside users’ personal email addresses
2. Active Directory Attacks
For organizations that rely on Active Directory, running a vulnerability scanner against Windows computers is not enough. When penetration tests don’t include Active Directory (AD) analysis and attacks, serious issues go unnoticed. Any one of the following vulnerabilities can help an attacker take over an entire AD domain:
- Accounts that can add themselves to the Domain Admins group at any time
- Accounts with easily guessable or “crackable” passwords
- Domain Admin credentials stolen after logging into a compromised computer
- File shares containing sensitive data, accessible to everyone on the network
3. Different Reports for Different Purposes
Technical teams, executives, and third parties may all need to know about the findings of a penetration test, but they all act on the findings in different ways. We have found that when penetration tests are delivered in different formats, tailored to their intended audience, the utilization of the information becomes optimized. While ease of use is important, simplification and limiting content is just as important to ensure usefulness. Some examples of tailored reports include:
- A main report full of detail for internal teams responsible for remediating findings (can even be split based on zones or applications)
- A data-centric report, optimized for opening tickets
- An executive summary to summarize the engagement for internal use
- An engagement summary useful for auditors and other third parties
Seiso is an information security consulting company based in Pittsburgh, PA. We focus on helping you build genuinely usable, evidence-based and audit-ready information security programs that drive the maturity of how you protect your business; and ultimately meeting your compliance obligations.
Download our whitepaper to see how we go about building security programs that operate in harmony with your business.