Running a first (or even your 100th) pentest can be a daunting experience. This penetration testing best practices checklist is here to help you prepare and run an effective pentest. Each item is tagged with the phase it belongs to: Before, During or After the test.
Define the pentesting scope (Before)
Your resources are most probably limited, whether in time, budget or expertise, so define the scope of the pentests you want to perform. Based on the threat list or risk map you drew up earlier, determine the areas where an exploited vulnerability would hit your business most, directly or indirectly (e.g. loss of revenue if the web application is down, damage to your reputation following theft of user data).
Determine a budget (Before)
There is the $50 "script-kiddie" on Fiverr and there is the hundred-thousand-dollar pentest. Your budget is an important discriminating factor and it has to be aligned with your objectives and the value of your assets. In the end you get what you pay for (in most cases). If you want to find critical vulnerabilities in a very complex architecture, or to reassure your customers with a big-name firm's seal of approval on your security practices, you will need to pay the price.
Enumerate likely threats (Before)
If the goal of your pentest is to uncover vulnerabilities, start with a risk assessment of your business. You don't need to be a security expert to do this. Just think about where you can be hurt the most. Are you collecting sensitive data? Are you running legacy applications? And so on.
Freeze deployments in the pentest environment (During)
The value of a pentest is that it tests the system as a whole, not its individual components. Pentests uncover vulnerabilities within a context. If you change that context by deploying patches or new packages or by changing hardware, the results may no longer be valid. Unless you need to fix a critical customer bug, refrain from any release for the duration of the pentest. The security auditors work to a time limit, unlike most attackers, and have to prioritize to get results. If you fix the issues they are exploiting while they work, you waste their time, and thus your money.
Know your pentests (Before)
Internal pentest vs. external pentest. Security audit vs. vulnerability assessment vs. penetration test vs. private bug bounty, and so on. The wording can quickly become confusing. Make sure you know the different terms and use them properly so that you get what you actually want.
Launch scanners beforehand (Before)
Pentests will reveal the ugly truth about your systems and applications. But if you already know some of your vulnerabilities and basic issues, take the time to run scanners and fix them first, instead of spending valuable pentesting time and energy on what you already know, or could know, from automated tools. Pay the testers for what a scanner cannot find.
Notify your hosting provider (Before)
Find out which tests your hosting or cloud provider allows. Some require advance notice, and most forbid certain test types (denial of service, for instance) regardless of authorization. Request the appropriate authorizations before the tests start and keep the approval with your rules of engagement.
Prepare the pentest environment (Before)
Pentests can and should be conducted on the production environment, but certain limits should be set for the testing team, the most obvious being never to run DoS attacks or fuzzing against production. If testing cannot be performed on production, set up an environment that mirrors it as closely as possible (same versions, configuration and data shape) and create user accounts for the pentesters according to the agreed testing style. If the tests must run on production directly, schedule them so as to avoid slowing the network response time for the company and your customers.
Review the organization's security policy (Before)
As regulations get more stringent, make sure the test itself complies with your security policies and applicable regulations, especially when it comes to handling sensitive data: testers working on production will see real customer data, so the access you grant them must follow the same rules as any other access.
Why are you even doing a pentest? (Before)
The first question to answer is what the goals of the penetration test are. Penetration tests take several forms and solve different problems (improving security, ensuring compliance, making some customers happy, etc.). Be clear on the objectives; a pentest might not even be the right solution to your problem. Aligning outcomes with objectives is key to a successful pentest.
Define the pentest methodology (Before)
Based on your target environment and objectives, define the testing style and the access the testers get: no access or prior knowledge (black box) to simulate an external attacker, full access (white box) to simulate an insider, or something in between. If you rely on external testers, ask what their methodology is and check that it meets your objectives. If you pentest internally, make sure the work is aligned with recognized security testing frameworks and consists mainly of advanced manual testing rather than only automated scans.
Define the pentest report format (Before)
Get a sample report to familiarize yourself with its content and make sure the metrics and content cover your objectives and areas of interest. If you have a risk management system and want to integrate the findings into it, ask the pentesting company for a CSV or XML export in addition to the PDF report they will deliver.
Do not forget to clean up the pentesting environment (After)
The auditors should clean up the tested environment. This typically includes removing rootkits, backdoors, executables and scripts, as well as any temporary files they created. The user accounts created for the pentesters should be removed as well. If data was modified or deleted, or settings were changed, everything should be restored to its original state. Ask for a list of what they created or changed so you can verify the cleanup rather than take it on trust.
Find the right pentesters for the job (Before)
Good pentesters are best found through recommendation. Ask your friends, colleagues, investors or the security community for recommendations, and make sure the suggestions fit your objectives. Hiring pentesters without a strong recommendation and reputation is probably a no-go. Also make sure you have the right experts for your target domains: if you want to pentest your network, you need a pentester who specializes in that field. An expert will know how the systems are built and where their common weaknesses are.
Schedule the next pentest (After)
As your systems evolve quickly, the penetration test findings will soon be outdated and new vulnerabilities introduced. Some companies perform penetration tests regularly, such as once a year. Work out whether pentests are the right tool for your needs and how often you need to run them (depending on your release frequency, hardware and network upgrades, etc.).
The more trustworthy the pentest company, the more your clients will trust you (Before)
Pentests are tools to uncover vulnerabilities, but they also reassure your clients. So if you are going the extra mile to hire a pentester, you might as well get a good one. Remember that you mostly get what you pay for: hire cheap and you will most probably get sloppy work. Check the pentesters' credentials and talk to previous clients if possible.
Closely monitor your exception-tracking tools (During)
Ask your team to pay extra attention to exception management and error handling systems, as they provide valuable information on the impact of the pentest. Keep the team up to date on the current pentests so they can tell whether errors come from normal user activity or from the tests.
Implement a logging solution (Before)
Logs are the most precious asset for monitoring the environment and investigating suspicious activity or a breach. If you don't already have a logging solution, a centralised log platform lets you make the most of analytics and gives you a view across all layers (applications, network, users, etc.). It will also record the pentest's activity and its impact on your systems and applications, which you will need afterwards.
Implement a security monitoring solution (Before)
Security monitoring solutions are part of your security arsenal and should be in place before you embark on the pentest. The pentesters will also be interested in knowing how far they can go before being detected, by an Intrusion Detection System (IDS) for example. You can use tools like Sqreen to prevent data breaches, protect your customers, stop business logic attacks and get visibility on your security.
Monitor your security monitoring tools (During)
Your security monitoring tools should pick up the pentest activity. However, real attacks may be occurring at the same time. Keep your team up to date on the pentests being performed, and agree with the testers on their source IP addresses and the testing window, so the team can tell the test apart from a genuine attack.
Check your team members' attitude (During)
Pentests are not light exercises; they should be taken seriously, so make sure your team is aware of their importance. But also make sure the team is not unnecessarily stressed by them or taking the results as a bad reflection on their work, and is instead open to the improvement recommendations.
Communicate with your manager (During)
Cybersecurity is increasingly taking center stage within companies as they become aware of its serious impact on the business. Consequently, security tests are often a big deal all the way up to the CEO and the board, who follow the project and wait for the results. Without being technical, be transparent and report regularly on progress so that they are not surprised by the final report. Identify beforehand a few key indicators you can report on consistently, so that board members can follow the trend from one presentation to the next.
Communicate with your team (Before)
Tell your team a security test is going to be performed. You may gamify this and see how long they take to notice the pentest has started. Communicate the end date of the test as well. Also set up a communication channel between the pentesters and your team (yourself included) so that communication during the pentest goes smoothly and information does not get lost in translation.
Make sure you are available (During)
Pentesters will have questions during the tests, and will need to discuss with you the leads they are pursuing. Appoint a single point of contact within your team and make yourself available for the critical questions. You should schedule regular quick meetings to understand their progress (if they are lost or steadily advancing). They have limited time and to make the most out of this pentest, you should help them.
Allocate resources to fix vulnerabilities (After)
You will probably want to assign a dedicated task force to tackle the vulnerabilities uncovered. Make sure to allocate sufficient time and the appropriate expertise for this. Use Sqreen to get a stack trace for the identified vulnerabilities and speed up the remediation cycle.
Do not patch vulnerabilities during the tests (During)
Ask the pentesters to inform you of the most critical vulnerabilities as they find them, but don't patch them right away, as you would be modifying the pentest environment. Use the time instead to define a fix and schedule it to roll out as soon as the pentest is over and the results are understood. (A vulnerability you find being exploited by someone other than the testers is an incident, not a finding, and your incident response process takes precedence.)
Ensure you have an uncorrupted backup of your data and system configuration (Before)
There is a risk that the pentest knocks down your systems and deletes or modifies your data, as a real attack would, so make sure you have backups ready should this happen. No professional pentester can guarantee zero risk of system failure or data deletion or modification, especially when testing takes place in production. Take the backup before the test starts, and check that you can actually restore from it.
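"Uncorrupted" is something you can check rather than hope for. The example below, added here and not part of the original checklist, records a SHA-256 manifest of a configuration tree before the test and compares the tree against it afterwards, so both a damaged backup and a cleanup that missed something (a changed setting, a deleted file, a leftover account file) show up explicitly. The directory layout, file names and tampering steps are a constructed scenario built in a temporary directory; nothing here is from a real system.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the tree under root against a manifest taken earlier.

    Returns 'modified', 'missing' and 'added' lists; all three empty means the
    tree is byte-for-byte what it was when the manifest was written."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a small config tree, tamper with it, verify.

    Returns (result before tampering, result after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("debug = false\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")

        # Serialize the manifest as you would to store it off-host; a manifest
        # kept next to the data can be rewritten by whoever changes the data.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True, indent=2)
        manifest = json.loads(manifest_json)
        clean = verify_manifest(root, manifest)

        # Simulate what a test (or an attacker) might leave behind: a changed
        # setting, a deleted file and an extra account file.
        (root / "etc" / "app.conf").write_text("debug = true\n")
        (root / "etc" / "users.txt").unlink()
        (root / "etc" / "pentester.txt").write_text("eve\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before:", clean)
    print("after: ", tampered)
```

Keep the manifest (and ideally a signature over it) somewhere the tested environment cannot write to; a hash list sitting next to the data it protects can be rewritten along with the data. The manifest tells you the bytes are intact, not that the backup is usable: rehearse an actual restore before the engagement starts.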
Make sense of the pentest report (After)
Once you receive the pentest report, share the technical version promptly with your team. If you have trouble understanding it, call the security auditors, and don't hesitate to request a clarification meeting if you still have trouble (that's OK: they are security auditors, not professional writers!). Make sure the report is understood by your team. If it isn't by everyone, organize a session to reproduce the issues with the team (at Sqreen we call it hack nights, and it comes with beer and pizza).
Make sure you were alerted about the critical attacks during the pentest (After)
Go through the report to make sure you were informed of all the critical attacks performed during the tests and what their impact was. These attacks may have uncovered critical vulnerabilities, but they could also have affected your system and modified or deleted your data.
Prioritize the report findings (After)
The auditors will sort the vulnerabilities by technical severity. Review that prioritization to make sure it also reflects the direct and indirect business impact: a medium-severity flaw in your payment flow may matter more than a high-severity one on an internal wiki. You can use Sqreen to easily differentiate between real vulnerabilities and false positives.
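This is where the CSV export asked for under "Define the pentest report format" pays off. The following example, added here and not code from the original post, reads a findings export and re-ranks it by technical severity multiplied by the business criticality of the affected asset, then reports which findings moved relative to the testers' own order. The CSV columns, the severity weights, the asset inventory and the five findings are all constructed for illustration; adapt the weights and inventory to your own risk register.

```python
import csv
import io
from dataclasses import dataclass

# Weight for the technical severity the testers assign. These weights are an
# assumption for this example, not a standard.
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Business criticality of each asset, 1 (low) to 3 (high), as the owner of the
# risk register would rate it. Hypothetical inventory.
ASSET_CRITICALITY = {
    "payments-api": 3,
    "customer-db": 3,
    "marketing-site": 2,
    "internal-wiki": 1,
}

# Constructed sample of a CSV export; not a real pentest report.
SAMPLE_FINDINGS_CSV = """\
id,title,asset,severity,cvss
F-1,Reflected XSS in search,marketing-site,Medium,6.1
F-2,Outdated jQuery,internal-wiki,High,7.5
F-3,IDOR on /invoices/{id},payments-api,Medium,6.5
F-4,Verbose stack trace,payments-api,Low,3.7
F-5,SQL injection in login,customer-db,Critical,9.8
"""


@dataclass
class Finding:
    id: str
    title: str
    asset: str
    severity: str
    cvss: float
    business_score: int


def load_findings(csv_text, asset_criticality=ASSET_CRITICALITY, default_criticality=2):
    """Parse the export and attach business_score = severity weight x asset criticality.

    Assets missing from the inventory get default_criticality so an unregistered
    host is not silently ranked at zero."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = SEVERITY_WEIGHT.get(row["severity"], 0)
        crit = asset_criticality.get(row["asset"], default_criticality)
        findings.append(Finding(
            id=row["id"], title=row["title"], asset=row["asset"],
            severity=row["severity"], cvss=float(row["cvss"]),
            business_score=sev * crit,
        ))
    return findings


def technical_order(findings):
    """The order the report itself suggests: severity, then CVSS."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_WEIGHT.get(f.severity, 0), f.cvss),
                  reverse=True)


def business_order(findings):
    """Re-rank by business score; ties fall back to severity, then CVSS."""
    return sorted(findings,
                  key=lambda f: (f.business_score, SEVERITY_WEIGHT.get(f.severity, 0), f.cvss),
                  reverse=True)


def rank_changes(findings):
    """Map finding id -> (technical rank, business rank) for findings that moved."""
    tech = {f.id: i + 1 for i, f in enumerate(technical_order(findings))}
    biz = {f.id: i + 1 for i, f in enumerate(business_order(findings))}
    return {fid: (tech[fid], biz[fid]) for fid in tech if tech[fid] != biz[fid]}


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS_CSV)
    for rank, f in enumerate(business_order(findings), 1):
        print(f"{rank}. {f.id} {f.severity:<8} {f.asset:<15} score={f.business_score:<3} {f.title}")
    print("moved:", rank_changes(findings))
```

With the sample data the outdated jQuery on the internal wiki (High) drops from second to fourth place, while the IDOR on the payments API (Medium) climbs to second. The point is not the particular weights but that the conversation with the business happens on a list you can defend, rather than on the testers' severity column alone.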
Re-test after the fix (After)
Some pentesting contracts can offer a re-testing phase at no additional cost after the vulnerabilities have been fixed to validate that the remediation effort has been successful. It is useful to re-test in order to close the findings and ensure the remediation actions did not open other vulnerabilities.
Start reserving time for after the pentest (During)
Make sure you and key people from your team will be available after the pentests to study the report and fix the vulnerabilities uncovered by the pentests.
Adapt your processes to make sure vulnerabilities do not recur (After)
The pentest should have long-lasting effects on your company. It uncovers vulnerabilities in the systems, but it should also make you ask why those vulnerabilities occurred, since they are symptoms rather than root causes. Take the time to work out how to improve your processes so that similar vulnerabilities do not recur.
Create training and update onboarding and offboarding (After)
Take the time to understand the lessons learned from the pentests, and include them in the employees training curriculum, whether they are technical or non-technical employees. Make sure to update employees onboarding and offboarding packages and processes as well.
Evaluate penetration testing effectiveness (After)
Have the pentests achieved the goals you set? What could have been done differently/better? The frustrating part about penetration tests is that when they find vulnerabilities, it is bad news, but the absence of discoveries does not mean absence of vulnerability. Do not judge the pentest by how little or how many vulnerabilities were uncovered.
Make sure your Incident Response Plan covers the uncovered vulnerabilities (After)
Review your Incident Response Plan in light of the findings to ensure it is prepared for the kinds of vulnerabilities found. Update the plan if needed, with detailed procedures, roles and responsibilities. Communicate it to your team and other stakeholders in the organization, and schedule exercises to rehearse it.
Review the vulnerabilities to ensure they have not been exploited (After)
Use the logs to investigate whether the uncovered vulnerabilities were already being exploited by anyone other than the testers, before or during the engagement. If so, find out the extent of the damage, report it to your manager and take appropriate remediation actions.
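The log review above and the "Monitor your security monitoring tools" item are two uses of the same question: which hits came from the testers, and which did not? The example below, added here and not code from the original post, answers it over access-log lines. It labels each request as pentest traffic (tester IP inside the agreed window), tester activity outside the window (worth a question to the testers), an unknown source touching a path the report flagged as vulnerable (investigate), or ordinary traffic. The tester IPs, engagement window, vulnerable paths and the six log lines are all constructed for the example, using documentation address ranges; none of it comes from a real engagement.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Agreed engagement window and tester source IPs, as they should appear in the
# rules of engagement. Values here are assumptions (RFC 5737 documentation ranges).
TESTER_IPS = {"203.0.113.10", "203.0.113.11"}
WINDOW_START = datetime(2024, 3, 11, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 15, 18, 0, tzinfo=timezone.utc)

# Paths the report flagged as vulnerable (IDOR on /invoices/{id}, SQLi on /login).
# Hypothetical findings, used only to drive the example.
VULNERABLE_PREFIXES = ("/invoices/", "/login")

# Constructed access-log lines in common log format; not from a real system.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:15:02 +0000] "GET /invoices/1042 HTTP/1.1" 200 512
203.0.113.10 - - [12/Mar/2024:10:16:40 +0000] "POST /login HTTP/1.1" 500 98
198.51.100.7 - - [12/Mar/2024:11:02:13 +0000] "GET /invoices/1043 HTTP/1.1" 200 511
192.0.2.55 - - [12/Mar/2024:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [01/Mar/2024:03:44:09 +0000] "POST /login HTTP/1.1" 500 98
203.0.113.11 - - [16/Mar/2024:08:30:00 +0000] "GET /admin HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string before matching
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def classify(event, tester_ips=TESTER_IPS, start=WINDOW_START, end=WINDOW_END,
             vulnerable_prefixes=VULNERABLE_PREFIXES):
    """Label one event so the SOC can tell pentest noise from real attacks.

    pentest                : tester IP inside the agreed window, attribute to the test
    tester-outside-window  : tester IP outside the window, ask the testers why
    unknown-vulnerable-path: anyone else touching a reported-vulnerable path, investigate
    other                  : ordinary traffic
    """
    in_window = start <= event["ts"] <= end
    from_tester = event["ip"] in tester_ips
    hits_vuln = event["path"].startswith(vulnerable_prefixes)
    if from_tester and in_window:
        return "pentest"
    if from_tester:
        return "tester-outside-window"
    if hits_vuln:
        return "unknown-vulnerable-path"
    return "other"


def triage(log_text, **kwargs):
    """Return (label counts, list of events that need a human look)."""
    counts = Counter()
    follow_up = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            counts["unparsed"] += 1
            continue
        label = classify(event, **kwargs)
        counts[label] += 1
        if label in ("tester-outside-window", "unknown-vulnerable-path"):
            follow_up.append((label, event["ip"], event["ts"].isoformat(), event["path"]))
    return counts, follow_up


if __name__ == "__main__":
    counts, follow_up = triage(SAMPLE_LOG)
    print(dict(counts))
    for item in follow_up:
        print(*item)
```

In the sample, the two tester requests inside the window are attributed to the test, the tester request the day after the window is flagged for a question, and 198.51.100.7 hitting the vulnerable login endpoint eleven days before the engagement is exactly the case the checklist item asks you to look for: evidence that someone other than the testers may have found the flaw first. Source IP alone is weak attribution (shared egress, proxies), so in practice also agree a distinctive User-Agent string or header with the testers and include it in the filter.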
Review the vulnerabilities with the team (After)
Some vulnerabilities uncovered by the pentesters within the scope of the pentest could exist in your other systems. Reflect with your team to find out if similar vulnerabilities can exist elsewhere and if you could fix them simultaneously.