While everyone hopes that when they have a third party come in to conduct an external penetration test everything goes according to plan, the honest truth is that sometimes that’s just not the case. There is a litany of issues that can pop up during penetration testing in general. While 95% of the time things go smoothly, you should be fully aware of what can go wrong when having an external penetration test conducted. If you haven’t already, check out our complete guide to external penetration tests for information on costs, what questions it answers, etc.
So… what are the potential issues and what can I do?
Systems can go down
This could be caused by a misconfiguration, an old server on the perimeter, or a particularly bad vulnerability. While good penetration testers will tell you that we’ll do everything in our power to avoid taking something down, there is always some level of residual risk with taking a black box approach and actively exploiting detected vulnerabilities. But you want us to do this, as we explain here! Whatever causes that particular system to crash is something that you want to know about, as anyone on the Internet could induce that crash.
What you can do: If there are any old or particularly sensitive hosts on your perimeter, let your testing organization know during the project initiation meeting, otherwise known as the kick-off call, when discussing the Rules of Engagement. If there are particularly critical systems that could cause significant harm to your business if they went down, consider having the testing on those performed after regular business hours.
Data can also be modified or lost during testing. This issue can occur due to failures or certain kinds of vulnerabilities. If there is a SQL Injection issue, placing a single quote into a field could modify or drop data in your database. You’d definitely want to know about this issue, but only after your rage subsided from potentially having to restore portions of your production database. Again, in anything but extreme scenarios, experienced penetration testers can avoid database modifications, but the potential is there.
What you can do: Before testing begins, it’s a great idea to double-check your organizational backups and restoration procedures. I mean, I’m sure you’re doing that on a regular basis anyway, right?
We may find that you’ve already been compromised
There’s a great saying in the security community that there are two types of organizations out there: those that have been breached and those that don’t know they have been breached. While it doesn’t happen on every assessment, it has happened that we discover an organization’s assets have already been compromised when performing testing. I wouldn’t necessarily classify this as a potential problem, but it’s important to understand that it does happen. Should this be the case, we will immediately stop testing and notify our contact about what we’ve found. We’ll help you in any way we can to resolve the issue, and once you’ve given us the OK, we’ll proceed.
What you can do: It’s a great idea to have a continuous monitoring process that looks at systems, event logs, and alerts on a regular basis to identify potential breaches and security incidents as soon as possible.
Now you’ve scared me, I’m not sure I want this external penetration test.
It’s not as bad as it sounds. As mentioned above, these issues don’t happen often. But with some proper planning and good security hygiene, you can help make sure they don’t happen to you. As penetration testers, we want to do everything we can to set you up for a successful penetration test and prevent causing any disruptions. After all, one of the major benefits of a penetration test is to find and fix issues before they cause problems for the business. It’s also important to understand that any disruptions that occur could have happened at any time since the targets being tested are on the open Internet.