In this two-part blog series, we are looking at what you can expect after a penetration test. More specifically, what basic steps should you follow once you receive the report to start fixing the vulnerabilities uncovered. In the previous installment, we took a look at understanding the penetration testing report and coming up with an initial game plan. In this blog, we will look into getting organizational buy-in, starting the fixes, and validating the remediation efforts.
Organizational Buy-In
After you have the initial game plan in place, it is time to present both the results of the penetration test and your proposed plan for remediation to upper management. Showing upper management that you have a plan in place demonstrates that you are being proactive and helps ease the shock of the report, especially if the results uncovered significant issues. With that being said, don’t be afraid to present the penetration testing report in full. If needed, we’re always happy to present the results of an assessment to your management with you. It is important not to hide things or try to sugar-coat anything, because this can lead to problems down the road. There are two important things to consider here. First, your management is ultimately responsible for the security of the organization, so they need to fully understand all of the risks. Second, hiding things will make it harder to get the resources and buy-in necessary for remediation.
Many of the changes required to fix the vulnerabilities found in a penetration test will require resources, which in turn require management buy-in. This may take the form of additional budget to pay for security controls or tools that are needed. It might also be a change that costs nothing but requires organizational or cultural changes. For example, you may want to strengthen your password policy, an infamous battle in security, but your users don’t want to have to type longer passwords. Before making these changes, you need your upper management’s buy-in to give you the backing you need for unpopular changes.
In addition to upper-management buy-in, it is important to get buy-in across the rest of the organization as well. We recommend using awareness training to educate employees about the risks you are facing and the associated security controls. We also recommend using screenshots from the penetration testing report in your awareness training where it makes sense, especially if you had a social engineering assessment performed. As Smokey the Bear says, “Only you can prevent data breaches” or something like that. Security is everyone’s responsibility, and you need the organization to be aware and to know what changes to expect as part of the remediation efforts. This will help them understand why these changes are necessary and make these changes as seamless as possible.
Update the Game Plan
After meeting with upper management, it is likely that your initial game plan will need some modifications. Upper management is in a better position to understand the business and operational side of the house, so they may choose to accept some risk, expedite certain fixes, or modify the approach you take to fix certain vulnerabilities. Therefore, you will likely need to spend some time after presenting the plan to update and change it based on the discussion. Once the changes are made, be sure to get a final sign-off on the plan, as it will help get everyone on the same page and prevent further changes to the plan down the road.
Start Fix Actions
After the plan is in place, it is time to start executing it. Understandably, this is likely going to be the longest and most complex step in the process. As such, go ahead and schedule regular update meetings to review progress and ensure the plan is being followed. Ensure every remediation action has an owner who is responsible for tracking and implementing the fix. Additionally, if you use help-desk tickets, creating a ticket per finding is a great way to track progress. If you don’t have a ticket system, you may want to use the technical findings report we provide to track progress: add columns for the owner, expected fix date, status, and remediation notes. Combining a tracking system with regular progress meetings will help ensure you stay on track and that fix items do not get lost in other day-to-day security operations.
Validate Fix Items
Whenever an item is fixed, it is important that you test the fix to ensure that it properly mitigates the risk of the vulnerability and that no new vulnerabilities were introduced. This can be done in-house if your engineers are comfortable with the initial finding and know how to test it again. Alternatively, you can use the firm that performed the assessment or another trusted third party to retest the findings and confirm they were properly fixed. This may be required if you performed the initial penetration test for compliance or for a third-party customer approval.
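The tracking sheet from the “Start Fix Actions” section and the retest step above can be driven from the same data. The script below is an added example, not Triaxiom’s tracker or report format: it assumes a findings sheet exported to CSV with the owner, expected-fix-date, status, and notes columns added, and it produces the three lists you would bring to a progress meeting (overdue items, items with no owner, and fixed items still waiting on a retest), plus a severity-ordered open backlog. The finding IDs, hosts, people, and dates in the sample are constructed for illustration.

```python
"""Remediation tracker for a penetration test findings sheet (added example).

Assumes a CSV with at least these columns (names are an assumption, not a
standard): id, title, severity, owner, expected_fix, status, notes.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample sheet; findings, owners and dates are illustrative only.
SAMPLE_CSV = """id,title,severity,owner,expected_fix,status,notes
PT-001,Outdated web server build,High,jdoe,2024-03-01,In Progress,Patch window scheduled
PT-002,Weak password policy,Medium,,2024-03-15,Open,Needs management sign-off
PT-003,Missing security headers,Low,asmith,2024-02-15,Fixed,Retest requested
PT-004,Default credentials on test host,Critical,jdoe,2024-02-10,Open,
PT-005,Verbose error pages,Low,asmith,2024-04-01,Risk Accepted,Accepted by CISO 2024-02-20
"""

# Order used to sort the backlog; unknown severities sort last.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
# "Fixed" is not the end of the road: an item is only closed once it has been
# retested ("Validated") or management has formally accepted the risk.
CLOSED_STATUSES = {"Validated", "Risk Accepted"}
AWAITING_RETEST = "Fixed"


def load_findings(csv_text):
    """Parse the sheet into dicts, turning expected_fix into a date (or None)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["owner"] = row["owner"].strip()
        row["expected_fix"] = (
            date.fromisoformat(row["expected_fix"]) if row["expected_fix"] else None
        )
        findings.append(row)
    return findings


def _severity_key(finding):
    return (SEVERITY_RANK.get(finding["severity"], 99), finding["expected_fix"] or date.max)


def open_items(findings):
    """Everything not yet validated or risk-accepted, including 'Fixed' items."""
    return [f for f in findings if f["status"] not in CLOSED_STATUSES]


def overdue(findings, today):
    """Open items (not yet fixed) whose expected fix date has passed, worst first."""
    late = [
        f for f in open_items(findings)
        if f["status"] != AWAITING_RETEST and f["expected_fix"] and f["expected_fix"] < today
    ]
    return sorted(late, key=_severity_key)


def unowned(findings):
    """Open items nobody is accountable for; these are the ones that get lost."""
    return [f for f in open_items(findings) if not f["owner"]]


def awaiting_validation(findings):
    """Items marked fixed but not yet retested, in-house or by the assessor."""
    return [f for f in findings if f["status"] == AWAITING_RETEST]


def backlog(findings):
    """All open items, highest severity and earliest due date first."""
    return sorted(open_items(findings), key=_severity_key)


def status_summary(findings):
    """Counts per status, for the headline slide of the progress meeting."""
    return dict(Counter(f["status"] for f in findings))


def progress_report(findings, today):
    """Plain-text report suitable for pasting into the meeting notes."""
    lines = [f"Remediation status as of {today.isoformat()}"]
    for status, count in sorted(status_summary(findings).items()):
        lines.append(f"  {status}: {count}")
    lines.append("Overdue:")
    lines += [f"  {f['id']} [{f['severity']}] {f['title']} (due {f['expected_fix']}, owner {f['owner'] or 'NONE'})"
              for f in overdue(findings, today)] or ["  none"]
    lines.append("No owner assigned:")
    lines += [f"  {f['id']} {f['title']}" for f in unowned(findings)] or ["  none"]
    lines.append("Fixed, awaiting retest:")
    lines += [f"  {f['id']} {f['title']}" for f in awaiting_validation(findings)] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(progress_report(load_findings(SAMPLE_CSV), date(2024, 3, 5)))
```

Keeping “Fixed” distinct from “Validated” is the one design decision worth copying even if you track this in a ticket system: a finding only leaves the open list after someone has retested it, which is exactly the validation step the section above describes.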
In this two-part series, we explored what to do after a penetration test, how to go about making a game plan, and how to track and validate fixes. Following these steps will help ensure your security posture improves year after year. At Triaxiom, we want to partner with you to better your security. This means that if you need our assistance at any step in the process, please reach out to us.