Does External Penetration Testing Need to Be Conducted “After-Hours”?

One of the questions we often get when scoping out external penetration tests is “Can this testing be conducted after-hours or outside of regular business hours?” And while the answer is always “yes, we can do that,” some organizations aren’t aware of the trade-offs and risks here, so they may be signing up for a more expensive assessment when they don’t really need to. We are always happy to explain the pros and cons here on scoping calls as they pertain to your specific situation, but let’s dive into some of the factors that could influence this decision.

Concerns About Pen Testing

For a lot of organization’s, I think most of the concerns here come from a fear of the unknown. If they haven’t had a penetration test before or haven’t had our firm conduct a penetration test for them, they’d like to play it safe rather than sorry. The last thing any security or IT leader wants is to be the cause of any kind of outage or loss in revenue for the business. So while scoping out a penetration test, and we’re talking about external penetration testing in particular here, they want to restrict testing so that nothing is done during regular business hours to avoid any chance of a serious disruption. If the penetration testing team happens to take down a system or lock out a key account, there is plenty of time to get everything restored before any significant impacts are felt.

Additionally, maybe you’re just concerned about the overall load that’s being put on your organization’s exposed servers, since you may not be familiar with the kind of testing tools or scans that are run during a penetration test. After-hours testing can ensure that these automated tools are only being run during low-traffic time periods. It’s not ridiculous to want to lower the overall risk associated with an assessment, as that’s how security people tend to operate. But running a penetration test after-hours does increase the overall cost of the assessment for your organization.

The Real Risk of External Penetration Testing

Now I can’t sit here and tell you that there is no risk associated with a penetration test. The engineers assigned to test your organization are trying to emulate real world threat actors and the types of attacks your organization is likely to face. Their ultimate goal is to gain access to your organization’s network and/or sensitive information while identifying all possible vulnerabilities on your assets that are exposed to the Internet. In order to do this, there is some risk associated with running software exploits, conducting password attacks, or even just launching automated scans to start an assessment.

In general though, the level of risk here is extremely minimal. Here are a few factors when considering whether after-hours testing may be necessary for you:

  • These systems are already exposed to the Internet. If you’ve ever monitored logs of Internet-facing systems before, you’ll see that attacks are being thrown at these systems, they are being scanned, and password attacks are being attempted on login interfaces regularly. If these haven’t caused issues, a penetration test likely won’t cause any problems either.
  • Penetration testers are much more courteous than actual adversaries. Experienced penetration testers understand how to balance the need to provide a realistic and thorough test with the importance of availability for a business. We’re not going to launch attacks with a high likelihood of disruption, we’re always going to avoid account lockouts where possible, and we’re not going to launch denial-of-service attacks.
  • Automated scans are a small part of an external penetration test. A lot of people seem to be worried about the volume of “scans” we run during an assessment. These tools really don’t generate a ton of traffic and run in a throttled manner, limiting the number of concurrent requests to a host. While this can certainly cause problems for sensitive or old systems (we request that you consider this and let us know about any potentially sensitive systems during our Project Kick-Off Meeting), you’d likely already be having issues if these devices are exposed to the Internet.
  • If a penetration testing does cause any problems for your systems/networks, there’s a likely a problem you want to know about. As these systems are already exposed to the Internet, if we take any action that causes availability issues, there is very likely an associated vulnerability or misconfiguration that needs to be addressed.

So while there are certainly industries, organizations, and situations that would merit after-hours penetration testing, you may want to consider the factors above before springing for a more expensive assessment. The vast majority of the time, clients don’t even know we’re there when we conduct an assessment and gain access to the internal network or sensitive information. It is a good time to review your logging and alerting infrastructure, however, to help you understand what kind of attacks you might see as a penetration test is being conducted. Overall, there’s no right or wrong answer here. We always want to arm our client’s with all of the data they need to make an informed decision on what’s right for them, but we’re always happy to discuss your situation in more detail, so feel free to reach out!