Getting a penetration test for the first time as an organization can be intimidating. You're not sure about the process, you're not familiar with the company doing the testing, and you may not even be sure what success looks like. Today, we'll explore 5 tips for your first penetration test to help you prepare and understand what to expect.
1. Set Expectations for the Penetration Test Results
As this is your first penetration test, odds are the results will not be pretty. It is extremely common for first-time tests to come back with a long list of findings and vulnerabilities that need to be addressed. This is OK! Finding those issues is why you are having a test performed in the first place, and it's the first step toward improving your security posture. So not only do you need to set expectations with yourself, but…
2. Be Honest with Leadership
It's also helpful to explain the process and the likely results ahead of time to any management or executive leadership who will be involved in the testing process or will receive the results. Maybe your leadership understands you need to start having testing performed, maybe the leadership team has mandated the testing, or maybe you've just managed to get their buy-in and the budget for it. Whatever the case, you want them to understand that findings will show up and that this is expected. It is more important that you bring them an action plan and a reasonable response than that you bring them a clean report.
3. Consider a Re-Test After Your First Penetration Test
So there were some significant items in your penetration test results. A re-test, where the penetration testing team comes back and validates the fixes and remediations you have put in place, can demonstrate your dedication to security through your response actions. Note that a re-test verifies the specific findings from the original report within the same scope; it is not a new full assessment. Additionally, a re-test allows the report to be updated to reflect which findings have been remediated, which better tells the story of your organization's security program.
4. Be Available During Testing
Make sure that you or another emergency contact is available during the testing window. Your main responsibility during active testing is to address any access concerns or questions that the penetration testing team may have. There are instances where credentials need to be reset, where security devices block the testing team's source IP addresses and prevent testing activities, or where a very critical vulnerability is discovered that requires your attention and/or assistance. As part of the Rules of Engagement, the test team will share contact information with you and explain some of the scenarios in which they might reach out. The Rules of Engagement should also document the testing team's source IP addresses and the testing window, so that your security staff can tell test traffic from a real attack and you can decide in advance whether those addresses will be allowlisted in your security devices.
5. Continue Conducting Penetration Tests
Don't get complacent and think that just because you've checked the box and had a penetration test, you're all set. This type of testing is a point-in-time assessment, and you need to repeat it on at least an annual basis, and after significant changes to your systems or architecture, to continue understanding and controlling your risk. Technology is constantly changing, your organization's systems and architecture are changing, and even if your security posture was solid this time around, a lot can change in a year.
Penetration testing can seem daunting and intimidating, but with these tips for your first penetration test and some proper planning, it can be a great way to better understand your security posture and improve security for your organization. If you communicate effectively with the stakeholders in your company and with your penetration testing team, you'll find that it can be a straightforward process and a rewarding experience. If you have any questions or would like to get started, please contact us today!