About 95% of the time, penetration tests are completed without any issues occurring. An experienced penetration tester will have conducted hundreds of assessments on a myriad of networks, and will know the common pitfalls to avoid. A skilled tester will work diligently to evaluate the risk to your network, while protecting your systems and keeping production systems available at all times. With that being said, in a minority of cases, things can still happen, even with an experienced tester behind the keyboard. Today, we look at some easy steps you can take to help prevent problems on a penetration test.
Prevent Problems on a Penetration Test
Although very rare, problems can occur in some cases despite your best efforts, but there are numerous things you can do to prevent issues and ensure a smooth penetration test. Let’s discuss some of the most common ones below.
Update or Identify any Old Systems
It is quite common for organizations of any size to have older systems or applications on their network. It seems there is always that one application the accounting department needs to do their job, and it can only run on a Windows 2000 system with a dot-matrix printer. You know which one we are talking about. Simply put, unsupported and outdated operating systems are no longer receiving patches. Over time these systems will become less and less stable. So when a penetration tester runs a basic enumeration scan against it, the system decides to quit. At the same time, these systems are likely your most vulnerable and a very likely path the attacker is going to take when attacking your network. Therefore, if possible, update these systems to the latest, supported operating system and patch them. If it is not possible, you should identify these systems in the Rules of Engagement (ROE). If you can, it is important to evaluate the risk of this system on your network. Because of this, work with your penetration testing team, and ask them to only test this system during a certain time window where a disruption is more tolerable. Be mindful that conducting an entire test after hours usually will add cost to your penetration test, but depending on the firm, asking for one or two systems to only be exploited after hours will be no issue.
Speaking of Dot-Matrix Printers, it is a good idea to give the penetration testing team a list of IP addresses for your printers. Most modern vulnerability scanners have the ability to avoid printers when scanning a network, however, it is not very reliable and will sometimes scan them anyways. Printers are notorious for misbehaving on a penetration test. Some printers even have a port open on the network, that will print anything that goes to that port. I guess that makes printing easy, but a single vulnerability scan of that port will go through an entire ream of paper. To make life simpler, give your testing team a list of the printers on your network, and they can test these manually to avoid wasting paper and/or bringing the printer down.
What systems must be available?
In many organizations, there are certain systems where availability is absolutely critical. These might include SCADA systems, systems that control billing, commerce sites where all the business comes through. In any case, these systems need to be identified so the penetration testing team knows to proceed cautiously. Additionally, for these systems, they may need to be tested only after hours. Make sure that is clearly spelled out in the ROE. Finally, if it is a web application, it might be better to take a mirror of that website, and have the penetration test performed on a mirror application instead of the primary.
What forms generate data?
For all of your websites in scope, identify any form that will generate processes. For example, identify any contact us forms. A seasoned penetration tester will manually review the website prior to performing any tests or scans (check out our web application penetration testing methodology), however, occasionally it is hard to determine which forms will generate emails or work processes on the other end. In order to evaluate each form effectively, a penetration tester will supplement his manual review with an automated scan. This scan will test for common vulnerabilities, and will try to evade any protections that may be in place. In the process, this scan can and will generate thousands of forms. Sometimes, this means that your helpdesk gets a thousand new user requests or contact us requests. In order to avoid this, ensure that you provide your team with the forms to avoid automated scanning. If possible, allow the team to manually test these forms, which will generate 10-20 submissions.
Any other Concerns?
Bring them up with your penetration testing firm on your kickoff call. This is the call to get everyone on the same page before the project starts. If there’s something else you think should be included here, feel free to reach out and let us know!