Pentesting: Tips, why you need it and mistakes to avoid

Pentesting (also known as penetration testing), is a critical cyber security assessment businesses undertake to help them understand the risks and vulnerabilities in their environment, and to test their defences. Depending on your infrastructure it can be quite a large and daunting process, so we’ve listed some top tips, mistakes to avoid, and how to find the right cyber security partner for your business.

Avoiding common pentesting mistakes

Risk prioritisation

The first stage is to identify and prioritise any risks. This will give your pentest structure and form a focus goal to get the best out of your results. Don’t forget to think about the worst-case/it-won’t-happen-to-us scenarios. By including this within your goals, your business will have an idea on how to proactively react and remediate in the event of this specific situation.

Tools – are you using the correct ones?

When businesses carry out their own pentests, often the wrong tools are getting used by internal IT teams, generating poor and inaccurate results. Internal IT teams don’t always have the knowledge or experience to carry out a thorough test. If in doubt of your internal skill set, it’s best to stick with an experienced provider that has wide coverage expertise.

Irregular pentesting

Don’t become complacent and assume that one pentest will mean you’re risk free. It’s only going to give you an analysis of your current defences. Your environment will change overtime, especially when you’re bringing in new technology. Pentesting should be maintained regularly to identify vulnerabilities.

Top tips: How to get the maximum value out of pentesting

Understand your environment and set goals

Step one is to understand your environment and why you’ve decided to carry out a pentest. What results are you looking for? It may be to meet compliance standards, to assess your security teams skills or you’re simply just looking to evaluate your defences. Either way, your partner will need to understand your current situation and goals to be able to carry out an effective test.

When setting goals, remember to be realistic in terms of budget and how much of your network can be tested. Cyber criminals will exploit any vulnerability found in any system, so don’t limit your testing to specific systems only.

Communicate to your provider if you’re looking to test specific threats. Some industries have targeted cyber security issues. A knowledgeable provider will have familiarity of this, but have the discussion with them to ensure granular testing.

Ensure staff resources are available during the test

When your partner carries out a pentest, they’ll involve your security team to discuss solutions. So before your test, ensure that the relevant people are available and onboard when need to avoid project delays and limitations in remediation suggestions.

Ask the right questions!

Knowledge is key, do your research beforehand, and don’t be afraid to ask questions. Here’s a few key questions you can ask before your test:

1. What certifications do your security specialists have?
2. What can I expect in the final report?
3. What does your pentesting methodology look like?
4. How will the pentest affect business continuity?
5. Do you offer post-test support and recommendations?
6. Will my company network and hardware be protected?

 Stay consistent with a reliable partner

If you were impressed with your partner the first time round, then stick with them for your future pentests. They already know your business and understand your environment by now, so why go through the trouble of finding a new one?

Best practices: Choosing a trusted pentesting provider

Ask for a sample report

You need to know what you’ve signed up for, so consider asking for a sample report to know exactly what to expect. A comprehensive report should include the following sections:

• A summary of threats and business risks which can be easily interpreted by non-technical staff
• A step-by-step process of what the pen testers carried out in the environment
• Detailed risk scoring to rank and rate the identified vulnerabilities
• Actionable recommendations to remediate threats

Understand their process

Find out exactly what your provider will be doing in terms of what tools and processes they will be using. This will help you define expectations and give you an idea of what the test will look like.

Find out what forms of testing they offer

Although your partner will recommend the best option for your business, its best find out exactly what types of pentests they offer. The 5 forms of pentesting are:

• Black Box Testing: Black Box pentesting considers realistic external threats to systems
• White Box Testing: This can also be known as internal testing. It assesses the business’s overall systems and their strength
• Grey Box Testing: The purpose of Grey Box testing is to assume that a hacker has access to sensitive information and the potential consequences to the business
• Blind Pentesting: A Blind pentest will mimic the actions of a ‘legitimate’ hacker and use publicly available information to test the security of a business
• Double Blind Testing: The idea behind this method is to keep internal teams unaware of an attack to observe how quickly internal IT/security teams respond to potential attacks

If you’re interested in penetration testing services, get in touch with our cyber security team today.