Rob Behnke
December 9th, 2021
This article is part of blockchain security firm Halborn’s series on penetration testing. In previous articles, we discussed what a penetration test is and why your company needs one. In this article, we explore some of the most common penetration testing mistakes and pitfalls.
Penetration testing can be an extremely effective means for organizations to identify and correct security issues within their environments. However, companies make several common mistakes when undergoing a penetration test. Here are 5 common penetration testing mistakes that companies make:
Most penetration tests occur in response to some security event. A company may need a penetration test to close holes after a cyberattack or to meet the requirements of a data protection regulation.
Often, penetration tests against production environments are already “too late”. The vulnerabilities that the penetration testers discover have already been accessible and potentially exploitable by cybercriminals for some time.
Also, if a company has fundamental security issues, building on top of them makes them more expensive and difficult to solve.
Moving penetration testing earlier in the lifecycle makes it easier and cheaper to fix mistakes.
Companies should undergo frequent penetration tests to ensure that its hardware and software are secure and configuration settings are correct, rather than waiting to pen test when something has already happened.
Penetration tests are designed to uncover vulnerabilities in an organization’s software and systems. By identifying these vulnerabilities, pen testers give organizations the ability to close their security gaps and make their systems more secure against cybercriminals.
Often, companies have a long list of vulnerabilities in their systems, requiring some prioritization for penetration testing and patching efforts. One way of prioritizing where to look for vulnerabilities and which ones to fix first is vulnerability severity.
The Common Vulnerability Scoring System (CVSS) ranks vulnerabilities on a scale of 1 to 10 based on the potential impact that they can have to an organization. Penetration testers and their clients may focus on identifying and fixing high-severity vulnerabilities first and work their way down from there.
However, this approach misses the greater context around these vulnerabilities. Within an organization’s network, not all systems are created equal. Some systems, such as database servers, are more valuable to the business and attackers than others, like employee workstations.
Penetration testing and vulnerability patching efforts should take severity into account but only as one factor contributing to business risk. Before performing a penetration test, the organization and testers should rank systems based on their business risk and prioritize testing and remediation based on this assessment.
Penetration tests are commonly a careful balance between realism and stability. On the one hand, the customer needs as realistic a simulation as possible to identify the various cybersecurity risks within their environment. On the other hand, most customers don’t want the penetration testers to break their systems and render them unable to do business.
As a result, most penetration tests have a clearly-defined scope. These scope limitations tell the testers what targets and types of testing are “fair game” and which are off-limits.
However, penetration testing scopes are often too limited and disallow the very threats that an organization is most at risk of experiencing. For example, social engineering attacks, such as phishing, are commonly out of scope for penetration testing. At the same time, they are also some of the most common cyberattacks and pose significant risks to the company undergoing the engagement.
Penetration testing scope limitations may be necessary in some cases, but they also undermine the realism and value of the penetration testing engagement. In the short term, penetration test customers should only impose scope limitations for attacks that threaten their ability to do business, not those that could be embarrassing and that they lack protections against (like phishing).
In the long term, these companies should work to improve their business continuity strategies so that they can maintain normal operations even if something breaks during a penetration test or real cyberattack.
Penetration tests are designed to help organizations to identify and fix vulnerabilities within their systems. At the end of a penetration testing, the customer receives a report detailing the actions performed by the pen testing team, their discoveries, and recommendations for remediating these vulnerabilities.
Companies are expected to work through this list of discoveries and perform patching, updating, and other actions to fix the problem. The issue arises when a company completes the pen test checklist and considers the problem solved.
Vulnerabilities and security issues in an organization’s systems don’t arise from nowhere. Whether it’s insecure coding practices, poor change management, or other issues, something went wrong to make these security gaps possible. And, unless this underlying issue is corrected, then the symptoms (vulnerabilities, configuration issues, etc.) will keep on occurring.
Fixing the issues included in a pen testing report is an important step, but it should only be the first step in the process. Companies should use this information as a starting point to identify and correct the underlying security issues that made the problems possible.
Penetration testing is designed to emulate real-world cyber threats to an organization. Often, this means that penetration testers begin the engagement with no knowledge or access to the target environment (i.e. a “black-box” approach). This is designed to simulate a fully-external threat and to eliminate the biases that may be created by insider knowledge of the target environment.
However, a pure black-box approach to penetration testing has several different issues. The first is that advanced cyber threat actors rarely start their attacks with zero knowledge of their targets. Often, hackers perform in-depth reconnaissance on their targets using more time and resources than is available during the preparation for a standard penetration testing engagement. Providing the penetration testers with some knowledge and access can help to better simulate these advanced cyber threats.
Another issue with a full black-box approach to penetration testing is that it doesn’t take into account business risk and existing security testing. Black box penetration testers evaluate the security of what they can access during the test, which may involve duplicated effort or overlook critical assets. Penetration tests are more effective and valuable to the customer if they are more targeted.
Penetration tests can go wrong for a variety of different reasons, and failed pen tests can leave a company with a false sense of security. A well-designed and well-executed penetration test provides an organization with insight into its vulnerability to a particular type of cyber threat. By performing penetration tests regularly, an organization can dramatically improve its insight into its current security posture and decrease its vulnerability to cyber threats.
Blockchain security firm Halborn is trusted by leading companies to plan and execute penetration tests against their organizations and ensure that they are protected against cyber threats. To learn more about Halborn’s penetration testing services and how we can help your company, reach out to our pen test experts at halborn@protonmail.com.