Penetration testing (or pentesting) is one of the most effective means of unearthing weaknesses and flaws in your IT infrastructure. It exposes gaps so you can plug them before a malicious party takes advantage. Whereas the benefits of pentesting are clear, a pentest is only as effective as its planning and execution.
Substandard pentesting will not only yield results that add no value but could also endanger the very infrastructure it’s meant to help protect. Before you run a pentest or commission a third party like Emagined Security to do it for you, beware of the most common mistakes testers and businesses make. Here’s a look at some of these.
5 Common Pentesting Mistakes
Disregarding Professional Ethics
A pentester must put themselves in the shoes of a real hacker if they are to model and run scenarios that mirror the real world. But that is the only thing that a tester should have in common with a cybercriminal. Importantly, the pentester should leverage their technical ability to improve security while subscribing to the highest level of ethics.
During the test process, the pentester will likely gain access to sensitive corporate information. They’ll also become aware of the potential loopholes an attacker could use to break through the organization’s defenses. It would be a grave error if they were to disclose or utilize these privileges outside the boundaries of their authorization.
Testers must hold sacred the great trust the target organization has bestowed on them. They must subscribe to the principles of legality, confidentiality, and privacy at all times.
The pentester aims to identify gaps in the system. Whereas they are paid to break the rules, this has to be done with pre-authorization and predefined terms of engagement.
Testers can get overly enthusiastic in demonstrating their skills and thus lose focus from their primary objectives. They may crash a critical system by going beyond what they are permitted to do. This can be especially destructive if part or all of the test is conducted in a live production environment.
Rules of engagement must be disseminated to all involved and any aspects that are unclear discussed beforehand. The rules would include scope, systems covered, systems excluded, types of tests, timeframe for testing, and escalation procedures during emergencies.
Not Properly Safeguarding Evidence
‘Trust but verify’ is the golden rule of auditing. This could very well be applied to pentesting too. Like all techies, pentesters sometimes perceive the capture, retention, and documentation of evidence as a distraction. If you offer no evidence to back up your test report, it’ll be difficult for decision-makers and other stakeholders to accept and act on your claims.
From the start, determine what evidence you need to capture. At the minimum, this would include the exploited vulnerability, timestamp of the exploit, unauthorized actions you could perform, number of unsuccessful attempts, and any breach detection that occurred. This evidence is the foundation of a fact-based pentest report.
Over-Reliance on Tools
Enterprise IT infrastructure is highly complex. It’s virtually impossible to run a substantial pentest today without some reliance on automated tools – from applications like Wireshark that quickly scan targets and traffic, to solutions such as Metasploit that streamline the development of custom exploits.
The range of tools at a pentester’s disposal is vast. So much so that one would be tempted to sit back and let these solutions do all the work. But tools are only as useful as the skill level of the person who wields them. Tools should never lead a pentesting program. Instead, they should implement the concepts, ideas, and plans the tester has already thought through.
Failure to Recognize the System is Indeed Secure
The focus of a pentest is not to achieve intrusion by all means. Instead, it’s to assess how protected the infrastructure is from the methods cybercriminals would use.
Ergo, if you run an exhaustive test that doesn’t result in successful intrusion, that shouldn’t worry you. It’s ok for the test findings to conclude that the system is secure. Many rookie pentesters lose sight of the greater goal and go all out to prove some gap exists.
The road to becoming a top-notch pentester is years-long. Achieving expertise is contingent on minimizing the number of mistakes you make. Recognizing these pentesting mistakes is essential to getting your tests consistently correct.