Customize Pen Tests to Your Organization

Written by CISOSHARE

August 17, 2016

These days, there are many reasons for the average emerging-growth organization to conduct a penetration test.

It could be a requirement from a potential new customer, as part of a regulatory audit, or to understand the risk profile of your technical environment within a self-driven assessment.

At CISOSHARE, our services often become the entire security program for our customers. We have defined, scoped, managed, and performed thousands of penetration tests and associated assessments. Below are some simple tips to get the most out of an assessment in your environment.

Set an Objective for Your Pen Test

Many sponsors of penetration tests believe that the objective of their examination is just that: to perform a penetration test.

This is like saying you want to eat at a restaurant, but any restaurant will do. If left unchecked, which is often the case, this creates a perfect opportunity to overpay for an assessment and/or perform an assessment that won't meet your objective.

So, if you are performing an assessment to satisfy a customer request, limit the scope of the test so that it produces only a minimal set of findings.

The reason for this is that customer requests often only check that 1) you performed a test recently, and 2) you have remediated, or have a plan to remediate, the findings in short order. So keep the test short and simple.

On the other hand, if your objective is to meet a regulatory requirement, ensure the scope is focused on the requirements of that specific regulation. For example, if you are performing an assessment to meet HIPAA regulations, ensure that the focus is on testing the systems or applications that house Protected Health Information (PHI) data, which is what HIPAA cares about.

Finally, if your objective is to get an internal perspective of the risks in your environment, narrow your focus in this area as well.

For example, if you are most concerned about internet-based attacks, narrow your scope to just Internet-facing systems. If you care about insider threats, just apply those testing elements.

If you have no clue but want to get a peek at your environment, start with a small assessment in one area rather than going large and getting 75,000,000 findings back.

