How do you get the most value out of your penetration test?

These days there are many paths that lead the average emerging growth organization to need a penetration test. It may be a requirement from a potential new customer, part of a regulatory audit, or a self-driven effort to understand the risk profile of your technical environment. At CISOSHARE we often become the security program for our customers, and in that role we have scoped, selected, managed, and performed thousands of penetration tests and associated assessments. Below are some simple tips for getting the most out of an assessment in your environment.

Understand your penetration test objective

Many sponsors of penetration tests believe that the objective of their examination is just that: to perform a penetration test. I equate this to saying that you want to eat at a restaurant and that any restaurant will do. If left unchecked, which is often the case, this creates a perfect opportunity to overpay for an assessment, to perform an assessment that will not meet your objective, or both.

If you are performing an assessment to satisfy a customer request, I recommend that you limit the scope of the test so that it produces only a minimal set of findings. The reason is that this type of request will usually only check that 1) you performed a test recently, and 2) you have remediated the findings, or have a plan to remediate them in short order. Because of this, keep the test short and simple, and make sure the report states clearly what was in scope so the customer is not misled about what was tested.

Conversely, if your objective is to meet a regulatory requirement, ensure the scope is focused on the requirements of that specific regulation. If you are performing an assessment to meet HIPAA requirements, for example, ensure that the focus is on testing the systems and applications that store or process Protected Health Information (PHI), which is what HIPAA cares about.

Finally, if your objective is to get an internal perspective on the risks in your environment, narrow your focus here as well. For example, if you are most concerned about internet-based attacks, limit the scope to Internet-facing systems. If you care about insider threats, apply only the testing elements that model an insider. If you have no clue but want to get a peek at your environment, start with a really small assessment in one area rather than going huge and getting 75,000,000 findings back.

Connect with us if you have an upcoming penetration test need, and let us know how we can help you scope it or answer any questions.

Mike Gentile

CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, given hundreds of presentations, and built many Security Programs in both internal and external consulting roles.