When hiring a team to perform a penetration test, every organization is hoping that nothing negative is found and that they receive a clean bill of health. In reality, pen test results vary from company to company depending on the maturity of the organization’s security.
While the majority of the pen test team’s job is done at the end of the exercise, the same isn’t true of the target. Whether findings are extensive or limited, the bulk of the work to be completed is done after the test.
The only way to “fail” a pen test is to ignore the results and take no action to remediate any discovered vulnerabilities.
A negative pen test, where the security analyst demonstrates that the organization’s cybersecurity defenses are inadequate, can be painful to the customer. However, the pen test team is really doing the organization a valuable service by identifying and reporting the vulnerability.
This gives the customer the opportunity to fix any identified problems and improve their security before a cybercriminal comes along and takes advantage of them.
The first step in dealing with a negative pen test is reading the report. Since the pen test itself is not a collaborative exercise, the process doesn’t allow the in-house security team to look over the testers’ shoulders during the attack. As a result, the internal team is likely unaware of how exactly the pen test team gained access to their systems and which vulnerabilities were discovered.
A good pen test report should provide information regarding the attack processes that the pen test team followed, what worked, and what didn’t.
“Avertium reports are comprised of two sections: the vulnerability assessment and the penetration test,” explains Jason Matlock, Avertium’s managing consultant for security assessments. “The pen testing section shows how we found the vulnerability: We list out step-by-step how we exploited the flaw so that when the customer gets the report, they should be able to follow exactly what we did in order to reproduce the problem.”
By reviewing this information, the internal security team can determine where they need to focus their remediation efforts and which parts of the organization’s security infrastructure operated as intended.
Once you review the report, it’s important to assign the correct internal resource to each specific finding. Thinking through your team members’ areas of expertise and availability will save you time and frustration as you remediate. For instance, if the vulnerability identified relates to a web application, your web developer should be assigned to tackle the task.
Tackling critical areas quickly with the right talent can very well save you from a debilitating attack.
Matlock advises in-house teams to question the report, making sure to verify findings before acting on them. For example, if the fix for a vulnerability is installing a patch, educate yourself on the implications across the enterprise.
“Using patching as an example, before blindly installing a patch across the network, the customer needs to understand what it is, what it’s doing, and what the impact is on the system,” says Matlock.
Having a proof-of-concept exploit for each discovered vulnerability is useful for a couple of different reasons. First, it can help the security team understand the actions that they need to take to fix the vulnerability. Second, it enables them to test the fix after it is applied and to add this test to future vulnerability scanning (to ensure that a later update doesn’t reopen the vulnerability).
Not every vulnerability is created equal. A vulnerability is typically classified based on the impact if it is exploited (severity) and the likelihood of exploitation. The risk of a vulnerability is the (sometimes weighted) product of these two values.
In most cases, all vulnerabilities can’t be fixed at once. An organization needs to focus on the most potentially damaging ones. Once the security team understands the pen test report and the discovered vulnerabilities, they can rank issues based upon their associated risk identified by the pen testing team.
“When we write the report, the findings are always listed in order of severity, beginning with critical and high,” says Matlock. “This tells the customer what they should look at first for remediation.”
By fixing the vulnerabilities with the highest risk first, the organization’s risk of attack is lowered rapidly.
Obviously, remediating critical and high-level issues comes before addressing medium- or low-severity items. However, vulnerabilities within each classification need to be prioritized as well. A good cybersecurity company will help you to understand the potential damage particular vulnerabilities represent and guide you through making a plan to remediate them.
Next, the security team should implement the solutions developed during the planning stage. After creating a fix, it should be tested to ensure that it doesn’t create any new vulnerabilities. Once the fix is applied, the security team should add this test to regular organizational vulnerability scanning. This ensures that the vulnerability is patched correctly and remains patched through network changes.
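The workflow described in the paragraphs above (score each finding by severity and likelihood, rank by risk, assign an owner, then re-run a per-finding check after the fix so it can live on in routine scanning) is small enough to show end to end. The script below is an added example, not Avertium’s tooling or report format; the 1-5 scales, the weighting exponent, the category-to-owner map, the finding IDs and the two “system state” snapshots are all constructed for illustration.

```python
"""Triage pen test findings by risk and verify remediation with re-runnable checks.

Added example, not from the original article or from Avertium. Every finding,
scale, weight, owner and system state below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Ordinal 1-5 scale assumed by this example (1 = negligible, 5 = critical / near-certain).
# A check receives a snapshot of system state and returns True while the issue is still present.
Check = Callable[[dict], bool]


@dataclass
class Finding:
    ident: str
    title: str
    severity: int          # impact if exploited, 1-5
    likelihood: int        # probability / ease of exploitation, 1-5
    category: str          # drives owner assignment
    still_vulnerable: Check

    def risk(self, severity_weight: float = 1.5) -> float:
        """Weighted product of severity and likelihood (the weighting is an assumption)."""
        return (self.severity ** severity_weight) * self.likelihood


# Constructed mapping of finding category to the internal owner best placed to fix it.
OWNERS = {"web": "web-dev", "tls": "platform-ops", "patching": "sysadmin"}


def assign_owner(finding: Finding) -> str:
    return OWNERS.get(finding.category, "security-team")


def rank_findings(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by raw severity, then by report order (sort is stable)."""
    return sorted(findings, key=lambda f: (f.risk(), f.severity), reverse=True)


def build_plan(findings: List[Finding]) -> List[dict]:
    """Ranked remediation plan: one row per finding with its score and assigned owner."""
    return [{"id": f.ident, "risk": round(f.risk(), 2), "owner": assign_owner(f)}
            for f in rank_findings(findings)]


# --- Per-finding checks: defensive verification of the condition, re-runnable after the fix ---

def missing_hsts(state: dict) -> bool:
    headers = {k.lower(): v for k, v in state.get("response_headers", {}).items()}
    return "strict-transport-security" not in headers


def legacy_tls_enabled(state: dict) -> bool:
    return any(v in ("TLSv1.0", "TLSv1.1") for v in state.get("tls_versions", []))


def patch_not_installed(state: dict) -> bool:
    # "PATCH-PLACEHOLDER" stands in for whatever update the report named.
    return "PATCH-PLACEHOLDER" not in state.get("installed_patches", [])


def verify_remediation(findings: List[Finding], state: dict) -> Dict[str, bool]:
    """Re-run every finding's check against a state snapshot; True means fixed."""
    return {f.ident: not f.still_vulnerable(state) for f in findings}


# Constructed findings, roughly in the order a report might list them.
FINDINGS = [
    Finding("F-01", "HSTS header absent on public site", 3, 4, "web", missing_hsts),
    Finding("F-02", "TLS 1.0 accepted by load balancer", 4, 3, "tls", legacy_tls_enabled),
    Finding("F-03", "Missing vendor patch on file server", 5, 2, "patching", patch_not_installed),
]

# Constructed snapshots: before any work, and after two of the three fixes were applied.
BEFORE_STATE = {"response_headers": {"Server": "example"},
                "tls_versions": ["TLSv1.0", "TLSv1.2"], "installed_patches": []}
AFTER_STATE = {"response_headers": {"Strict-Transport-Security": "max-age=31536000"},
               "tls_versions": ["TLSv1.2", "TLSv1.3"], "installed_patches": []}

if __name__ == "__main__":
    for row in build_plan(FINDINGS):
        print(row)
    print("before:", verify_remediation(FINDINGS, BEFORE_STATE))
    print("after: ", verify_remediation(FINDINGS, AFTER_STATE))
```

Running the script ranks F-02 ahead of F-03 and F-01 (the exponent favours impact, but a likely medium-impact issue can still outrank a rarely exploitable critical one), and the post-fix verification reports F-03 as still open, which is exactly the kind of check worth keeping in the regular scan so a later change cannot silently reopen a closed finding.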
Determine Risk Appetite
Fixing critical vulnerabilities is a “no-brainer”. But a thorough pen test discovers all potential issues, and not all of these can or need to be fixed.
Your penetration testing team can provide context and guidance, but what to do with low- or even medium-level issues is specific to the way you do business and is often a decision only you and your organization can make.
“Sometimes the customer may choose not to fix an issue, or they may not be able to fix it,” says Matlock. “If they are running legacy software or hardware, they may not be able to remediate. Ideally, the company should use current systems under maintenance. If for whatever reason this is unrealistic for the customer, that’s a business decision on their part.”
Matlock adds there are steps a company can take to minimize exposure if the vulnerability can’t be remediated, such as keeping the vulnerable system segmented on the network.
In addition to testing each fix, Avertium highly recommends a final retest to ensure the intended results were achieved and to verify remediation was successful.
Any negative pen test can be demoralizing, and a failed pen test intended to demonstrate compliance with a regulation or standard can be even worse. However, any pen test that finds a vulnerability benefits the organization by allowing it to improve its overall security posture. A negative pen test should be seen as a learning experience, not a failure.
Learn about Avertium’s vulnerability assessment and penetration testing services and reach out to start the conversation about identifying your company’s vulnerabilities.