Having a true advanced penetration test performed on your organization's infrastructure is one of the fastest ways to gain valuable insight into the state of your security posture. It provides quick situational awareness of where your weaknesses are and *should* provide you with a roadmap for approaching remediation.
In working with clients, one thing we keep realizing is that many of them believe they have been getting an "advanced penetration test" for years, when in fact they have not. Below are a few hints for judging whether the penetration test you are paying for is actually delivering value to your organization.
Hint #1: The recommendations in your penetration test report should not include purchasing hardware that the penetration tester sells. Organizations that make the decision and the investment to have an advanced penetration test conducted are serious about cybersecurity, and should take full advantage of having a team of experts available before, during and after the test to gain knowledge and insight from.
It is highly likely that your organization has already made significant investments in security technology. Make sure you are getting full value from those existing investments before considering a recommendation for a new, shiny security appliance.
Hint #2: The bulk of the final report should be a narrative of how the penetration testers moved through your network, describing in detail how each vulnerability was identified and exploited. If you are given a final report consisting of hundreds of pages of patch-based vulnerabilities lifted from automated scans, something is wrong.
Your team knows whether your systems are being patched. If you are unsure where you stand with unpatched systems, there are scanners available that are virtually effortless to deploy. They are the same tools some security firms use to produce the "vulnerability scan" you may be paying thousands of dollars for, and they give you the same information. Having an internal vulnerability scan routine in place is a good continuous process: it engages the IT team and the results are measurable. By addressing the vulnerabilities identified in the scans, your team can ensure that the environment is protected from many publicly known vulnerabilities. Be warned, this process takes time. The output from these scans can be overwhelming and riddled with false positives, so plan on verifying findings before acting on them.
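To make the "measurable" part concrete, here is an added example (not code from the original post or from any scanner vendor) of the triage step that turns an overwhelming scan export into a short, trackable list: it drops duplicate rows, applies a severity floor, filters findings your team has already verified as false positives or accepted risk, and computes a few numbers you can compare scan to scan. The CSV layout (host, plugin_id, cve, severity, title) and the sample rows are constructed assumptions; real scanner exports carry more columns, but the same grouping logic applies.

```python
"""Triage an internal vulnerability-scan export into an actionable list.

Added example, not from the original post. The CSV layout below is an assumed
simplification of a scanner export; the sample rows are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one exact duplicate row, one finding repeated
# across hosts, and one medium finding the team has already accepted.
SAMPLE_EXPORT = """host,plugin_id,cve,severity,title
10.0.1.10,10001,CVE-2021-44228,critical,Log4Shell in bundled library
10.0.1.10,10001,CVE-2021-44228,critical,Log4Shell in bundled library
10.0.1.11,10001,CVE-2021-44228,critical,Log4Shell in bundled library
10.0.1.10,10002,,low,Web server version disclosure
10.0.1.12,10003,CVE-2019-0708,critical,BlueKeep RDP
10.0.1.12,10004,,medium,SMB signing not required
10.0.1.10,10006,CVE-2023-4863,high,libwebp heap overflow
"""

# Findings verified as false positives or accepted risk, keyed by
# (plugin_id, host) with the reason recorded. Keeping suppressions explicit
# makes them auditable instead of silently filtered.
SUPPRESSED = {
    ("10004", "10.0.1.12"): "isolated lab host; accepted by the IT lead",
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def parse_export(text):
    """Parse the CSV export and drop exact duplicates (scanners often report
    the same plugin once per port)."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"], row["plugin_id"], row["cve"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(row)
    return findings


def triage(findings, min_severity="medium"):
    """Keep findings at or above min_severity that are not suppressed."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= threshold
        and (f["plugin_id"], f["host"]) not in SUPPRESSED
    ]


def by_host(findings):
    """Group findings per host, worst host first (max severity, then count)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["host"]].append(f)
    return sorted(
        groups.items(),
        key=lambda kv: (
            -max(SEVERITY_RANK[f["severity"]] for f in kv[1]),
            -len(kv[1]),
            kv[0],
        ),
    )


def metrics(findings):
    """Numbers worth tracking from one scan to the next."""
    return {
        "hosts_affected": len({f["host"] for f in findings}),
        "unique_cves": len({f["cve"] for f in findings if f["cve"]}),
        "critical": sum(1 for f in findings if f["severity"] == "critical"),
    }


if __name__ == "__main__":
    raw = parse_export(SAMPLE_EXPORT)
    actionable = triage(raw)
    print(f"{len(raw)} unique findings, {len(actionable)} actionable")
    for host, items in by_host(actionable):
        worst = max(items, key=lambda f: SEVERITY_RANK[f["severity"]])
        print(f"{host}: {len(items)} finding(s), worst {worst['severity']}: {worst['title']}")
    print(metrics(actionable))
```

The suppression table is the part teams most often skip: without it, the same verified false positives resurface every cycle and the "measurable" trend line becomes noise. Lowering `min_severity` to `low` widens the list; the point is to pick a floor the IT team can actually work through each cycle.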
Hint #3: If you aren't smarter after reading your penetration test report, something is wrong. Your report should give you knowledge about your network that you did not have when the process started. It should also provide recommendations you can act on to make your organization more secure. If your final report is missing these critical pieces, take a step back and re-evaluate the process that is being followed.