What to do to prepare for a penetration test

Posted on 2021-03-31 by Matt Strahan in Business Security

You’re spending a lot of money on getting your systems tested, with expensive consultants spending days, weeks, or even months making sure your systems are secure. You want to get the most for your money, right? You can make the test more effective just by properly preparing.

In general, the more you put into something the more you’ll get out. Penetration testing is no exception. With five steps you can properly prepare for testing, make the test run smoother, and get a better result.

1. Improve the security of your systems as much as you can before the test

When I was a young kid, before going to the dentist I had this idea that I shouldn’t brush my teeth straight beforehand. I’d just go to the dentist like I was, even if it was late in the afternoon and my teeth were probably terrible. For me brushing my teeth was the equivalent of lying. I wouldn’t normally clean my teeth in the afternoon and if I arrived with clean teeth my dentist would know I was trying to get one by him and pretend I was better than I actually was.

It didn’t occur to me that maybe the dentist would prefer looking at a clean mouth than a dirty one and that the dentist doesn’t really care about whether or not I brush my teeth in the afternoon, they just want to see if the teeth below are healthy.

In a way that’s similar to penetration testing. I’ve come across organisations where the IT admins say “oh we didn’t want to patch before the penetration test because we wouldn’t normally patch at that time.” No, go ahead and patch.

We don’t want to tell you what you already know, and getting a report full of vulnerabilities that you already know about doesn’t really help anyone.

You might want to also run vulnerability assessment tools or “automated penetration testing” tools before getting your penetration test. Ideally the vulnerabilities that those tools could find would already be fixed before we come in so that we could concentrate on the harder to find security issues and the issues that affect the logic and workflow of the system.

In the end as penetration testers we only have so much time. Instead of spending time on the known security issues, it’s better that we spend time trying to find the creative security issues you might not have thought of.

2. Let’s just back up for a moment

As much as we put in safeguards to prevent any loss of availability during tests, penetration testing is inherently a bit risky. We’re trying to hack into things and use features and functionality in ways that they might not be meant to be used, and that can have some side effects. Especially when we use automated tools for vulnerability assessment, scanning, or brute forcing, there can even be outages, because just a few requests per second can be enough to bring down particularly fragile systems (even though, let’s be honest, a system being that fragile is really a security issue as well).

I know, we’re all perfect at backing up, but before a pentest is a good time to just be extra perfect and make sure that you’re doing it.

Part of protecting yourself here is having good communication. If there are systems that cannot go down or if there are systems that can only have a really small throughput, including systems that might be on your network through a virtual private network over a dodgy microwave link, let your tester know. The testers will be able to adapt and exclude those systems from automated scanning and find other ways of verifying the security.

3. Plan access for the tester

This one seems obvious. If a tester can’t access something they can’t test it. The devil here is in the detail though.

Let’s say you have an isolated network, or a management network, or admin portals, or an IP allow listed system. If the tester can’t access them then they won’t be thoroughly tested.

To prepare for a penetration test you potentially need to arrange access to the things that need to be tested. This could be providing user accounts, creating holes in firewalls and IP allow lists (time limited for the testing window of course), or even physically moving to and connecting to another network. All of this needs to be planned and allowed for before testing.

Meanwhile if the tester is onsite then physical access needs to be arranged. They need to have a desk, an ethernet port (wireless isn’t ideal), and a pass to get in and out. It’s also polite to let them know where’s good to get lunch!

4. Let people know what’s happening (especially third parties!)

In a penetration test you have a single objective: to find security issues. There’s no need to be quiet about it. We’ll use automated tools to help get the obvious vulns out of the way quickly and try a lot of different things that are bound to create alerts.

If defenders aren’t expecting those alerts, that can cause issues. Incident response teams can be triggered and systems can be isolated and locked out, creating real costs to the business.

This is why we always recommend telling people about the test and making sure they know what’s happening.

This goes for third parties as well. Hacking without permission is quite illegal and (as Coal Fire Security in the states will tell you) penetration testers aren’t fond of getting arrested. In those terms and conditions you sign off on before the test you’re saying you’ve gotten all the appropriate permission for the testing from any third parties you use.

If you’re looking to test your incident response capability it’s better to use more formal methods. As part of our additional services at Volkis we have pentest response and detection alert testing which are better at testing incident response than simply not telling people about a test!

5. Who’re they gonna call?

Finally there’s the communication with the tester. In general, the more information the penetration tester has the better the results will be. I’ll get to white box vs black box penetration testing another time, but the general gist is we’re not here to show off. If we’re spending any time finding out information that you already know it’s probably time better spent elsewhere.

This means you should prepare and provide the appropriate information and resources for the tester. I’m not just talking technical information here - the tester is great at security but might not be an expert in what you do. If you have a trading application you’re building, for instance, you can let the tester know the information that should and shouldn’t be seen and the tester could then aim to find this information hidden in the protocols used below the surface.

You should aim to provide the tester a technical contact and a business contact. The technical contact would be familiar with how the system fits together from a technical standpoint, with knowledge of the systems, software, and protocols that are used. The business contact would know what the users of the system would use it for including any business level risks that might not be immediately obvious.

A comms plan for who the penetration tester calls when there’s a serious issue should also be set up. Having a single phone number to call can really kick start remediation early.

Wrapping up

Here are the five things you should do before a penetration test:

  1. Improve the security of your systems as much as you can before the test.
  2. Back up sensitive systems and identify any potential areas of fragility.
  3. Plan access for the tester including user accounts, holes needed for firewalls, and physical access.
  4. Let people know that the test is happening and ensure you have everything signed off with third parties.
  5. Build communication channels for the tester and a comms plan for the test.

For more information you can see our welcome pack in the Volkis handbook. This is a document we send to Volkis customers before each test. This gives more information about what to expect during the pentest and how you should prepare.

If you’re after penetration testing, give Volkis a shot, contact us, and we will get in touch to arrange your test.

Otherwise, good luck for your penetration test!

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Glenn Carstens-Peters on Unsplash.
