3 Hacks to Get the Most Out of Your Penetration Test

by Sarah Harvey / March 19th, 2019

Investing in regular penetration testing is oftentimes a hard pill to swallow. You’re paying someone to break into your networks, systems, or applications. You might find that your secure technology isn’t as secure as you thought. Your ever-changing, complex environment might create more vulnerabilities than expected. Plus, you might not even be sure what you need or who should perform the testing. Though undergoing penetration testing may seem daunting, there’s one thing that we know for certain: penetration testing is vital for protecting your assets. Let’s talk about some issues with penetration testing, like how movie and television have changed our perception of hacking, how scoping impacts your assessment, and how a penetration tester could hold you back from receiving a thorough assessment.

1. Hollywood Hacking Myths

The entertainment industry has given the world a very unrealistic view of how hacks happen. Whether it’s in a James Bond movie or a ransomware attack in Grey’s Anatomy, Hollywood’s depiction of hacking isn’t an accurate representation of anything you’d really see. Even if the scene uses correct terms or buzzwords, the 3D interfaces, multiple pop-ups and screens, and fast typing diminishes any realistic elements.

“Hollywood hacking” has given people the idea that a malicious attack happens quickly and is easily-stopped. In reality, if a person, company, or asset is being targeted, the attacker is going to try everything in their power to break in. They have time on their side, so they are going to continue to attack until they are successful. It could take weeks or months, but once they are successful, they can compromise your data and your reputation.

Because we know that malicious attackers are going to go above and beyond to get what they want, so do our penetration testers. Through ethical, permission-based hacking, we try to find any vulnerability that could be exploited. We often take a more unconventional approach than you might find in other firms, all with the goal of providing the most thorough assessment possible. We think outside of the box. When we hit a wall, we try to find a way around it, through it, over it, or under it. Where others might throw in the towel, we continue to brainstorm to find a way past the barrier.

2. Proper Scoping

While it’s true that no security service can 100% guarantee that all vulnerabilities have been found, it’s crucial that a thorough, quality-based penetration test be performed. This is always dependent upon proper scoping. If you’re testing your network, how many active hosts are there? How many devices are in the network? Does your mobile application include APIs or web applications? Do those need to be tested separately? When going through the scoping process with a security firm, they’re going to ask lots of questions, but the goal is to give you the most accurate, thorough penetration test as possible. After all, security audits are a financial investment, why pay for something if it isn’t comprehensive?

3. Proper Penetration Tester

Oftentimes, penetration testers can become frustrated when they encounter barriers, so they give it a few tries and then move on. This is common when testing APIs, web applications, and mobile applications. So many professionals within the security field lack the knowledge and experience to assess these environments properly. They give up and run a vulnerability scan, which will find the low-hanging fruit, leaving the harder to reach bugs active in the environment. It’s usually these types of vulnerabilities that are exploited, causing serious damage to a company’s reputation and financial stability. The organization thinks, “But I had a penetration test done! I should have been safe!” In reality, the penetration test delivered to them was merely a vulnerability scan with a few glances from so-called security experts.

Quality penetration testing needs to be performed by a skilled professional or group of professionals who can analyze the results of security testing activities and use those results to inform future activities. They also need to have the drive to dig deep. Discontent with the base assessment, our penetration testers dig deep into the networks, systems, and applications, looking for those vulnerabilities that might cause you to lose sleep at night. Our goal is to excavate those issues that would otherwise lay dormant until someone seeks to exploit them.

Quality Over Quantity

Penetration Testing - Quality Over QuantityWhen I’m asked what the difference is between penetration tests from KirkpatrickPrice and other security firms, my first answer is the focus on quality. Quality is the key aspect of providing a solid penetration test. This is becoming a rare find as more and more security firms become focused on quantity over quality.

In a day and age when security controls must be strong and effective against advanced threats, we’ve made it our mission to deliver quality penetration tests. When looking for your next penetration test, consider KirkpatrickPrice’s quality-based approach instead of the typical “scan, report, repeat” assessments.

More Penetration Testing Resources

Not All Penetration Tests Are Created Equal

How Can Penetration Testing Protect Your Assets?

Components of a Quality Penetration Test

Auditor Insights: Vulnerability Assessments vs. Penetration Testing