Avoiding a Pen Testing Mishap: What Are You Really Paying For?

by Sarah Harvey / October 4th, 2019

Last month, the Iowa Judicial Branch made an investment in their security efforts by partnering with an information security firm to perform penetration testing on their organization. But…it appears they signed up for more than they bargained for. Why? The two ethical hackers working the job were arrested after they successfully gained unauthorized access to a Dallas County courthouse. What went wrong? Why were these ethical hackers arrested? Could this mishap have been prevented? Let’s discuss.

Why Scoping a Penetration Test Matters

When organizations partner with ethical hackers to perform penetration testing, defining the scope of the engagement is absolutely critical. You are paying someone to gain access to your sensitive assets; if what they may and may not do is not explicit and written down, chaos can ensue, as it did in Iowa. Before a penetration test begins, the organization investing in the testing and the firm providing the service must work together to define the scope clearly and accurately: which systems, networks, and physical locations the ethical hackers are allowed to test, what they are permitted to attempt to access, which techniques they may use, the hours and dates during which testing may occur, and who on both sides must be notified before each phase starts. That scope should live in a signed rules-of-engagement document, not in an email thread.

How Far Will Ethical Hackers Really Go?

Penetration tests are not meant to be easy, high-level engagements. When you partner with the right firm, you’ll receive a quality, thorough penetration test – one that simulates real-world attacks, finds vulnerabilities in places you wouldn’t expect, and results in remediation tactics to better secure your company. This means that before engaging in any type of security testing, you must understand how far ethical hackers will really go and determine if that aligns with your intentions and business objectives.

Are you looking to meet a legal or framework requirement? Did a client or prospect ask that your company undergo security testing? Do you want to be proactive and find vulnerabilities before a malicious individual does? Or are you just looking to check an item off a list? If you fall into the last category, you probably haven't considered how far ethical hackers will go to help you improve the security of your organization. If your intention is to make your company more secure, then you need to understand that the penetration testers you've hired won't stop until they've exhausted the options your scope allows. What does this look like?

  • Are you prepared for ethical hackers to use tools like Nessus, Metasploit Framework, HP WebInspect, Wireshark, Kismet, Maltego, Shodan, Burp Suite, SET, BeEF, and Microsoft Baseline Security Analyzer, in addition to freeware tools in their security testing?
  • Could your employees withstand social engineering attempts like phishing, tailgating, and general manipulation?
  • Ethical hackers work at all hours to find the perfect attack window. If your organization is on alert, monitoring the traffic during business hours, what could happen after hours? What happens when an ethical hacker works from 6:00 PM to 6:00 AM?
  • Which of your policies and procedures, if violated or simply ignored by staff, could lead to access to an unauthorized area?
  • Physical security is a major part of ethical hacking. Lock picking, badge cloning, finding network jacks in public areas – it’s all within the skill sets of good ethical hackers.
  • What vulnerabilities would wardriving find?

If you want to get the most out of your penetration testing investment, you'll want an ethical hacker who goes above and beyond in their testing methods, constantly thinking of innovative ways an outsider could attack your networks, devices, code, or physical locations. The scope exists to direct that creativity, not to blunt it: everything inside the agreed boundaries is fair game, and everything outside them is off limits no matter how tempting.

Communicating Before, During, and After Penetration Testing Engagements

Communication is key during security testing – you've paid for a service that could impact your sensitive assets. When engaging a firm to conduct security testing, there must be clear communication between all parties. In the case of the Iowa Judicial Branch, there was confusion between the client, the ethical hackers, state authorities, and local authorities, resulting in the arrests of the two ethical hackers despite their having documentation that they were authorized to be there. A letter of authorization is necessary, but it is not sufficient on its own. Before any physical or after-hours testing, confirm in writing who actually controls each facility and has the authority to permit entry, make sure the people who will respond to an alarm (building security, local law enforcement) have been told that testing is occurring and when, and give the testers a client contact who can be reached at any hour to confirm the engagement. With a clearly defined scope and a shared understanding of just how far ethical hackers will go, breakdowns in communication become far less likely and the penetration testing engagement will be more fruitful.

At KirkpatrickPrice, we are committed to delivering quality, thorough penetration testing services – services that include a clearly defined scope and ethical hackers who can communicate exactly what they'll be doing to help secure your business. If you're thinking about making the investment in security testing, make sure you avoid a penetration testing mishap by knowing exactly what you're paying for. Contact us today to speak to an Information Security Specialist.

More Penetration Testing Resources

Guide to 7 Types of Penetration Tests

How Can Penetration Testing Protect Your Assets?

5 Critical Things to Consider When Choosing Your Penetration Tester