Many organizations perform an annual penetration test to see whether their networks are secure. Often, when our consulting team reviews these reports for clients, we find that the money was largely wasted: what the report found should already have been known from basic best practice, or would have been picked up by a vulnerability scan.
A penetration test follows the path of least resistance, so once the tester finds a way in, they stop looking for other entry points. They may exploit further and gather other kinds of data, but the network has already been penetrated. If a known vulnerability got them in quickly, the report tells the client little about what other holes may be lurking.
Here is a true example. During a penetration test, a tester gains entry to a network via a malicious email. The account he compromises is a standard domain user, and by scanning the usual network shares he finds one that is shared to the whole network. Inside that share is a folder called ‘IT’, and in a subfolder a spreadsheet called ‘passwords.xls’. On opening it he finds domain administrator and other critical infrastructure accounts. He tests the credentials and every one of them is still valid. He now owns the network, but other than crafting a convincing phishing email, what did he actually do? Not much, because the customer made it easy for him.
A penetration test should present the tester with a real technical challenge, so before you pay for one, ask yourself these questions:
- Have I tested, from the perspective of a standard user, that my file shares and folders are locked down?
- Have I remediated all critical and high vulnerabilities, internal, external, and in web applications?
- Have I restricted broadcast protocols (for example LLMNR and NetBIOS name resolution)?
- Have I run security awareness training for staff, including phishing?
- Have I segmented my network internally?
- Have I changed all default passwords (including those on multi-function printers, and SNMP community strings)?
- Have I made sure each service account has only the minimum rights its service needs?
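The first item on the list is exactly the scan the tester in the story ran, and you can run it yourself before the engagement. The PowerShell script below is an added example, not code from the original post: run from a domain-joined Windows host as an ordinary domain user (deliberately without admin rights, so it sees what a phished user's session would see), it lists the shares every domain computer offers, tries to read each one, and reports any files whose names suggest stored credentials. It assumes the RSAT ActiveDirectory module is installed; the name patterns, depth limit and report path are illustrative assumptions to adjust.

```powershell
# Added example (not from the original post): low-privilege share read check.
# Run as a standard domain user. Assumptions: RSAT ActiveDirectory module present;
# $Patterns, $MaxDepth and $Report are illustrative values, not fixed requirements.
param(
    [string[]]$Patterns = @('*pass*', '*pwd*', '*cred*', '*secret*', '*.kdbx', '*.pfx', '*.ppk'),
    [int]$MaxDepth = 4,
    [string]$Report = '.\readable-shares.csv'
)

Import-Module ActiveDirectory

# Every enabled computer account in the domain. Asking a host for its share list
# over SMB does not need admin rights, which is the point of the exercise.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName |
    Where-Object { $_ }

$findings = foreach ($computer in $computers) {
    # 'net view /all' includes hidden ($) shares. A host that is down or refuses
    # the enumeration returns non-zero and is skipped.
    $listing = & net view "\\$computer" /all 2>$null
    if ($LASTEXITCODE -ne 0) { continue }

    # Share names are the first column of lines whose Type column reads 'Disk'.
    $shareNames = $listing | ForEach-Object {
        if ($_ -match '^(.+?)\s{2,}Disk(\s|$)') { $Matches[1].Trim() }
    }

    foreach ($share in $shareNames) {
        $unc = "\\$computer\$share"

        # The real test: can this account list the share root? Access denied means
        # the share is locked down for standard users and nothing is reported.
        try { $null = Get-ChildItem -LiteralPath $unc -ErrorAction Stop } catch { continue }

        # Readable share: record it, then look for credential-looking filenames below it.
        [pscustomobject]@{ Host = $computer; Share = $share; File = '(share root readable)' }

        Get-ChildItem -LiteralPath $unc -Recurse -Depth $MaxDepth -File `
            -Include $Patterns -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Host = $computer; Share = $share; File = $_.FullName }
            }
    }
}

$findings | Export-Csv -NoTypeInformation -Path $Report
$findings | Format-Table -AutoSize
```

Every row in the output is something a phished standard user could reach; a ‘passwords.xls’ under an ‘IT’ folder would show up as a File entry. Shares that appear only as ‘(share root readable)’ still deserve a look, since the name patterns only catch the obvious cases. Once the list is empty, the tester in the story would have had to work for it.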
If you do your own best-practice testing before hiring a firm for penetration testing, you will get what you really need from the engagement: a true view of your blind spots and misses, rather than a report describing a simple, non-technical compromise.