In today’s world, it’s not a matter of if your systems will be breach, but when. One of the most valuable proactive security measures you can take to protect your organization is to test your security systems and infrastructure. After deciding to conduct a penetration test and choosing the best penetration testing company, one of the most important decisions to make is whether or not to whitelist during the assessment.
What is whitelisting?
NIST defines a ‘whitelist’ as “A list of discrete entities, such as hosts, email addresses, network port numbers, runtime processes, or applications that are authorized to be present or active on a system according to a well-defined baseline.”
In short, a whitelist is a list of trusted things. In the case of a penetration test and specifically security whitelisting, it is used to define a list of things that are trusted and/or can bypass all security rules. For example, whitelisting an external IP address on a firewall would allow it to bypass any rules in place to block traffic, in turn allowing traffic coming from the IP address through it.
Should you whitelist during a security assessment?
During the scoping process of a penetration test, whitelisting inevitably comes up. Generally, most clients decide to whitelist us for the duration of the test/s. Now you may think, “Why would I want to whitelist during a test? Isn’t it counterintuitive to bypass the security mechanisms, making it easier for testers to access, attack and compromise your system?” These are valid questions. After all, you have that firewall there for a reason, right? Wouldn’t whitelisting also make the attack unrealistic? While penetration testing is built to emulate the kinds of attacks that happen in the real world, there are several reasons why it makes sense to whitelist during a security assessment.
Why whitelist?
The primary reason that penetration testing companies usually recommend whitelisting during engagements is to test the network and applications directly rather than essentially testing the security mechanisms themselves. This is generally because we want to maximize our time during an engagement.
For example, a tester may spend 40 hours testing during an average one week test and not get past your firewall due to time and resource restraints. Alternatively, we could assume that the firewall and any security mechanisms that primarily delay attackers have been bypassed or compromised and that time can be spent testing your external or internal infrastructure and applications directly.
Testers have a limited amount of time while the malicious actors they are emulating have much more freedom and potentially more resources. A tester may have a week to test your external network, but a malicious actor has all the time in the world. Assuming a malicious actor will eventually bypass your firewall or spend enough time working around your other security mechanisms will allow you to assess and secure the infrastructure or applications that sit behind them. Without whitelisting, the penetration test becomes a test of the pen testers’ abilities, and not your environment’s security.
Why not whitelist?
One of the primary reasons why an organization wouldn’t whitelist during an engagement comes down to a point we made previously — testing without a whitelist provides a more accurate representation of the security at the moment and duration of testing. This means that if a tester was not able to penetrate or bypass your first line of defense in a certain amount of time, then it is likely that a malicious actor with the same time and resources wouldn’t be able to either.
Can you do both?
Yes, you can do both! Many testing teams would be happy to test the security of your network prior to whitelisting to ensure there are no gaps in your first line of defense and then move on to test your infrastructure or applications directly with whitelisting.
To whitelist or not to whitelist
Whether or not you whitelist for a test really comes down to your goals for the assessment.
Do you have a tight budget and time constraints? If so, then it may be worth keeping your goals and targets focused. You can spend a short amount of time to ensure your first line is configured appropriately and then spend the majority of your engagement getting more value from direct testing of your infrastructure and applications.
Do you wish to assess the security of your environment and ensure that your firewalls and security mechanisms are configured and are working correctly? Do you wish to see if a pen tester could bypass these firewalls within the duration of the test? If so, then whitelisting may not be the right choice for you.
Gain insight to your security with penetration testing
Foresite Cybersecurity offers in-depth penetration testing whether or not you choose to whitelist. Our experienced pen testers help you understand your security posture and identify gaps in your cybersecurity allowing you to create a strong defense against cyber threats and data breaches. Contact us today for more information on our whitelist penetration testing and all our cybersecurity assessment solutions!
