PATHWAY TO A PERFECT PENETRATION TEST

What is a pentest?

If you’re working to improve the cybersecurity processes and systems of your organization, one of the first steps is to conduct a penetration test. A pentest is a security exercise where an expert will work to find vulnerabilities in your computer system. This is a simulated attack to spot weak areas in your systems and processes that a hacker could exploit.

What are the phases of a pentest?:

1. Assess: Figuring out what should be penetration tested, how it should be tested, and then doing the actual testing.

2. Report: Structuring, organizing, and prioritizing the findings.

3. Remediate: Addressing findings, making changes and updates, and improving your overall security posture.

What are the steps of a pentest?

If you’re having a penetration test performed, it’s vital to understand exactly what steps should be taking place and how to best prepare your computer systems. The 9 steps of penetration testing include:

1. Scope: Determine what networks, applications, databases, accounts, people, physical security controls, and other assets are “fair game” for the penetration tester(s) to attack.

2. Rules of Engagement: Establish the manner in which the penetration test is to be conducted, managed, and communicated. Ensure everybody knows exactly how to communicate and what dictates project success.

3. Test: Conduct the actual testing to uncover vulnerabilities

4. Document Findings:Gather and organize all findings from your testing scope.

5. Prioritize & Rank Findings: Prioritize findings that pose the most risk to the least risk.

6. Document Potential Solutions: Include known remediation solutions for vulnerabilities.

7. Remediate: Fix any findings and/or find corporate exceptions for particular findings.

8. Retest: Test your fixes to determine if the vulnerability still exists.

9. Update Documentation: Create a separate section in your report that addresses all remediation measures.

If you want a mature penetration testing process and meet compliance requirements, you need a clear path.

First, determine the breadth and depth of what needs to be done and then conduct the actual pentest. Next, document your findings based on risk rankings and prioritization. Then, review the findings and fix what can be fixed, retest, and update your report with exceptions and/or remediated findings.

Simple, right? But, simple doesn’t mean easy.

Penetration Testing isn’t a closed loop with a determined finish line. Penetration testing is something to be done continually and consistently across all potential attack vectors. Attackers have unlimited time and need only exploit one vulnerability to undo months or years of work. And it takes a lot of work to make sure we can sleep at night knowing we are doing everything we can (within our given resource constraints) to provide our organizations with the most effective and efficient security possible.

THE EMAGINED™ PENTEST CLEAR PATH

The Emagined™ Pentest Clear Path is a three-phase, nine-step process to encourage a different way of approaching penetration testing. Many executives, managers, and security professionals know that penetration testing should be done or that it’s required by regulatory or statutory guidelines.The hope is that somehow they can do a few inexpensive tool-based scans, check all the compliance/requirement boxes, and then feel at peace about their security exposure. But how can we measure whether or not all of those checked boxes equate to meaningful findings and minimized security exposure?

Instead, we encourage those responsible for penetration testing to ask:

• “Is my penetration testing program effective?” and

• “Do my pentest efforts meet the risk requirements of the organization?”

This is where Emagined™ diverges from so many other security companies when evaluating how to mature all aspects of an organization’s security program. We promote a holistic approach to penetration testing and security. This is an important concept because a holistic approach, as opposed to implementing one-off countermeasures, addresses business requirements, regulatory requirements, statutory requirements, and vendor requirements to ensure not just compliance but also effective security.

If you want a mature penetration testing process and meet compliance requirements, you need a clear path.