Sponsored by Specops Software
A penetration test, or pen test as it is sometimes called, involves performing a series of tests to determine whether an organization’s IT resources are vulnerable to attack. While a skilled IT security team can perform a penetration test, such tests are usually outsourced to a consulting firm that specializes in penetration testing.
It’s exceedingly rare for an organization to score perfect marks on a penetration test. If the penetration testers fail to find anything, it either means that the organization has been hypervigilant about its cyber security, or that the team conducting the test lacks the skills to perform truly in-depth testing.
In the vast majority of cases, a penetration test will reveal vulnerabilities. In some cases there may only be a few vulnerabilities found, but in other cases the test team may produce a long list of vulnerabilities. So what should an organization do if it receives a negative penetration test? For starters, the organization’s IT staff should have a long and frank discussion with the test team.
There are two main things that this discussion needs to achieve.
First, the organization’s IT staff needs to understand the vulnerabilities that have been reported. This means getting the test team to explain what a particular vulnerability entails, why it matters, and what the test team recommends doing to address the vulnerability. The organization’s IT staff should take copious notes during this discussion to document the technical details and recommendations.
The second thing that an organization needs to do during its meeting with the penetration test team is to validate the test results. Ideally, the testing team should be able to show you how they discovered the vulnerability, or at least give you a list of steps that you can follow to confirm that the vulnerability exists. This isn’t to say that the penetration testing team is not trustworthy. It’s just that before you invest resources into addressing a vulnerability, it’s a good idea to make sure that you are able to test for the vulnerability. Otherwise, you won’t be able to tell whether your solution was effective.
Once an organization has had a preliminary meeting with the penetration testing team and has independently verified the vulnerabilities that were listed in the team’s report, then the next step in the process is to develop a remediation plan.
One of the first steps in coming up with a remediation plan is to prioritize the vulnerabilities. Some of the vulnerabilities that have been discovered by the testing team are likely to be relatively minor while others may be critical. Critical vulnerabilities are those that allow for remote code execution, can expose data, or can be used to compromise a user account. Such vulnerabilities should be addressed before any of the less significant vulnerabilities.
Remember that although the test team makes good-faith recommendations for addressing problems, those solutions may not necessarily be appropriate for your organization. Therefore, it is important to do some testing and to carefully consider the impact of proposed solutions, rather than blindly implementing the tester’s recommendations. For example, a penetration test team might recommend installing a particular security patch, but that patch might cause problems with some of your applications. That is why testing is so important.
Another important consideration is that the test team’s recommendations can often be improved by adopting third-party software.
Suppose, for example, that a penetration test reveals that an organization’s Active Directory password policy is inadequate. In such a situation, an organization could easily create or edit a few group policy settings to bring its password policy into alignment with the test team’s recommendations. Even so, those recommendations are probably going to fall within the limitations of native group policy settings. Group policy can, for example, impose a minimum password length and change frequency, but it has no way of checking whether a particular password is known to have been compromised. As such, an organization that needs to remediate its password policy probably isn’t going to see “test for compromised passwords” listed among the testing team’s recommendations. Obviously, testing for compromised passwords is a good idea, but it’s something that falls outside of Active Directory’s native capabilities, so the testing team might not recommend it.
Third-party software can help an organization not only to address the vulnerabilities that are listed on a penetration test report, but also to enhance its security well beyond the minimum level of remediation that the testing team is recommending.
Specops Password Policy, for example, can help an organization to determine whether any of its users’ passwords have been compromised. It does this by comparing those passwords against a database of billions of passwords that are known to have been leaked. Additionally, Specops Password Policy can help to create password rules that go beyond the rules that can be defined using native group policy settings. While group policy can be used to enforce password complexity requirements, Specops Password Policy can be used to block specific words, consecutive characters, incremental passwords, or passwords that contain part of a previous password. Additionally, users receive real-time feedback whenever they change their password, thereby reducing both frustration and help desk calls.
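To make the rule categories above concrete, here is an added sketch of such checks at password-change time. It is not Specops code and not part of the original article; the thresholds, the deny-list, and the tiny hashed "leaked" set are constructed assumptions standing in for a real corpus and a real policy.

```python
import hashlib
import string


def _h(pw):
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample data standing in for a real leaked-password corpus.
LEAKED_HASHES = {_h(p) for p in ("Password1!", "Summer2023!", "Welcome123")}
BLOCKED_WORDS = ("contoso", "password", "welcome")  # hypothetical deny-list


def has_sequence(pw, run=4):
    """True if pw has `run` identical, ascending or descending characters in a row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        steps = {ord(low[j + 1]) - ord(low[j]) for j in range(i, i + run - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def is_incremental(new, old):
    """True if new and old differ only in their trailing digits (Spring1 -> Spring2)."""
    nb, ob = (s.rstrip(string.digits).lower() for s in (new, old))
    return bool(nb) and nb == ob and new.lower() != old.lower()


def shares_part(new, old, n=5):
    """True if any n-character piece of the old password reappears in the new one."""
    n_low, o_low = new.lower(), old.lower()
    return any(o_low[i:i + n] in n_low for i in range(len(o_low) - n + 1))


def check_password(new, old, min_len=12):
    """Return the list of rules the candidate violates (empty list = accepted)."""
    findings = []
    if len(new) < min_len:
        findings.append("too_short")  # the kind of rule native policy can express
    if _h(new) in LEAKED_HASHES:
        findings.append("known_leaked")
    if any(w in new.lower() for w in BLOCKED_WORDS):
        findings.append("blocked_word")
    if has_sequence(new):
        findings.append("consecutive_chars")
    if is_incremental(new, old):
        findings.append("incremental")
    elif shares_part(new, old):
        findings.append("reuses_previous")
    return findings
```

Returning the full list of violated rules, rather than a single pass/fail, is what allows the user to be told exactly what to change.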