Any robust cybersecurity strategy includes regular penetration tests. Pen tests are vital to revealing where your actual vulnerabilities and weaknesses are within your security ecosystem. A pen test is white hat hacking, so you know where the problems are before the bad guys do. The end of the pen test is a new beginning. Once you finish one, the question is now what? Post-pen test, there are many steps to take to ensure it delivers the value, insights, and intelligence it should.
First, here’s a refresher on pen tests.
Pen Test Basics
Pen testers use the same tools and techniques as cybercriminals to create real-world scenarios. There are three levels of pen testing. First is black box pen testing. In this situation, penetrators know nothing about your system and are looking for anything to exploit.
The second option is gray box penetration testing, and those doing the hacking have some information about your system and may have credentials. In this approach, users often develop some use cases for the attack.
The third type is white box penetration testing, and these testers get access to systems and artifacts. They may also be able to enter your servers.
No matter the type or the methods used, pen testing is supposed to deliver the essential information that helps you protect your data, infrastructure, and network. Pen tests can look inside every part of your digital footprint to provide a 360-degree view of your cybersecurity blind spots.
You can read more about conducting pen tests, benefits, types, and more in our article What Is Penetration Testing, and Why It’s an Essential Part of Cybersecurity.
At the conclusion of the pen test, you’ll receive reports, analysis, and remediation plans. What can you do with this? What should you do?
Post Pen Test: 6 Steps to Take
Now that you know what you didn’t know about your digital ecosystem, it’s time to make the most of what you’ve learned. Taking these steps could include further work with your pen test provider as well as internal changes to make.
Step One: Clean Up the Environment
At the end of a pen test, you will need to deactivate or remove any accounts created for this purpose. Additionally, if any firewall rules or other system changes occurred before the test, you’ll need to revert these back to their former state. Your penetration testing provider should provide a list of any of these things.
If the action involved any test data, such as a populated table with a database for the function of web application testing, you should remove this test data. Do so before the application leaves the development stage and enters production.
This clean-up may also be part of your agreement with the testers. They may take the lead on removing files or software installed for the test. After the initial clean-up, you should do a final check of your network to see if anything was missed.
Now that the environment is back to its original state, it’s time to find out the results of the pen test.
Step Two: Review the Results
Once you have your detailed report, you’ll want to read it thoroughly. Hopefully, the pen test company you’ve chosen delivers results that are easy to understand. Yes, there will be technical information in here, but you shouldn’t need a Ph.D. to decipher it.
So, what does a report look like?
Pen Test Report Inclusions
Most reports have this format:
- Executive summary: This opening provides you with a description of identified risks and the potential impact on your company. This section will include technical information delivered in a way you can understand.
- Technical details: This part will discuss vulnerabilities and their category (e.g., injection, web applications, etc.). It will also indicate the priority level of low, moderate, high, or critical.
- Potential impact and risk level: This segment will provide context around the likelihood of risks your company is facing in cybersecurity. It will also include the impact of these vulnerabilities.
- Solutions: This piece is a roadmap for remediation of all the issues found.
- Methodologies: Testing can include a variety of procedures, and you’ll have a listing of all those, whether automated or manual.
When looking over the entire report, the most critical ones to focus on include the following:
- Remediation plans to close any significant or critical security gaps.
- Suggestions for improving your overall cybersecurity posture.
- Audit information about any compliance regulations you should be adhering to.
- Benchmarks and baselines; if it’s your first pen test, it becomes your security baseline to improve upon in the future. If it’s not your first, then you’ll want to look back to those to see how you improved or what areas are still in need of review.
You’re looking to the report for the major insights about how effective your security solutions are performing. You should also look for anything that the testers didn’t assess. Depending on the type of pen test and the parameters, those conducting it may not test every endpoint or area of your network.
Another consideration for reviewing activity is to look at device and application logs. They tell the story of tactics used and have a rich volume of information. They are dense but worth evaluation, as these insights will help you continue to refine your security posture.
After you’ve gone through the report, you’ll likely have questions.
Step Three: Ask the Pen Testers
Even the most comprehensive report will elicit questions. As you go through your report, mark the areas where you’d like more context or information. Collect all of these into one document, and set up a time to review with your penetration testing provider.
Some questions you may want to ask may be:
- Did the final pen testing methodologies match the ones described in the process pre-test? Pen tests may not always follow the plan. With so many factors impacting the scope, it’s possible the testing team zeroed in on major problems they found, which may not have been part of the original agreement.
- How will you continue to protect the testing results data? In most cases, you and the provider have already discussed confidentiality and data protection. It’s never a bad idea to check on this post-test.
- How can you help with remediation? If not predetermined, you can ask if they can support remediation plans. Things discovered during the test may be complex or critical and need immediate attention. Working with your testers can accelerate these tasks.
During these conversations, the focus will be on remediation. To ensure you give the right energy to the fixes needed, you’ll want to prioritize them.
Step Four: Prioritize and Launch Remediation Efforts
Your report documented the level of risk for each issue found. Ideally, you’ll start with the most critical. However, it’s not as easy as just putting a number beside each vulnerability. Those at the highest level may involve a specific resolution strategy, which could take time. You don’t want to put these on the back burner, but also consider taking care of the things that are quick fixes. Those in this category only need minor changes and don’t require much effort or cost to address.
You can work on remediations in tandem. Assigning these out can include internal and external resources. Your tester can help you rank the areas, as they’ve already supplied a roadmap for this in the report.
As you go through all the vulnerabilities and remedy them, be sure to continue to record all this activity. It will be helpful when you decide to retest.
Step Five: Move Forward with Continuous Improvement
One of the reasons you deployed a pen test was to improve your security ecosystem. After the test, you’ll commit to continuous improvement. The threat landscape is constantly evolving and growing. Out of the test, you should implement new policies or processes to keep your company more secure. You’ll also need to consider how our environment exists now and all the endpoints included.
Most organizations don’t have staff all on-site, nor do they have on-premises systems. Decentralized working conditions enlarge your environment. What best practices you define should be unique to your business, and your pen testers can continue to assist with striving toward greater resilience.
Step Six: Plan Your Retest
Pen testing should occur regularly. There are a few ways to manage this. You could retest as soon as all remediation is complete. If you do this, you’ll have more intelligence on if you’ve plugged all the holes.
If that’s not feasible, you may put pen testing on a quarterly or annual basis. You’ll be able to use your benchmarks to track progress. Other times you may want to conduct a test is when you complete any major IT project, such as migrating, adding new applications, improving infrastructure, or adding new cybersecurity tools. A pen test at this juncture is like due diligence to ensure implementation and configuration are correct.
Have more questions about pen testing? Want to learn more about how we provide pen testing? Contact us today to get started.