When you’re committing time, effort, and money into a project, you want to make sure you’re getting the best possible results. Information security testing is no different. So, before you embark on testing, how do you ensure you’re getting the best from your test?
1. Provide as much information as possible
Information security testing is limited by two main factors: scope and time. As testers, we can only investigate what is within the scope and only have a limited timeframe available in which to test.
Attackers don’t have these constraints. If they were hell-bent on gaining access to your organization then all routes would be open to them and there would be no time limits either. They could spend months, if not years, gathering information, looking for vulnerabilities, slowly working their way towards their goal. In this case, attackers have the upper hand.
To reduce this advantage, it’s vital we achieve as much as possible within the testing time we have available and to do this, we often ask for additional information. This is typically sought when conducting grey box testing and we will often ask for access to source code, user credentials of various levels, for our testing IP to be whitelisted or a combination of all three where possible.
In the past, there seemed to be a reluctance to provide such information, with many thinking ‘you’re the experts, surely you don’t need this information/access?’. That’s true, we don’t need the information and can perform such tests when required, but having information available means we can move faster and test more thoroughly, providing clients with the best value test in terms of time, cost and results.
2. Be open to different approaches
When clients approach us, they usually know which service they require, and most of the time they are completely right. However, in some cases, what clients think they need isn’t always the most beneficial approach.
Test providers should be working with clients to fully understand the rationale for the test, the goals the client wants to achieve, and the budgets/timeframes involved. From this position, they should be able to confirm if the testing requested is the right approach or a slightly different approach may be better suited.
For example, a client recently approached us about conducting a black box test on an application, essentially a test where we have no information on the application and attempt to find ways in. The rational; if you can’t breach the login form then attackers can’t hack the application. However, hacking the login form isn’t the only danger to an application, someone could set themselves up as legitimate user and use this as the starting point of their attack, an attacker may use stolen creds and gain access that way. These are plenty of ways a malicious threat could bypass the login form.
With that in mind, we advised that a grey box test would be far more beneficial, not only assessing the ways an attacker could get into the application but also investigating what they could achieve if they did manage to gain some form of access.
3. Ensure you’re getting the right level of testing for you/your project
Information security testing comes in a variety of different forms, from automated vulnerability scanning through to manual penetration testing and complex adversary simulations. Each approach has its positives and its negatives, and the choice of test will often be dictated by the goals set, the test environment, the organization’s security maturity and the budget available.
However, the line between these services can often be blurred, a pen test can bolt on some elements of a red team and a vulnerability scan can include some elements of a pen test. In that case, it can be easy for an organization to think they are getting (or be sold) a certain service, when in fact, it’s a different service altogether.
The classic example we see, and one we see quite often, is companies believing they are being quoted for a pen test, when in fact it’s just a vulnerability scan with a few ‘light touch’ elements of a pen test added on. That’s not to say vulnerability scans are inferior, they certainly aren’t, but when you’re being sold a pen test, that’s exactly what you should be getting.
This situation usually raises its head in the quote stage of the process, with clients flagging that they have received a much lower quote for the same work. Our response? Double check exactly what you are getting from your quotes. Are you getting a manual investigation of the targets or just an automated scan with a report at the end? Is the provider going to provide remediation advice/support after the report has been delivered or does their job finish on delivery of report?
If you are getting everything you need/want from the lower quote and feel it’s the right level of testing for you, then certainly go for it, but always make sure you know what you’re getting and ensure it meets your testing needs/expectations before committing.
4. The report isn’t the end of the process
A successful security test isn’t defined by the number of vulnerabilities found, or by the severity of those vulnerabilities. True success comes when the issues uncovered have been successfully fixed/mitigated, so they are no longer issues at all.
It’s for this reason, we don’t consider delivery of a test report as the end of the testing process, only the half–way point, and testing providers should continue working with clients after the report to ensure effective remediation efforts have been made.
When it comes to the report, it’s important to remember that issues happen. In 20 years of testing, it’s extremely rare to have a test report identify no issues at all. People make mistakes, errors can be made, things can get overlooked.
Having a report uncover issues can be concerning, especially when evidence of testing is required by stakeholders. When this is the case clients may often ask for issues to be removed (if they’ve been fixed during the test) or downgraded in risk, believing this will portray a better picture. However, this sets a dangerous precedent and is something we do not do.
Of course, nobody wants to have errors/vulnerabilities highlighted, but any issue found should be seen as a positive, it always better to find an issue during a test than learn about it after a breach. The recording of any issue is always important and should be written up, helping to avoid it being reintroduced at a later date.
In terms of providing evidence to stakeholders, remember, the report isn’t the end of the process. We’ve identified the issues, reported them to you and now we’ll support you in fixing them. Supplying you with further evidence at the end of remediation process to show fixes have been successfully made.
5. From fixes to security policies and procedures
Fixing the issues uncovered during a test is always going to be the main priority, but issues can often run deeper than just the environment under investigation. Who is to say the same issue isn’t present across other areas of your organization?
Testing is your opportunity to identify potentially systemic problem areas and introduce/strengthen security policies and procedures to help mitigate them.
For example, a test may flag an unpatched system within the environment under review, but the system may also be in use across multiple areas of the organization. To prevent similar issues occurring in the future, companies would benefit from reviewing their patching procedures.
6. Value beyond the test
Information security can be confusing and it’s often difficult to know whether you’re doing the right thing, or whether the approach you’re taking is truly effective.
It helps to get expert advice in this situation, but who do you turn to for this advice if you don’t have the expertize in house? Why not engage with your test provider? They already have knowledge of your company and can provide quick expert advice, often without cost (depending on the depth of the answer you require of course).
As a company, we always encourage our clients to contact us when they have information security questions/problems, whether they want to confirm the latest guidelines on VPN security or just want someone to provide advice on a potential security solution.
As we always say, we’re here to be trusted advisers to our clients, not just test providers. So, make use of the expertize.