What to Expect After a Penetration Test (Part 1 of 2)
So you have finally taken the plunge and had your first penetration test completed. Or maybe this is a yearly requirement, but for some reason you still aren’t getting the results you expected. Maybe you are running into hurdles securing your environment. For many, having a penetration test completed is an eye-opening experience that will help quantify the security risks in your environment. The reactions to testing results can vary wildly from client to client. Some will be losing sleep, so they perform fixes immediately without any set plan in place, which could accidentally introduce new vulnerabilities. Others will get distracted by the day-to-day demands of their security program, and these vulnerabilities will sit until the next yearly penetration test comes along. In this blog, we will look at what to do after a penetration test and what basic plan of action you should follow.
Read and Understand the Report
Before jumping into action, it is imperative that you fully understand the report. There may be some quick fixes that you know you can easily take care of, but doing so before understanding the whole report may cause you to take actions that you will have to undo later. Therefore, after a penetration test it is important you understand all of the vulnerabilities and how they fit together before you dive into remediation. At Triaxiom, we will give you the report ahead of time, but we stress the importance of jumping on a call (or meeting face-to-face) for a deliverable review. During this meeting, we will go over all of the vulnerabilities associated with each of the tested environments, and cover what the risk is to your overall security posture. Our recommendation is to review the report once before-hand to make sure you understand the basic contents, but then allow us to present talk through it and explain everything. Of course, during this review, ask questions to ensure you fully grasp each vulnerability and the recommended fix actions. Additionally, after our presentation, you are most likely going to want to review the report again. Your lead engineer will be available for questions a week later, a month later, or 6 months later. Triaxiom is founded on the value of partnering with our clients to improve their security, so don’t be afraid to ask follow-up questions, we are happy to help.
Develop an Initial Plan of Action
The next step after a penetration test and after you fully understand the report is to develop an initial plan of action. We provide a soft copy of our technical findings report, which lists each vulnerability, the associated risk, and recommended remediation. We encourage you to use this report and make it your own. Add columns to the spreadsheet to track things like how it will be fixed, what resources are required, how much time it will take, who will be responsible for the change, etc. This will help everyone get on the same page as far as what is involved and allow you to come up with an initial game plan to take to management. There are a couple of key pieces of advice when developing this game-plan that we need to cover.
Use a Risk Based Approach
First, it is important when coming up with the initial game plan after a penetration test to use a risk-based approach. You want to focus your efforts on what is going to give you the most bang for your buck. Focus on the Return on Investment (ROI) for each fix. There may be several remediations you can do all at one time by modifying your GPO to fix multiple critical and high vulnerabilities in your environment. This is a relatively quick fix, but can have a major impact on your overall risk. Similarly, there may be some items that, while you would like to fix them, need to be placed on the back-burner because they are just too expensive or require a larger project to fix. For example, segmenting your network is a major project that needs to be thought out and budgeted for, so it’s not something that would normally be considered a “quick fix.”
You Don’t Have to Fix Everything
Something else to consider: you don’t have to fix everything in the report in most situations. There are certain situations, where compliance or a third-party might require a clean penetration test report, but for the majority of our clients, not everything has to be fixed. Again, going back to the ROI, some things may need to be risk-accepted for the time being. For example, if there is a low severity finding for a wildcard certificate, but the system design means using individual certificates won’t work because of cost or technology limitations, then feel free to accept that risk. With that being said, it is important that for every risk you accept, you need to document that and ensure management is signing off on that risk.
Summary
In this first of a two-part series, we focused on what to do immediately after a penetration test. First, you need to ensure you understand the report inside and out. Ask questions if you need more information. Next, you need to come up with an initial game plan prior to taking it to management. This should be based on risk and the resources involved in fixing the items. Keep in mind that not every vulnerability can be fixed, nor do they have to be, but you should have a process in place to accept the risk for any residual vulnerabilities. In our next blog, we will look at the next steps after this game-plan is developed.