Pen Test: What You Need to Know Before Starting


You need a Penetration Test, or “Pen Test”! You’ve heard you need one for compliance, or someone just thinks it’s a good idea.

Where do you start?

Should you hire a firm or try it with your current staff, and what do you actually need out of a Pen Test?

Is your network secure and what do hackers already know about your network?

In this post, we’ll give you helpful information on how to get started on your organization’s Pen Test. If you’re trying to learn more about what’s right for your company, you’re in the right place.

Penetration Testing is one of the most effective ways to find out how your network actually holds up against an attacker. However, there are some things you should know about Pen Testing before believing all of the hype. Here are some of the most important things to know so that you can make an informed decision about when and how to use this security practice.

Let’s get our definitions straight first!

A Vulnerability Scan uses an automated tool to find known vulnerabilities in the software and devices on your network, typically by matching version banners, patch levels and configuration settings against a database of published flaws. It delivers an automated report listing specific devices with known vulnerabilities or configuration errors. Because it matches on what a system advertises rather than on what an attacker can actually do, a scan can flag issues that turn out not to be exploitable and miss issues that have no signature.

A Vulnerability Assessment is a manual process with interviews of your staff, reviews of documentation, and vulnerability scans. Vulnerability Assessments deliver a report showing your strengths and weaknesses from that process. Vulnerability Assessments, a.k.a Security Assessments, can also be performed against a compliance framework or matrix, such as NIST 800-53 or NIST 800-171.

Pen testers will attack your network in the same manner as a hacker would.

Penetration Testing actively tests your network security for things you don’t know about. Penetration Testers will recon and “attack” your network like a malicious hacker would. As a result, the Penetration Testers may uncover new, previously unidentified vulnerabilities through their experience or ingenuity. What makes Penetration Tests unique is that they simulate the actions of an attacker, chaining individual weaknesses into an actual path to your data. Another way to think of penetration testing is as vulnerability validation: while a vulnerability scan just detects a possible issue, a pen test determines whether it can actually be exploited, and what an attacker could reach once it is.
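To make the scan-versus-test distinction concrete, here is an added example (not from the original post, and not any vendor's scanner code) of the kind of version-match check a vulnerability scanner performs. The product names, advisory IDs and banners are constructed for illustration only and do not refer to real software or real vulnerabilities. Note that the best the scanner can say is "potentially vulnerable": it cannot tell whether a distribution backported the fix without changing the version string, and it cannot tell whether the flaw is reachable, which is exactly the gap a human tester closes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical advisory table. Product names and advisory IDs are
# made up for this example and do not refer to real software or real CVEs.
ADVISORIES = [
    {"product": "ExampleHTTPd", "fixed_in": "2.4.1", "advisory": "EXAMPLE-HTTPD-001"},
    {"product": "ExampleSSH",   "fixed_in": "7.2",   "advisory": "EXAMPLE-SSH-002"},
]

# Matches banners of the form "Product/1.2.3 optional trailing text".
BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z0-9_-]+)/(?P<version>\d+(?:\.\d+)*)(?P<extra>.*)$"
)


def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); short versions pad with zeros so 2.4 == 2.4.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Finding:
    host: str
    product: str
    version: str
    advisory: str
    status: str   # "potentially vulnerable" or "not flagged"
    note: str


def scan_banner(host: str, banner: str) -> Optional[Finding]:
    """Version-match check, the way an automated vulnerability scanner works.

    Returns None when the banner is not in a recognisable format. A result of
    "potentially vulnerable" means only that the advertised version predates
    the fix; it is not proof that the flaw is reachable or exploitable.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    product, version, extra = m.group("product"), m.group("version"), m.group("extra")
    for adv in ADVISORIES:
        if adv["product"].lower() != product.lower():
            continue
        if parse_version(version) < parse_version(adv["fixed_in"]):
            note = "advertised version predates the fix; verify manually"
            # Distribution builds often backport fixes without bumping the
            # upstream version, so a vendor suffix means the banner alone
            # cannot settle the question.
            if "backport" in extra.lower() or re.search(r"-\d+", extra):
                note += " (vendor suffix present: fix may be backported)"
            return Finding(host, product, version, adv["advisory"],
                           "potentially vulnerable", note)
        return Finding(host, product, version, adv["advisory"], "not flagged",
                       "advertised version is at or above the fixed release")
    return Finding(host, product, version, "", "not flagged",
                   "no advisory for this product")


# Constructed sample banners, as a scanner might collect them from a network.
SAMPLE_BANNERS = [
    ("10.0.0.5", "ExampleHTTPd/2.4.0"),
    ("10.0.0.6", "ExampleHTTPd/2.4.1"),
    ("10.0.0.7", "ExampleHTTPd/2.4.0-3 (backported security fixes)"),
    ("10.0.0.8", "ExampleSSH/7.1"),
    ("10.0.0.9", "garbage banner"),
]


def scan_all(banners=SAMPLE_BANNERS):
    """Run the version-match check over every banner and drop unparseable ones."""
    return [f for f in (scan_banner(h, b) for h, b in banners) if f is not None]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.host}: {f.product} {f.version} -> {f.status}; {f.note}")
```

Running the block flags hosts 10.0.0.5, 10.0.0.7 and 10.0.0.8 and leaves 10.0.0.6 alone. Host 10.0.0.7 is the interesting one: its banner carries a vendor suffix, so whether it is really vulnerable is a question the scanner cannot answer and a tester has to settle by actually attempting the attack.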

Choose your Pen Test Tools Wisely.

Not all tools are created or priced equally, and Pen Testing is just as much an art as a science. Make sure that you invest in testing tools that fit your needs. Remember that a skilled tester will make all the difference in your results, regardless of how powerful your tools are. There are a variety of application pen testing tools available, some free and some insanely expensive!

Free may not be Free

Some tool sets and frameworks, like the Kali Linux distribution or the Metasploit Framework, are either free or have free versions. However, if you don’t know what you are doing, you will spend more money in staff time and get poor results. If you’re going to try Pen Testing in house, take the time and spend the money on training, or outsource your Pen Test to a qualified Penetration Testing Vendor.

Manual testing gets further in the network vs automated testing.

Currently, the best automated testing amounts to scanning and firing off known exploits at known targets. The reason security always has to be updated is the human element: the innovation and the illogical moves humans make to find new vulnerabilities. No scanning mechanism is going to be able to follow the actions of a truly driven, capable hacker, especially not in real time. Only another human being can do that. These non-linear steps allow people to find documents with passwords and other valuable information, going above and beyond firing off known exploits. In short, don’t accept an automated test as a full Pen Test.

Pen Testing isn’t just hacking

You need a good report in the right format for compliance. The right tools will offer output in a format that will make report writing easy. However, nothing beats a human when performing pen test analysis. When selecting your tools or pen testing companies, this is a main consideration!

Pen Testing should include social engineering.

Email phishing is the #1 entrance vector for malicious attacks.

True Pen Testing does much more than close technical holes. Many hackers build their attack plan from the information that your customers and company freely give away on social media. Do not overlook social engineering in your Pen Testing, and make sure that your tester understands that this aspect of testing is to be included along with the technical analysis.

Examples of tried and true Social Engineering attempts:

  • Email Phishing: #1 Entrance Vector!

  • USB Stick Dropped in the Parking Lot: Chances are your employees will pick it up and plug it in.

  • Call from the IT department to Fix an Issue Remotely

Should employees conduct the Pen Testing?

Ideally, you want fresh eyes on your network, so you should always consider outsourcing your initial Pen Tests to dedicated experts. However, nothing says that your employees cannot perform routine checks, such as vulnerability scans and configuration reviews, between outsourced tests, giving your staff responsibility for a periodic check. You may catch a vulnerability that would otherwise have caused a problem down the road.

Pen Testing may not be optional.

Depending on your industry, you may be required to conduct Pen Tests in the near future, if not now. Pen Tests are commonly used by health care companies and financial institutions as evidence for the risk analysis and safeguards testing that HIPAA and the Gramm-Leach-Bliley Act require. If your business accepts credit cards, the Payment Card Industry Data Security Standard (PCI DSS) goes further and requires penetration testing of the cardholder data environment at least annually and after significant changes, so for you a Pen Test is not a convenient option but an explicit requirement.

You will need to check which regulations your organization falls under and their specific Pen Test requirements.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.
