As most know, the SecuSolutions team are strong advocates of penetration testing and red teaming. It’s a sizable chunk of our business and growing month over month thanks to the referrals and repeat business we are enjoying; however, it’s not always smooth sailing.

The Good

Depending on which side of the aisle you’re standing on, penetration testing can be a blessing or a curse. If you’re on our side, you view it as a valuable experience that helps the customer understand what they are doing right, and what they could be doing better as it concerns their security. It’s a chance to validate the security controls that have been implemented to see if they are working as advertised. It’s a chance for an organization to test their detection abilities and response to a threat. The goal is to identify, validate, and remediate everything a pen testing team finds during the engagement and to harden the infrastructure as much as possible. This is how pen testing should be viewed.

The Bad

Occasionally we meet resistance from the other side. Inevitably we run into a devoted IT manager, system or network admin, developer or manager that views us as the enemy. The network is their baby, and no one is going to mess with the way they have set things up or the security controls they have implemented. In their eyes, it is like a crime scene in a Hollywood movie: the local cops are on site investigating and the FBI shows up to "take it from here." This misperception occurs for many reasons. One reason is that in many cases the company has simply never had a penetration test before and is concerned about the issues we may uncover. They're worried it may make them look bad to their peers or to their boss. Another: the customer may have their security outsourced to a security firm that is "managing" their security, as is the case with many MSPs. MSPs do not like us to expose their inadequacies. Or it may be that the person in charge blew their budget on some cleverly marketed magic security thingy, and they do not want us to point out its weaknesses or shortcomings because they feel they don't have the funds to fix it.

The Ugly

Once in a while we may even come across a customer whose IT team is determined to dictate how a penetration test should be performed. In other words, what methods or techniques we use to infiltrate the infrastructure and even where we can or cannot look. This usually happens because the customer's IT team knows they are weak in one or more areas and don't want us to bring it up in a report for fear of embarrassment. In rare cases, the customer's IT team has asked us to redact elements of the penetration test before it is presented to management. This is to save their bacon and likely spare them some good old-fashioned reprimanding.

Conclusion

This article is meant to emphasize the importance of keeping it real and being open and honest as it relates to security. There is no silver bullet; there is no perfect plan when it comes to security. There is no superstar who knows everything there is to know about security. Security is all about applying layers of controls, procedures and technology, consistently managing them and "testing" them to ensure they are all working the way they should be. All these measures are like speed bumps and roadblocks to a hacker. The more there are, the less interested they will be in your infrastructure.

If you're considering a penetration test, be prepared to open up. The team is there to help strengthen your existing controls, not to humiliate you. Hackers don't care about feelings, and neither should you. We have had the good fortune of turning many an IT practitioner around and helping them understand that we are on the same team. If you are considering options for penetration testing, contact us for a free consultation and find out what's involved.