What Type of Pentest Does Your Company Need?

Throughout our 25+ years in business, NetWorks Group has heard about a range of pentest experiences from customers and partners, with different expectations and even greater differences in outcomes.

To summarize their feedback and help you identify potential issues to avoid, here are some general categories of pentesting formats.

We can’t stress this enough: knowing what you’d like to achieve before you start allows you to select the right approach for your business. When it comes to pentests, many types are offered, and not all of them are advisable:

  • “Capture the flag” pentests. Some pentests are designed only to prove to the client that the vendor can get in. But a pentest treated as a competition to “win against your business” is a low-quality pentest and brings little value. The goal should not be for the vendor to prove they can breach your systems; it should be to improve your security. Moreover, these lower-quality pentests typically focus on the easiest way in (the least comprehensive option), provide a very narrow picture and fail to share lessons learned. They tend to focus on how the attack worked rather than on what to do to improve in the future.

    Keep in mind that pentesting is a means to an end. Your vendor should be able to explain what they found, how and why. And, most importantly, they should be able to guide your company on what steps to take and how to prioritize those actions.
  • TMI (Too Much Information) pentests. Some of our customers and partners mention receiving a 200-page report that lacks context and is almost impossible to act on. Findings are vague and open to debate. TMI pentests are often insufficient because they overwhelm the scarce resources on your team rather than directing you to the areas where you can have the biggest impact on improving your cyber resiliency. Context and specificity are critical.
  • Vulnerability scans disguised as pentests. Running a scan to detect vulnerabilities is not a pentest, particularly when the scan is simply a run of standard scanning software. These types of tests often miss the unique elements of your environment, and they cannot show how individually deliberate configuration choices can be chained together by today’s skilled attackers to gain a foothold. Automated scans are useful, but they’re not a replacement for a high-quality pentest.
  • “Fresh eyes see more” pentests. Some companies change vendors regularly because they believe a “fresh pair of eyes” will detect issues that went unnoticed before. But security and pentesting are complex. What makes the difference is not a new approach but a sound methodology that uses the latest tactics, techniques and procedures.

    In fact, finding — and keeping — a trusted vendor is an essential part of navigating your security evolution.
  • “Check the box” pentests. Companies need to ensure compliance and prove it. But a test that is focused on arbitrarily “ticking the boxes” to satisfy minimum requirements is a missed opportunity. This type of exercise often results in wasted money, time and a false sense of security.
  • Actionable and pragmatic pentests. As you’d expect, we saved the best approach for last. A high-quality pentest should be practical and immediately actionable with concise, easy-to-understand reports. It should allow your organization to effectively and quickly act upon the findings to meaningfully improve cyber resiliency.

Security is not a static field. Real-world attacks are mutating at an alarming speed; your resiliency will improve as you evolve and adapt. Pentests should play a central role in your long-term security strategy rather than just being a stand-alone tactic.

To learn more about how pentesting works, read our ebook on high-quality pentesting. You can also schedule time to review a sample pentesting report with one of our ethical hackers here.

About the Author: Chris Neuwirth is Vice President of Cyber Risk at NetWorks Group. He leverages his expertise to proactively help organizations understand their risks so they can prioritize remediations to safeguard against malicious actors. Keep the conversation going with Chris and NetWorks Group on LinkedIn at @CybrSec and @NetWorksGroup, respectively.  

Published By: Chris Neuwirth, Senior Penetration Tester

Publish Date: October 30, 2024
