Penetration testing (pen test) identifies weaknesses in your security that a threat actor could exploit. In a previous blog, I talked about how to prepare for an external penetration test. Today, we are focusing on an internal penetration test and the steps you can take to make the process easier for you and your team.
Testing your internal network is just as important as assessing your external security controls. This type of test shows what could be exploited if a disgruntled employee or a bad actor gains access to your network. The tools and methodologies may differ from an external penetration test, but the goal is the same: find out how someone could bypass existing controls to compromise the environment.
There are four key elements I believe should be addressed prior to engaging a company to conduct a pen test:
Updated Network Inventory
Before you reach out to a company to have them conduct your internal penetration test, you need to define exactly what will be assessed. Inventory your network and know what you want to assess. In most cases, I would say test everything; however, there are exceptions. For example, in a manufacturing environment, you may have an old SCADA (supervisory control and data acquisition) system that could be negatively affected by a scan, and the same could be true for PLCs (programmable logic controllers).
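As an added example (not from the original post), here is a small scope check that turns an inventory and the address ranges you intend to hand the vendor into two lists: fragile OT hosts that must go on the exclusion list, and inventoried hosts that the agreed ranges do not cover at all. The inventory, addresses and role names are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory; hostnames, addresses and roles are hypothetical.
INVENTORY = [
    {"host": "dc01",      "ip": "10.0.10.5",    "role": "domain-controller"},
    {"host": "fs01",      "ip": "10.0.10.20",   "role": "file-server"},
    {"host": "hmi01",     "ip": "10.0.50.10",   "role": "scada"},
    {"host": "plc-line3", "ip": "10.0.50.31",   "role": "plc"},
    {"host": "lab-vm7",   "ip": "192.168.99.7", "role": "workstation"},
]

# Ranges you plan to give the vendor as in-scope (constructed).
AGREED_RANGES = ["10.0.10.0/24", "10.0.50.0/24"]

# Roles the post flags as sensitive to active scanning.
FRAGILE_ROLES = {"scada", "plc"}


def validate_scope(inventory, agreed_ranges, fragile_roles=FRAGILE_ROLES):
    """Return fragile hosts inside the scan ranges (to exclude) and
    inventoried hosts the ranges miss (inventory or scope is out of date)."""
    nets = [ipaddress.ip_network(r) for r in agreed_ranges]
    exclude, uncovered = [], []
    for asset in inventory:
        addr = ipaddress.ip_address(asset["ip"])
        covered = any(addr in net for net in nets)
        if not covered:
            uncovered.append(asset["host"])
        elif asset["role"].lower() in fragile_roles:
            exclude.append(asset["ip"])
    return {
        "exclude": sorted(exclude, key=ipaddress.ip_address),
        "uncovered": sorted(uncovered),
    }


def render_exclusions(result):
    """One address per line, the form most scanners accept as an exclude file."""
    return "".join(ip + "\n" for ip in result["exclude"])


if __name__ == "__main__":
    report = validate_scope(INVENTORY, AGREED_RANGES)
    print("exclude from active scanning:")
    print(render_exclusions(report), end="")
    print("inventory hosts outside agreed ranges:", report["uncovered"])
```

Anything listed as uncovered means either the inventory or the proposed scope needs updating before the engagement starts.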
Backups
Ensure you have good, recent backups of your critical systems and components before starting a pen test. Pen tests are not designed to negatively affect your business operations, but it is better to be prepared if something happens. As I just mentioned with manufacturing, systems can be sensitive, so having current backups can reduce the potential for lost production time. On a separate note, if you have not evaluated your backup restoration procedures, now would be an opportune time to do so.
Points of Contact
A critical and sometimes overlooked piece is key points of contact. Make sure to provide the pen testing company with your contact information and be sure to get theirs as well. Have the information readily available during testing if an event occurs that requires the testing to be paused or stopped.
Communication Channels
Clearly define who, when, and how someone should be contacted for standard communications and a potential emergency. Providing an escalation path or call tree ahead of time will eliminate potential confusion should an emergency arise. During the pen test, be sure to keep the lines of communication open with your pen testing vendor.
Once you have selected a vendor for your penetration test, be sure to address any concerns or questions you have about the overall process. They may ask if you want to conduct a credentialed test, and my recommendation is to say yes. A credentialed test typically requires creating a generic user account whose credentials are used specifically for the pen test. A credentialed test will give you more insight into what a generic user account can do on your network and may reveal excessive privilege assignments for that role.
When the testing is concluded and you get the findings report, relax. If your environment is really locked down and the findings are negligible, that would be impressive! If your report revealed significant vulnerabilities and gaps in your internal security controls, remember, you paid a company to find the potential issues and they are helping you become more secure. Seek their guidance on the best approach for addressing the issues that were uncovered. After that, lay out a methodical approach to address the highest-priority issues first, but do not overlook the low-hanging fruit. Those quick wins can help build momentum and reinforce the positive controls you are putting in place.
Once you have addressed the issues in your pen test, you may want to consider asking your vendor to conduct a post-remediation scan of your environment. The post-remediation scan serves two purposes. First, it validates whether you have properly remediated a specific finding from the pen test. Second, it can reveal whether you have introduced another vulnerability through a misconfiguration made during remediation.
Remember, the goal of an internal penetration test is to make your network as safe and secure as possible. If something is uncovered of which you were not aware, be thankful the vendor you hired found it before a bad actor did.
If your organization needs an internal penetration test, our expert team is here to help. We'll work with you to minimize disruptions and ensure your team feels confident throughout the process. Click here to learn more about our penetration testing services.