So, you or a consultant executed a penetration test on your business and now you have the test results report. Each report will list a number of findings that need remediation. Obviously, you need to take care of these issues, but how do you start, and what other areas should you look at?
At this point, your company is going from a defensive mindset to an offensive security mindset. You need to use the report to look for other areas of your business that are weak and fix the ones you’ve identified in your penetration testing results. Offensive security is all about two areas of improvement: tactical and strategic. We’ll break down our suggestions into those key areas.
Tactical Penetration Testing Report Suggestions
What is a tactical suggestion? These are the areas you address directly based on the results of your penetration test. They are short-term fixes to help deal with immediate risks, whether they’re low risk or high risk. Here are a few examples:
Diversify Access Capabilities on Your SQL Server
Not everyone should have the same level of access to your database. For instance, some database admins might need the ability to add or remove tables, while a marketing analyst might only need read access to run basic reports, joining tables with SELECT statements. Limiting access means fewer opportunities for an attacker.
Delete Unused Network Users
You might find that you have some test users on your network with generic usernames and passwords. You might also identify former employees who never had their account deleted from the system. These are prime areas for a hacker to take advantage of, so simply delete these accounts. Just ensure they’re not being used for anything!
Tactical recommendations should be dealt with as quickly as possible, since they have already been identified as vulnerabilities. Your penetration testing report might not have included priority levels that make sense for your business, so how do you determine the order? According to pentest-standard.org, you evaluate incident frequency (actual or estimated), estimate the loss magnitude per incident, and derive the risk (based on the data exposed and on overlapping issues). Assign each of these a numerical value in Excel, apply them to every tactical suggestion, and sort by the resulting number. That order is your priority level.
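As an added example (not code from the original post or from pentest-standard.org), here is the same prioritization done in Python instead of Excel: annualized loss from frequency and loss magnitude, scaled for the data exposed and for overlapping issues, then sorted. The data-exposure weights, the 25% overlap factor and the sample findings are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    frequency: float          # incidents per year, actual (from logs) or estimated
    loss_per_incident: float  # estimated loss magnitude per incident, in dollars
    data_exposed: str         # what a successful attack reaches (key of DATA_WEIGHT)
    overlaps: tuple = ()      # titles of other findings that share the same root cause


# Assumed weights for the kind of data an issue exposes (not from the post or PTES).
DATA_WEIGHT = {"none": 1.0, "internal": 1.5, "pii": 2.0, "financial": 3.0}
OVERLAP_BONUS = 0.25  # assumed: each overlapping issue raises the score by 25%


def annual_loss(finding: Finding) -> float:
    """Annualized loss expectancy: incident frequency x loss magnitude per incident."""
    return finding.frequency * finding.loss_per_incident


def risk_score(finding: Finding) -> float:
    """Derive risk from annual loss, scaled by data exposed and by overlapping issues."""
    weight = DATA_WEIGHT[finding.data_exposed]
    return annual_loss(finding) * weight * (1 + OVERLAP_BONUS * len(finding.overlaps))


def prioritize(findings):
    """Return findings ordered from highest to lowest risk score: the priority list."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings in the spirit of the post's tactical examples.
SAMPLE_FINDINGS = [
    Finding("Shared test accounts with generic passwords", 4.0, 10_000, "internal",
            overlaps=("Former-employee accounts never deleted",)),
    Finding("Marketing analyst can drop tables in SQL Server", 1.0, 20_000, "pii"),
    Finding("SQL injection on website contact form", 2.0, 50_000, "financial"),
    Finding("Former-employee accounts never deleted", 0.5, 30_000, "internal",
            overlaps=("Shared test accounts with generic passwords",)),
]

if __name__ == "__main__":
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS), start=1):
        print(f"{rank}. {f.title}: risk score {risk_score(f):,.0f}")
```

Replace the sample values with your own frequency and loss estimates; the sorted output is the order in which to work the tactical list.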
Strategic Penetration Testing Report Suggestions
What is a strategic suggestion? This deals with your entire business processes, specifically corporate governance procedures (including the execution of the procedures) and general management issues (both human management and data management).
These may or may not be listed in your penetration testing report. However, you should use that to brainstorm other gaps that are business specific to you. When you bring in a consultant, they might not think of every business use case, but your management teams (across departments) should be able to. Here are a few examples:
Set the Frequency of Penetration Tests
Using your first penetration test as a template, repeat the same tests on a regular schedule and see whether your results improve. Set corporate goals to ensure your company is becoming more secure.
Implement Verbal Two-Factor Authentication
Especially for people with purchasing power, try implementing a verbal two-factor authentication for any decisions made by managers who are offsite. For instance, if the CEO tells a subordinate to transfer $200 million to a bank account overseas ASAP via an email, the CEO would need to call the team member and deliver the verbal authorization code to ensure this isn’t a social engineering attack.
File Governance and Management
Ask your managers if they know where their files are, how they’re accessed and how they may be entering and exiting your organization. If you get blank stares, you have a compliance issue at the root of your data: the files. Go find a file governance, management and access tool that gives you auditing and visual tracking over files and user access. Save yourself some time and just contact SmartFile, we’ll help you out.
Strategic suggestions take longer to execute because they can involve multiple layers of management. The last thing you want is to create processes that impede the business or force users to turn to shadow IT solutions for their problems. Listen to management and employees, and then educate them on the risk. Taking their feedback into account, find solutions for these strategic issues.
Now Go Get Started
Your pen testing report is just the first step. You need to take action quickly (like right now!), and that may involve more than just shutting down an open port or fixing a SQL injection opportunity on your website. Work with your entire business to make sure your company has efficient governance, management and access controls.