5 Steps to Prepare for Your Penetration Test
Penetration testing is a core component of any security strategy. If you're preparing for your first penetration test, being well-prepared is essential to getting the most value out of the assessment. This article outlines five key steps to help you get ready for a successful penetration test.
My name is Josh Tomkiel, and I serve as the Managing Director of the penetration testing team at Schellman. With over a decade of experience in cybersecurity, ranging from hands-on penetration testing to developing the frameworks our teams use today, I've gained valuable insights into what makes a penetration test truly effective.
Let's explore the five essential steps you should take before your penetration test to ensure you get the best results and maximum value from your assessment.
Step 1: Know Your Environment
The first and most important step in preparing for a penetration test is to have a comprehensive understanding of your IT environment. This means having robust asset management processes in place. You should be aware of:
- Internet-facing hosts
- Assets on your internal networks
- Resources in your cloud environments
This information is vital because it determines the scope of the penetration test. While penetration testing firms can perform reconnaissance, their ability to discover all your assets is limited. Providing an accurate and comprehensive scope to the testing firm ensures more effective use of time and resources during the assessment.
Step 2: Conduct Vulnerability Scans
Before the penetration test begins, it's advisable to perform vulnerability scans on your infrastructure. Here are key points to consider:
- Utilize a commercial vulnerability scanning solution (e.g., Tenable's Nessus, Qualys)
- Ensure scans are run with all plugins enabled
- For internal networks, use authenticated scans for more comprehensive results
It's important to note that while vulnerability scanners are highly effective for network infrastructure, they may have limitations when it comes to web applications. Scanners often struggle with understanding business logic, which is where manual penetration testing excels. However, scanning web applications is still beneficial and recommended.
For cloud environments, particularly services like AWS, consider conducting a security configuration review. This can help identify misconfigurations in services like S3 buckets or security groups that might expose sensitive resources to the internet.
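As an added example (not from the article or from Schellman), here is a Python check for the two misconfigurations just named: security-group rules open to the whole internet on a sensitive port, and S3 bucket policy statements that grant access to everyone. It runs offline against constructed data shaped like the AWS DescribeSecurityGroups and GetBucketPolicy responses; the sensitive-port list is an assumption to tune per environment.

```python
import json

# Assumed list of ports where world-reachable access is almost always a finding; tune per environment
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379, 9200}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def port_in_range(port, perm):
    """True if the rule covers `port` (IpProtocol "-1" means all traffic, no port fields)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_sg_rules(groups):
    """Rules open to the whole internet on a sensitive port, from a DescribeSecurityGroups-shaped list."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS and any(port_in_range(p, perm) for p in SENSITIVE_PORTS):
                    findings.append((sg["GroupId"], perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings

def public_policy_statements(policy_json):
    """Sids of Allow statements granted to everyone ("*") with no Condition narrowing them (GetBucketPolicy shape)."""
    public = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            public.append(stmt.get("Sid", "<no Sid>"))
    return public

# Constructed sample data in the API response shapes; not from any real account
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
]})
```

Against the sample data, the HTTPS rule and the 10.0.0.0/8 database rule pass, while the world-open SSH rule, the all-traffic IPv6 rule and the unconditioned PublicRead statement are reported for review before the testers start.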
Step 3: Internal Communication and Scheduling
Effective communication within your organization is essential for a smooth penetration testing process.
Ensure that:
- Relevant internal teams are aware of the upcoming penetration test
- The test is scheduled to avoid conflicts with change freezes or other important IT operations
- You're aware of any compliance requirements that might dictate the timing of the test
Remember, penetration testing often occurs in production environments, so coordinating with various teams is essential to minimize disruption and ensure a successful assessment.
Step 4: Prepare Test Environments for Web Applications
If your penetration test includes web application assessment, preparation is key:
- Set up a dedicated test environment that mirrors your production setup
- Populate the environment with representative test data
- Ensure the test environment is fully operational before the start of the engagement
A well-prepared test environment allows for a more thorough and accurate assessment of your web applications.
Step 5: Allow Sufficient Time for Planning
Begin discussions with penetration testing firms well in advance of when you need the final report. We recommend starting this process at least three months before your deadline. Here's why:
- A typical authenticated web application assessment takes no less than two weeks
- Report review and finalization can take an additional week
- Contract execution, including legal review and approvals, can be a lengthy process
Starting early helps avoid rush fees and last-minute scheduling conflicts, and ensures you receive your report by the required deadline, which is particularly important for compliance purposes.
Wrapping it Up
Preparing for a penetration test requires careful planning and coordination. By following these five steps – knowing your environment, conducting vulnerability scans, communicating internally, preparing test environments, and starting the process early – you set the stage for a successful pen test.
Your responsibilities do not end once the contract is executed. Continued cooperation with the penetration testing firm, ongoing internal communication, and ensuring proper access for testers are all equally important.
If you need guidance on your next penetration testing initiative or have questions about the process, please don't hesitate to reach out. At Schellman, we're committed to helping organizations improve their security posture through penetration testing and other compliance frameworks.
About Josh Tomkiel
Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.