Note from the Editor: This blog is part 7 of a 10-part series on Everything you need to know about an Internal Penetration Test. To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
Typically, an internal penetration test is conducted without any issues. However, there are a few things that can go wrong with an internal penetration test that deserve some consideration. In this blog, we will explore some of these potential issues and what you can do to help prevent them.
Internal Penetration Test – Potential Issues
System Crash
A system crash can happen for a variety of reasons: misconfigurations, an old server running an unsupported operating system, or a particularly bad vulnerability. While we do everything possible to prevent a system crash, there is always some level of residual risk when taking a black box approach to testing and actively exploiting vulnerabilities. However, whatever issue causes a particular system to crash is something that you want to know about.
What you can do: If there are any old or particularly sensitive hosts in scope, let your penetration testing team know. This is something to discuss during the project initiation meeting when defining the Rules of Engagement. If there are particularly critical systems that could cause significant harm to your business if they went down, consider having the testing on those performed after regular business hours or during maintenance windows.
Data Corruption
This issue can occur due to security control failures or certain kinds of vulnerabilities. For example, if there is a SQL Injection issue, placing a single quote into a field could modify or drop data in your database. Again, in anything but extreme scenarios, experienced penetration testers can avoid database modifications. But it’s important to keep in mind that the potential for data corruption does exist.
What you can do: Prior to testing, it’s a great idea to double-check your organizational backups and restoration procedures. (You should be doing that on a regular basis anyway.)
Existing Compromise
There’s a saying in the security community that there are two types of organizations: those that have been breached and those that don’t know they’ve been breached. We do sometimes discover an organization has already been compromised during testing. I wouldn’t necessarily classify this as a potential problem, but it’s important to understand that it does happen. In the event of an existing compromise, we will immediately stop testing. We will notify our emergency point of contact about what we’ve found. We’ll help you in any way we can to resolve the issue. And once the issue has been addressed, we will proceed with testing where we left off.
What you can do: Have a continuous monitoring process that looks at systems, event logs, and alerts on a regular basis to identify potential breaches and security incidents. You can help prepare for issues that you’ve missed by reviewing your organizational Incident Response policy and making sure you’ve exercised it recently.
Test Anxiety
You may be thinking that you’re not sure you want to do an internal penetration test now. It’s not as bad as it sounds. As mentioned above, these issues don’t happen often. And with some proper planning and good security hygiene, you can help make sure they don’t happen to your institution. As penetration testers, we want to do everything we can to set you up for a successful penetration test and prevent any potential disruptions. After all, one of the major benefits of a penetration test is to find and fix issues before they cause problems for the institution.
Contact us today to learn more about how we can help fix any potential issues before they become a problem for your institution.
About the Author
Matt is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. Matt can be found on Twitter @InfoSecMatthew.