Note from the Editor: This blog is the 4th installment of an 8-part blog series entitled “Everything you need to know about an External Penetration Test.” To read the series from the beginning, start at “What is an External Penetration Test?”
Everyone hopes that when they conduct an external penetration test, everything goes according to plan. The truth is that sometimes that’s just not the case. There is a litany of issues that can pop up during penetration testing in general. While 95% of the time things go smoothly, you should be fully aware of what can go wrong.
Potential Issues on an External Penetration Test
Systems Can Go Down
Systems crash for a variety of reasons, such as a misconfiguration, an old server on the perimeter, or a particularly bad vulnerability. While we do everything in our power to avoid taking something down, there is always some level of residual risk in taking a black box approach and actively exploiting detected vulnerabilities. Whatever causes that particular system to crash is something that you want to know about, as anyone on the Internet could induce that crash.
What you can do: If there are any old or particularly sensitive hosts on your perimeter, let your testing organization know during the project initiation meeting, otherwise known as the kick-off call, when discussing the Rules of Engagement. If there are particularly critical systems that could cause significant harm to your business if they went down, consider having the testing on those performed after regular business hours.
Data Corruption
This issue can occur due to failures or certain kinds of vulnerabilities. If there is a SQL Injection issue, placing a single quote into a field could modify or drop data in your database. You’d definitely want to know about this issue, but only after your rage subsided from potentially having to restore portions of your production database. Again, in anything but extreme scenarios, experienced penetration testers can avoid database modifications, but the potential is there.
What you can do: Before testing begins, it’s a great idea to double-check your organizational back-ups and restoration procedures.
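To make the data corruption risk concrete, here is an added example (not code from the original post) of how a lone single quote can leave a database half-written, next to the hardened form. The accounts/ledger schema, the function names and the use of SQLite are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # isolation_level=None = autocommit: every statement commits on its own.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    db.execute("CREATE TABLE ledger (account_id INTEGER, amount INTEGER, memo TEXT)")
    db.execute("INSERT INTO accounts VALUES (1, 100)")  # constructed sample row
    return db

def state(db):
    """Return (balance, number of ledger rows) for the sample account."""
    balance = db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]
    rows = db.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]
    return balance, rows

def withdraw_concatenated(db, amount, memo):
    # Weak form: two autocommitted writes, with memo spliced into the SQL text.
    db.execute(f"UPDATE accounts SET balance = balance - {int(amount)} WHERE id = 1")
    db.execute(f"INSERT INTO ledger VALUES (1, {int(amount)}, '{memo}')")

def withdraw_parameterized(db, amount, memo):
    # Hardened form: bound parameters, and both writes in one transaction.
    db.execute("BEGIN")
    try:
        db.execute("UPDATE accounts SET balance = balance - ? WHERE id = 1", (amount,))
        db.execute("INSERT INTO ledger VALUES (1, ?, ?)", (amount, memo))
        db.execute("COMMIT")
    except sqlite3.Error:
        db.execute("ROLLBACK")
        raise

def demo():
    memo = "'"  # constructed test value: a single quote in a free-text field
    weak = make_db()
    try:
        withdraw_concatenated(weak, 10, memo)
    except sqlite3.OperationalError:
        pass  # the quote broke the second statement; the first is already committed
    safe = make_db()
    withdraw_parameterized(safe, 10, memo)
    return state(weak), state(safe)

if __name__ == "__main__":
    print(demo())
```

In the weak form the balance changes but no ledger row is written, which is the kind of inconsistency that ends in a restore from back-up; the hardened form stores the quote as ordinary data.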
You’ve Already Been Compromised
There’s a great saying in the security community that there are two types of organizations out there: those that have been breached and those that don’t know they have been breached. While it doesn’t happen on every assessment, it’s not uncommon to discover during testing that an organization’s assets have already been compromised. I wouldn’t necessarily classify this as a potential problem, but it’s important to understand that it does happen. Should this be the case, we will immediately stop testing and notify our contact about what we’ve found. We’ll help you in any way we can to resolve the issue, and once you’ve given us the OK, we’ll proceed.
What you can do: It’s a great idea to have a continuous monitoring process that looks at systems, event logs, and alerts on a regular basis to identify potential breaches and security incidents as soon as possible.
Now you’ve scared me…
It’s not as bad as it sounds. As mentioned above, these issues don’t happen often. But with some proper planning and good security hygiene, you can help make sure they don’t happen to you. As penetration testers, we want to do everything we can to set you up for a successful penetration test. After all, one of the major benefits of a penetration test is to find and fix issues before they cause problems. For more information about external penetration testing and how we can help your higher ed institution, please contact us today.
About the Author:
JR Johnson is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.