Note from the Editor: This blog is the last of a 10-part series entitled, “Everything you need to know about an Internal Penetration Test.” To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
For many, completing a penetration test is an eye-opening experience. It quantifies the security risks in your environment, and reactions to the results vary wildly. Some people lose sleep and start applying fixes immediately without any plan in place, which can accidentally introduce new vulnerabilities. Others get pulled back into the day-to-day demands of their security program, and the findings sit untouched until the next yearly penetration test comes along. This blog lays out what to expect after a penetration test and the course of action that will get the most value out of it.
Expectations and Actions Post Penetration Test
Read and Understand the Report
Before jumping into action, it is imperative that you fully understand your penetration test report. There may be some quick fixes you know you can address easily. However, making changes before you understand the whole report can lead you to take actions you will have to undo later. Therefore, after a penetration test it is important that you understand all of the vulnerabilities and how they fit together (for example, which findings the tester chained to reach Domain Admin) before you dive into remediation.
At SIG Cyber, we give you the report to review before we meet for a deliverable review. During this meeting, we go over all of the vulnerabilities associated with each tested environment and discuss the risk each one poses to your overall security posture. We encourage you to ask questions during the review; we want to ensure you fully grasp each vulnerability and the recommended fix. After this meeting you may want to review the report again. Your lead engineer will be available for questions a week later, a month later, or six months later. We value our client partnerships and want to improve your security, so don't be afraid to ask follow-up questions. We are happy to help.
Develop an Initial Plan of Action
The next step, once you fully understand the report, is to develop an initial plan of action. We provide a soft copy of our technical findings report, which lists each vulnerability, its associated risk, and the recommended remediation. We encourage you to use this report and make it your own. Add columns to the spreadsheet to track how each item will be fixed, what resources are required, how much time it will take, who will be responsible for the change, and so on. This gets everyone on the same page about what is involved and lets you build an initial game plan to take to management.
There are a couple of key pieces of advice for developing this game plan:
Use a Risk Based Approach
First, it is important to use a risk-based approach. Focus your efforts on what gives you the biggest bang for your buck, that is, the return on investment (ROI) of each fix. Often a single Group Policy change will remediate several critical and high findings across the environment at once. That is a relatively quick fix with a major impact on your overall risk (test the change on a pilot group of machines before rolling it out domain-wide, since a broad GPO change that breaks something is exactly the kind of hasty fix that creates new problems). Conversely, some items you would like to fix need to go on the back burner because they are too expensive or require a larger project. For example, segmenting your network is a major project that needs to be planned and budgeted for, so it is not something that would normally be considered a quick fix.
You Don’t Have to Fix Everything
In most situations, you don't have to fix everything in the report. Sometimes a compliance requirement or a third party demands a clean penetration test report, but for the majority of our clients that is not the case. Going back to ROI, you may need to accept the risk of some things for the time being. For example, if there is a low-severity finding for a wildcard certificate, but your system design means individual certificates won't work because of cost or technology limitations, then it is reasonable to accept that risk. Keep in mind, though, that every risk you accept needs to be documented, with management signing off on it and a date on which the acceptance will be revisited. An accepted risk that nobody owns or reviews tends to become a permanent one.
Organizational Buy In
Upper Management
After you have the initial game plan in place, it is time to present both the results of the penetration test and your proposed remediation plan to upper management. Showing management that you already have a plan demonstrates that you are being proactive and helps ease the shock of the report, especially if the results uncovered significant issues. That said, don't be afraid to present the penetration testing report in full. If needed, we are always happy to present the results of an assessment to your management with you. It is important not to hide anything or try to sugar-coat the results, because that leads to problems down the road. There are two reasons. First, your management is ultimately responsible for the security of the organization, so they need to fully understand all of the risks. Second, hiding things makes it harder to get the resources and buy-in necessary for remediation.
Many of the changes required to fix the vulnerabilities found in a penetration test require resources, which in turn require management buy-in. That may mean additional budget for security controls or tooling. It may also be a change that costs nothing but requires an organizational or cultural shift. For example, you may want to strengthen your password policy, an infamous battle in security, but your users don't want to type longer passwords. Before making changes like these, you need upper management's backing so that unpopular but necessary changes hold.
Entire Organization
In addition to upper-management buy-in, it is important to get buy-in across the rest of the organization as well. We recommend using awareness training to educate employees about the risks you are facing and the associated security controls. We also recommend using screenshots from the penetration testing report in your awareness training where it makes sense, especially if you had a social engineering assessment performed. Security is everyone's responsibility, and you need the organization to be aware of, and to know what to expect from, the changes coming as part of the remediation effort. This helps people understand why the changes are necessary and makes them as seamless as possible.
Update the Game Plan
After meeting with upper management, your initial game plan will likely need some modifications. Upper management is in a better position to understand the business and operational side of the house, so they may choose to accept some risks, expedite certain fixes, or change the approach you take to particular vulnerabilities. Plan to spend some time after the presentation updating the plan based on that discussion. Once the changes are made, be sure to get a final sign-off on the plan; it gets everyone on the same page and prevents further changes to the plan down the road.
Executing the Plan
Once you have a signed-off plan, it is time to start executing it. Understandably, this is likely to be the longest and most complex step in the process, so schedule regular update meetings to review progress and ensure the plan is being followed. Make sure every remediation action has an owner who is responsible for tracking and implementing the fix. If you use help-desk tickets, creating a ticket per fix is a great way to track progress. If you don't have a ticketing system, you can use the technical findings report we provide to track progress: add columns for expected fix dates, status, and remediation notes. Combining a tracking system with regular progress meetings keeps you on track and keeps fix items from getting lost in day-to-day security operations.
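As an added example, not part of the original post and not SIG's own tooling, the script below shows what the "make the report your own" advice looks like once the tracking columns are in a spreadsheet. It loads a constructed findings export that already carries the owner, status, due-date and accepted-by columns recommended above, ranks the open work by risk weight removed per day of effort (so a single GPO change covering several high findings floats to the top while a long segmentation project sinks), flags accepted risks that have no management sign-off recorded, and lists open items with no owner, no due date, or a missed date. The column names, severity weights and sample findings are all assumptions for illustration, not SIG's report format.

```python
"""Remediation tracker for a pen-test findings export.

Added example (not SIG's tooling). Column names, severity weights and the
sample findings below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Assumed weights per report severity; tune to your own rating scheme.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Constructed sample export. "fix_group" ties together findings that one change
# (here, one GPO update) remediates; owner/status/due/accepted_by are the
# tracking columns added to the tester's spreadsheet.
SAMPLE_FINDINGS_CSV = """id,title,severity,fix_group,effort_days,owner,status,due,accepted_by
F-01,Password policy below recommended length,critical,gpo-hardening,1,alice,open,2024-06-15,
F-02,Domain GPO hardening item A,high,gpo-hardening,1,alice,open,2024-06-15,
F-03,Domain GPO hardening item B,high,gpo-hardening,1,alice,open,2024-06-15,
F-04,Internal network not segmented,high,segmentation,60,,open,,
F-05,Wildcard certificate on internal services,low,certs,5,,accepted,,
F-06,Outdated TLS configuration on intranet app,medium,web-patch,2,bob,fixed,2024-05-01,
"""

ACTIVE = ("open", "in-progress")


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    fix_group: str
    effort_days: float
    owner: str
    status: str          # open | in-progress | fixed | accepted
    due: Optional[date]
    accepted_by: str     # manager who signed off, for accepted risks


def load_findings(text: str) -> list:
    """Parse the CSV export into Finding records."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        out.append(Finding(
            id=r["id"], title=r["title"], severity=r["severity"].lower(),
            fix_group=r["fix_group"], effort_days=float(r["effort_days"]),
            owner=r["owner"], status=r["status"].lower(),
            due=datetime.strptime(r["due"], "%Y-%m-%d").date() if r["due"] else None,
            accepted_by=r["accepted_by"],
        ))
    return out


def prioritise(findings: list) -> list:
    """Rank active fix groups by risk weight removed per day of effort.

    Findings sharing a fix_group are remediated by one change, so their risk
    adds up while effort is counted once (largest estimate in the group,
    floored at half a day to avoid dividing by zero).
    Returns [(fix_group, score, [finding ids]), ...], best ROI first.
    """
    groups = {}
    for f in findings:
        if f.status not in ACTIVE:
            continue
        g = groups.setdefault(f.fix_group, {"ids": [], "risk": 0, "effort": 0.0})
        g["ids"].append(f.id)
        g["risk"] += SEVERITY_WEIGHT[f.severity]
        g["effort"] = max(g["effort"], f.effort_days)
    ranked = [(name, g["risk"] / max(g["effort"], 0.5), g["ids"])
              for name, g in groups.items()]
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


def unsigned_acceptances(findings: list) -> list:
    """Accepted risks with no recorded management sign-off."""
    return [f.id for f in findings if f.status == "accepted" and not f.accepted_by]


def tracking_gaps(findings: list, today: date) -> list:
    """Active items with no owner, no due date, or a due date already past."""
    gaps = []
    for f in findings:
        if f.status not in ACTIVE:
            continue
        if not f.owner:
            gaps.append((f.id, "no owner"))
        if f.due is None:
            gaps.append((f.id, "no due date"))
        elif f.due < today:
            gaps.append((f.id, "overdue"))
    return gaps


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS_CSV)
    for group, score, ids in prioritise(findings):
        print(f"{group:15s} risk/day={score:6.2f}  {', '.join(ids)}")
    print("accepted without sign-off:", unsigned_acceptances(findings))
    print("tracking gaps:", tracking_gaps(findings, date.today()))
```

Run it as a script to print the ranked plan and the two exception lists. Regenerating those lists before each progress meeting is the point: an accepted risk with no signer, or an open item with no owner, is exactly what gets lost in day-to-day operations.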
Validate Fix Items
After you fix an item, it is important to test the fix, both to confirm it actually mitigates the vulnerability and to confirm no new vulnerabilities were introduced. Where you can, retest the way the tester did (attempt the attack again, not just confirm that a setting changed), since a control that looks correct in a console can still be bypassed in practice. Retesting can be done in-house, or you can have the firm that performed the initial assessment, or another trusted third party, retest the findings to make sure they were properly fixed. A third-party retest may be required if the penetration test was performed for compliance or for a customer's approval, as those parties usually want independent evidence of the fix.
Summary
Completing a penetration test is only the first step. What comes next is critically important for your institution. A well-thought-out game plan for addressing the test results will help your higher ed institution stay secure and ensure your security posture improves year after year. At SIG, we want to partner with you to better your security, so if you need our assistance at any step in the process, please reach out to us.
About the Author
Matt is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.