The need for penetration testing has become a fact of life in 2016. As businesses grow more reliant on online activities — and often require 100 percent effective network uptime — penetration testing remains the best way to ensure your systems are safe and secure.
However, penetration testing is definitely not a “set it and forget it” security process for your organization. As part of a comprehensive incident response plan, penetration testing needs to be tailored to your specific needs and the specific topography of your network landscape.
Here are six key tips to ensure your penetration testing is effective and well suited to your systems.
Tip #1: Plan out Your Penetration Testing Calendar Once Per Quarter
To be most effective, your penetration tests should be a regularly scheduled component of your incident response plan. Just like you should regularly schedule “disaster drills” to keep your personnel’s skills up to date, you also need to regularly schedule your penetration tests.
Scheduling your penetration tests has the additional benefit of imparting a degree of predictability to your budget planning and ensures all relevant personnel can properly prepare for each test ahead of time.
Tip #2: Take a Step Back — What Are You Trying to Protect?
Penetration testing isn’t a one-size-fits-all procedure — instead, it must be targeted to assess your specific network security needs. Before you can begin planning effectively, your organization must ask itself what it’s trying to protect.
If you’re an e-commerce company, systems for inventory, payment processing and vendor management are likely your top priority. Similarly, an accounting firm would probably consider its client records, compliance management systems and data confidentiality to be paramount.
Whatever your organization’s primary function, always make sure your penetration testing is configured to probe any vulnerabilities in your mission-critical systems. Once those systems are verified as secure, you can begin moving on to secondary and support systems to complete the testing routines.
Tip #3: Select the Right Tools
Your penetration testing tools must be able to handle the complexity of your systems environment but shouldn’t be too complex to use effectively. The best penetration testing solutions will let you pick and choose to find the features that are most relevant to your needs while discarding the rest.
Ensuring your tools are a good fit also helps you keep costs down, as your personnel won’t need to waste time on performing unnecessary testing procedures or maintaining unnecessary testing tools.
Tip #4: Have a Reputable Firm Provide Periodic External Testing
Bringing in an outside firm to periodically conduct their own testing routines is a good way to ensure your procedures are in top shape. In any organization, tiny mistakes or oversights can compound over time, and it can be nearly impossible to get a truly objective perspective from the inside.
A reputable outside firm can take a fresh look at your penetration testing needs while bringing their own unique experience to the endeavor. Relevant firms can often provide additional assistance by leveraging real-world tactics and specific certifications that your own teams may not possess.
Dedicated firms also usually have more robust tools, processes and methods for penetration testing, ensuring your systems receive the most thorough examination. By developing customized testing routines, an outside firm can work with your team while not just testing your environment, but also creating simulated incidents that allow your team to more effectively put your in-house incident response plan through its paces.
Tip #5: Keep Physical Security Tight
Truly effective penetration testing is about more than your network software and hardware. Even with the most effectively configured firewalls, your facilities themselves need to be secure in order to provide the highest degree of safety. While it may seem obvious, security loopholes like unprotected network jacks or unlocked server rooms are more common than you might think.
Accordingly, it’s always a good idea to ensure your facilities and physical infrastructure are as secure as they can be. When planning your testing, include routines to evaluate issues like keycard security, on-site vendor access and visitor clearance procedures.
It’s also a good idea to consider potential events that might put your information at risk. For example, if a fire alarm requires the evacuation of your entire building, what procedures do you have in place to lock down your mission-critical facilities until normal operations can resume while still giving emergency personnel the access they require?
Tip #6: Make Remediation a Priority
Once your penetration testing has concluded, you may end up with a long list of vulnerabilities that need to be addressed. It’s important to remember that remediating those vulnerabilities is just as important as the testing itself.
To keep the task manageable and organized, always start your remediation efforts by addressing vulnerabilities along interconnected systems paths. For example, if you’ve identified a vulnerability in one specific server cluster, make sure your remediation efforts address all media connected to that cluster. Whether the connected components are apps, other network nodes, web pages or more, following the path from beginning to end will help ensure that you’re applying the most effective solution.
Contact Garland Heart today to schedule a consultation and discover how you can improve your penetration testing procedures and maximize your systems' safety.