One of the most effective methods of uncovering weaknesses in a security concept is for third parties to carry out planned hacker attacks on the system. Penetration testing, also known as pen testing, is about uncovering gaps in IT security so that they can be closed before someone with malicious intent can take advantage of them. There are different types of pen tests that target different aspects of a business.
From network infrastructure to applications and devices to employees, there are many potential avenues of attack for a hacker targeting an organization. The advantage of an experienced independent pen testing partner is that they approach the problem with an open mind and try to mimic a malicious hacker by looking for vulnerabilities and trying different techniques and tools to penetrate a network.
Below are common errors and helpful tips that can help users avoid threats:
Inadequate risk management
One of the first things the user can do to improve the security posture is to assess the potential risks. As a result, the company knows where the greatest risks lie dormant. This information must serve as the basis for the goals of the pen tests. That is, prioritizing risks in this way helps the user focus security efforts on the areas where they can provide the greatest benefit.
Tip: The pen tests should always be based on the worst possible scenario for the company. It is easy to uncover minor potential issues, but they can be a major distraction from the threats that are genuinely dangerous.
Wrong tools in use
There are a variety of pen testing tools out there, but it takes significant expertise to know which tools to use where, and how to configure them properly. Anyone who thinks they can buy pen testing tools off the shelf and have in-house IT run them may be in for a rude awakening. Without experienced experts in-house, it is a good idea to hire a third party with real expertise.
While pen testers can be expensive, they’ll likely only be needed for a short period of time, making automation tools worthwhile. An automated pen testing platform can be a good way to validate protections and get some ongoing protection. However, these should be chosen carefully. Pen test partners offer advice on this.
Ambiguous evaluations
The external pen testers must also produce understandable reports so that the discovered vulnerabilities and their potential impact on the company can be properly classified. This requires easy-to-digest information that explains clearly what a security issue is, what the consequences may be if it is not fixed, and how exactly the fix should be done.
Without clear objectives, the report cannot provide a clear direction for the company, and it then becomes difficult to identify the really critical attack vectors that threaten strategic assets. Therefore, be wary of third-party or automated tools that simply point out thousands of vulnerabilities without providing any direction. Good reports filter out the noise and false positives and highlight what’s important to the business.
Beware of checklists!
If third-party providers deal almost exclusively with checklists during pen testing, the user runs the risk of overlooking something. While compliance is important and right, it is not the only reason pen testing should be done. When the focus is on checking off items, the user gets a false sense of security, not least because cybercriminals do not work according to checklists.
Business Interruption
Pen testing must be properly planned to account for the potential impact on critical business systems. Successful hackers often exploit vulnerabilities without disrupting operations, and so should hired pen testers. For third-party providers, it must therefore be clear in advance that the tests will take place in a production environment. In a black box scenario where the pen tester does not have an overview of the infrastructure, the risk of an interruption is of course much greater.
Avoid outdated technology
Any pen test plan that doesn’t evolve is essentially worthless. New techniques, new tools and new vulnerabilities are constantly being developed. A good pen testing partner will incorporate the latest hacking techniques into their strategy.
Irregular pen tests
Annual pen tests, while common, offer little certainty. That is, infrequent testing provides only a snapshot of protection at the time the test is performed. It is better to continually review and retest defenses to ensure vulnerabilities have been properly addressed. This is another argument for automated and proper pen testing platforms.
Management omissions
Ensure that someone is responsible for responding to pen test results and the output of automated tools. This person must prioritize the problems found and resolve them in a timely manner, because costly data thefts are often the result of known vulnerabilities that companies have not fixed. Tests that confirm identified vulnerabilities have been properly addressed should be part of ongoing pen testing. Inadequately planned and executed pen tests, on the other hand, sometimes harbor high risks for companies.