Penetration Test Pitfalls to Avoid

By Fortra's Digital Defense

While pen testing has been around since the 1960s, not all organizations have yet perfected the art of conducting them. In fact, not all companies are taking advantage of them, but that’s a conversation for another time.

Below are a few common pitfalls that even experienced security teams fall victim to from time to time.

Wrong Frequency

Penetration tests evaluate your security posture at the moment of the test. Once it is completed, it is only a matter of time before your systems and the environment surrounding them change in some way. That means you are never really “done” pen testing. While some IT governance and compliance mandates require an annual penetration test frequency, there are certain events that could be considered triggers that warrant additional tests. These include:

  • When large security patches are applied
  • When new infrastructure is installed
  • When you add additional physical locations or relocate your network

You can decide which pen test frequency is right for your organization based on the dynamics of your business environment.

Not Your Type

The wrong type of pen test will fail to address the controls your business deems most important. To understand which type of pen test suits your needs best, you need to determine how your business prioritizes risk associated with the following areas:

  • Infrastructure
  • Web Applications
  • People

Depending on your answer, you may need a network penetration test, a web application penetration test, a social engineering test or all of the above. Be sure to meet with key stakeholders in your organization to understand and prioritize your areas of concern appropriately. It is also important to take common attack vectors into account and prioritize risk and potential damage.

Disastrous DIY

Pen testing requires finely tuned ethical hacking expertise. Most organizations do not possess this in-house. Done incorrectly, pen tests can create more problems instead of just identifying those that exist. It’s best to identify a trusted vendor that can help you configure and conduct regular tests simply and painlessly. Be sure the vendor you choose specializes in pen testing and ensures its pen testers stay educated on the latest hacking techniques.

Noisy Reporting

The point of pen testing is ultimately to emerge better informed than you were when you began. Unfortunately, many penetration testers provide clients lengthy reports of indigestible vulnerability data without any context, organization, or prioritization. This creates confusion, swirl, and more work for teams that are typically already overtasked. It’s important that your vendor’s pen test reports can distinguish high-risk, critical vulnerabilities from others that may not be easily exploitable. IT security team resources are better spent on the more pressing issues than on noise and distractions.

Tunnel Vision

Many organizations conduct penetration tests for the sole purpose of compliance. This type of tunnel vision can result in overly limited tests that fail to uncover potential vulnerabilities. Cybercriminals know and understand compliance requirements. Therefore, they won’t hesitate to try to infiltrate areas that might be ignored by limited tests. It’s best to concentrate on assessing and prioritizing areas of risk for your business and to let the results of that exercise guide your testing.

Failure to Finish

Surprisingly, many organizations fail to complete the penetration test exercise. They run the test, receive the report, but don’t organize and complete the remediation. The test is then rendered meaningless and a total waste of time and money. Prior to the pen test, be sure all affected teams are informed and aligned on how remediation will be organized and completed. It’s equally important that these remediation plans have deadlines, as the longer an issue lingers, the more likely it is to be exploited.

At Digital Defense, our team of ethical hacking experts is ready to put your systems under constructive attack. Their goal: identify your exploitable vulnerabilities before someone else does. Learn more.

Penetration Testing: What You Need to Know Now

Penetration Testing has been around for years, but many organizations are missing the mark when it comes to utilizing this security powerhouse.

About Digital Defense

Our Frontline.Cloud SaaS platform supports Frontline Vulnerability Manager™, Frontline Web Application Scanning™, and Frontline Active Threat Sweep™, which together provide:

  • Asset discovery and tracking
  • OS and web application risk assessment
  • Targeted malware threat assessment
  • Machine learning features that leverage threat intelligence
  • Agentless & agent-based scanning
  • Penetration testing for networks, mobile applications, and web applications
  • Compliance management (one of the world’s longest-tenured PCI Approved Scanning Vendors)

The Frontline.Cloud platform virtually eliminates false-positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality. Learn more.
