In our blog outlining what is a penetration test, we mentioned that it is a process of authorised hacking into your system to identify cybersecurity vulnerabilities. However, even if a hacker has your permission to break into your organization’s systems as part of a penetration test for your own benefit, it is a risky proposition as there are a number of things that can go wrong if the hacker conducting the penetration test isn’t properly accredited by a body like CREST.
Below is a list of top five risks of getting a penetration test done by the wrong person and how best to combat them:
System outages
During a penetration test, the tester will exploit vulnerabilities in your organization's network and systems by breaking through security controls. During these organized attacks, the penetration tester might break into something important by accident, which may lead to a system outage. These system outages may be caused for a number of reasons, here are two of the most common reasons why it may occur during a penetration test:
Rashness - this may not be on purpose but due to inexperience or inattentiveness. On one hand an experienced tester is familiar with the systems they are testing and the tools they are using, on the other hand an inexperienced tester may misuse their tools which could lead to system outages.
Unexpected circumstances - occasionally system outages may occur regardless of the expertise of the tester, this may be due to unforeseen events such as an application having software flaws or misconfiguration of a network device.
Complacency during a penetration test
Your organization may fail to identify an actual attack during the period of a penetration test due to complacency. There is a risk of your organization failing to recognise indications of an actual cyber attack during a penetration test, if they were to write off security alerts as part of the test. One way to mitigate this risk is for your security officer to stay in constant contact with the tester and be aware of all the IP addresses used by him/her via a whitelist.
Decrease in productivity
Other than possible system outages, penetration tests can lead to a decrease in productivity for employees. For example; certain types of attacks like a man in the middle may prevent certain employees from accessing the internet, or if everyone isn’t aware of the penetration test happening it may lead to unnecessary time wasted on troubleshooting. Of course some loss in productivity can be expected during a penetration test , but there are actions your organization can take to lessen the amount of productivity lost. One such way is to make sure employees are informed if they are to be impacted by the ongoing penetration test, also make sure to keep communication lines open with penetration testers, this will help limit the amount of productivity lost during a test.
False negatives
False negatives are vulnerabilities that are not found by penetration testers. There is a risk that even after a penetration test certain vulnerabilities may not be identified. This is why it is important to make sure that your organization’s defences against cyber attacks don’t stop at just a penetration test, regular patching is required and making sure all your security efforts are best practice is the responsibility of your organization. It is also good to get multiple perspectives on repeat penetration tests, enlist the help of different vendors for consecutive penetration tests and avoid sticking to the same tester.
Unethical hackers
There is a risk that the penetration tester your organization hires, has unethical motives towards your valuable systems and data. They may be activists who believe that their cause is ethical or they may simply be doing it for a large sum of money. Therefore it is always important to hire a penetration tester from a company that is properly accredited. Your organization also has the right to request information on the tester assigned to carry out the hack, this information can also include background checks.
Looking to identify the vulnerabilities in your cybersecurity setup? StickmanCyber's penetration testing services brings in CREST ANZ registered testers to comb through your systems, identify possible gaps, and prepare a comprehensive list of action items to mitigate risks.
Ready to proactively take charge of your cybersecurity. Book a penetration test today!