1. Plan ahead. You’ve probably heard that you’re more likely to make it to the gym if you pencil in your workouts ahead of time. Well, you’re also more likely to meet your security goals if you plan out the necessary maintenance at the beginning of the year. If you haven’t already, now is a great time to map out your 2015 pen testing calendar and budget. The specifics will be different for each organization, but if you’re looking for a rough guide, I generally recommend once per quarter (and internal network testing at least once per year). If that feels like a lot, remember that attackers are testing your network every day.
2. Don’t neglect physical security. In almost every public facility (banks, hospitals, etc.) you’ll find live, unprotected network jacks in areas anyone can walk through: plug in a laptop and you’re on the internal network, with no port authentication (802.1X or another form of network access control) to stop you. Given the amount of time and resources these organizations spend securing their wireless networks, it’s surprising how many of them ignore these physical points of entry. In addition to taking a good look around your physical workspace, consider potential events and company procedures that could put information at risk. What if a fire alarm went off, or the building had to be evacuated for another reason? How does the reentry process work? Would it be easy for an intruder to sneak in with the returning crowd? It’s okay to get a little paranoid here – better safe than sorry.
3. Review relevant company policies and your security incident response plan. Are you a badass hacker who’s ready to go rogue? Well, chill out. This is not an adventure you should embark on without written authorization that spells out scope, timing and who to call if something breaks. There’s always a chance that a test will take a system down, and if that happens, you’ll want to feel confident you were acting within your company’s guidelines and prepared to carry out your up-to-date security incident response plan.
4. Think in terms of business risk. You can't conduct penetration tests across your entire IT infrastructure – that could require testing thousands of devices. Step back and ask, "What am I trying to protect? What are my critical assets?" In addition to sensitive information like credit card numbers and healthcare details, this includes any programs or resources your company needs in order to function. What if email became unavailable? How would that impact the business?
5. Get the easy stuff done before bringing in any outside folks. If you’re paying a contractor to carry out a basic vulnerability scan on your website, you’re throwing money out the window: that is something your own team should run and fix before the engagement, so the consultant’s time goes to the things a scanner can’t find. And if that’s not something your team knows how to do, you’ve got a problem that a consultant can’t fix.
6. Choose the right tool. The tool you choose should handle complex environments, but shouldn’t be too complex to use. If you’re new to pen testing, choose a tool with an instructive wizard that can guide you through the process without compromising capability. Of course there are lots of really capable, powerful tools out there, but some are easier to use than others.
7. Prioritize remediation. After you’ve performed internal and external pen tests, you could end up with hundreds of confirmed vulnerabilities to fix. Where to start? Generally, a compromise occurs when multiple vulnerabilities are "connected" across different vectors (network, web, etc.), creating a chain that leads an attacker from an initial foothold to your critical assets. We call this an attack path. You’ll want to start remediation efforts with vulnerabilities along these paths, and a vulnerability that sits on every path to an asset is the best first fix, because closing it alone breaks all of them.
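To make the attack-path idea concrete, here is an added example (not code from the original post or from any particular product) that turns a list of findings into a ranked remediation list. The host names, findings and connectivity are constructed for illustration; the model is that each finding lets an attacker who already holds one host take the next one, paths are enumerated from an external entry point to the critical assets, and each finding is scored by how many of those paths it sits on.

```python
"""Rank pen-test findings by the attack paths they enable (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (foothold host, target host, finding)

# Constructed findings, as a pen-test report might list them. Each tuple
# means: an attacker who already controls `foothold` can abuse `finding`
# to gain control of `target`. Host names and findings are hypothetical.
FINDINGS: List[Edge] = [
    ("internet", "web01", "web: SQL injection in web01 login form"),
    ("internet", "vpn01", "network: guessable VPN credentials on vpn01"),
    ("web01", "app01", "network: unpatched RPC service on app01"),
    ("vpn01", "app01", "network: unpatched RPC service on app01"),
    ("app01", "db01", "config: db01 reuses app01 local admin password"),
    ("web01", "fileshare", "network: anonymous SMB share on fileshare"),
    ("internet", "printer", "network: default admin password on printer"),
]
ENTRY_POINT = "internet"              # where an external attacker starts
CRITICAL_ASSETS: Set[str] = {"db01"}  # what the business must protect


def build_graph(findings: List[Edge]) -> Dict[str, List[Edge]]:
    """Adjacency list: foothold host -> edges leading out of it."""
    graph: Dict[str, List[Edge]] = defaultdict(list)
    for edge in findings:
        graph[edge[0]].append(edge)
    return graph


def attack_paths(graph: Dict[str, List[Edge]], start: str,
                 targets: Set[str]) -> List[List[Edge]]:
    """All simple paths (no host revisited) from `start` to any target host."""
    paths: List[List[Edge]] = []

    def walk(host: str, visited: Set[str], trail: List[Edge]) -> None:
        if host in targets:
            paths.append(list(trail))
            return  # the asset is reached; going further adds nothing
        for edge in graph.get(host, []):
            nxt = edge[1]
            if nxt in visited:
                continue
            trail.append(edge)
            walk(nxt, visited | {nxt}, trail)
            trail.pop()

    walk(start, {start}, [])
    return paths


def rank_findings(findings: List[Edge],
                  paths: List[List[Edge]]) -> List[Tuple[str, int, bool]]:
    """Return (finding, number of attack paths it sits on, is_chokepoint).

    A chokepoint is a finding present on every path to a critical asset:
    fixing it alone severs all of them, so it belongs at the top of the
    list. Findings on zero paths are still real, but they are not how an
    attacker reaches the assets you care about, so they sort last.
    """
    on_path: Dict[str, int] = defaultdict(int)
    for path in paths:
        for finding in {edge[2] for edge in path}:  # count once per path
            on_path[finding] += 1
    names = sorted({f for _, _, f in findings})
    ranked = [(f, on_path[f], bool(paths) and on_path[f] == len(paths))
              for f in names]
    ranked.sort(key=lambda r: (-r[1], not r[2], r[0]))
    return ranked


if __name__ == "__main__":
    found = attack_paths(build_graph(FINDINGS), ENTRY_POINT, CRITICAL_ASSETS)
    for p in found:
        print(" -> ".join([p[0][0]] + [e[1] for e in p]))
    for name, count, choke in rank_findings(FINDINGS, found):
        print(f"{count:>2} path(s) {'CHOKEPOINT ' if choke else ''}{name}")
```

With the constructed data there are two paths to db01 (via web01 and via vpn01), and both the unpatched service on app01 and the reused database password lie on each of them, so they rank first; the anonymous SMB share and the printer default password are genuine findings but sit on no path to the critical asset and drop to the bottom. In a real engagement the edges come from the tester's actual pivots, not from a scanner's severity ratings, which is the point of ranking this way.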