Top 8 Penetration Testing Fails

Although challenging, penetration testing is definitely the coolest job in cyberspace! When you, as a pen tester and legal assassin, are entrusted with such a nifty job, it is important that you do it proper justice and exceed your clients' requirements.

Based on my experience so far, here are the top eight pitfalls that every pen tester or ethical hacker should take note of:

1. Blurry scope of the test: Sometimes clients don't know what they want, and that easily leads to hazy expectations. Many times I have seen clients who don't know the basic difference between a vulnerability assessment (VA) and a penetration test (PT). Failing to have a clear, well-defined scope of testing can lead to confusion and, eventually, to missed vulnerabilities and an incomplete assessment of the system's security.

2. Not keeping up with industry best practices: Cybercrime is evolving, and penetration testing techniques need to evolve accordingly. Failing to stay up to date with industry best practices can lead to missed vulnerabilities and ineffective testing. OWASP, OSSTMM, NIST, PTES, and ISSAF are some solid methodologies to consider to stay in the game. A word of caution here: although your approach needs to be robust, it also needs to be flexible, flexible enough to adapt to the requirements of the client.

3. Total dependence on automated tests: Automated tools can be useful, but they should not be the only method used for testing. Depending on the environment, in some cases the only thing the tools provide is garbage. Manual testing is not just important but VERY important. A skillful pen tester can identify vulnerabilities that automated tools may not detect, e.g., process breakdowns, information leakage, program crashes, system failures, etc. Although security tools have evolved immensely, the human aspect is still missing from them.

4. Weak PT reports: Reports help an organization make well-informed decisions. I have many times seen how easily and quickly a pen tester's poor reporting skills overshadow the brilliance of their pentest skills. The report should be drafted with two audiences in mind, the technical reader and the non-technical reader, and connect with both of them. The report should have a section that elaborates on the findings with evidence, using facts, charts, and graphs to support its intent.

5. Poor mitigation actions: The best pen testing effort can soon become hopeless if there is no proper mitigation plan to fix the findings. The worst part is that your system or application is then at risk of being exploited through an already known vulnerability. Failing to follow a mitigation plan can undermine the effectiveness of the penetration test.

6. Not mimicking a real attacker: Pen testers should strive to think like an attacker in order to identify and exploit vulnerabilities. In order to beat them you need to think like them. In my opinion, all pen testers should give MITRE ATT&CK a good read. ATT&CK provides good scenarios that can help pen testers think like attackers and understand how they execute the cyber kill chain.

7. Not testing thoroughly: Sometimes the most ignored system ends up being the doorway to your kingdom. Don't just focus on the most obvious targets. Make sure you test all relevant systems and applications, including those that may not be publicly accessible.

8. No remediation testing: Reporting is not the last stage of a pen test; remediation testing is. But many times I have seen clients ignore this altogether. Remediation testing requires one more iteration to verify that the vulnerabilities have been fixed and that the systems are now safe. Failing to do remediation testing in time can undermine the effectiveness of the original penetration test, as the system may still be vulnerable even if the PT exercise was initially deemed a success.

Pen tests should be done on a periodic basis. This ensures that your systems and applications remain up to date and that any newly introduced vulnerabilities are identified in a timely manner.

In general, it is a good idea to conduct penetration testing at least once a year, and more frequently if your organization handles sensitive data or experiences rapid changes in its systems or networks.

It is better that you find your vulnerabilities before the hacker does.

Danish Durrani

Principal Consultant

GreyDetect Corp