What should you do after your penetration testing report?

Jan 13th 2021

We believe that continuous communication with our clients prior to, during, and, after a penetration testing engagement is vital to ensure that you get the best service from us. In this blog post we would like to discuss the events that should take place once you receive your penetration testing report so you can gain the most value from our services.

Cleaning up your environment

At the end of an engagement, any accounts that have been created for the purposes of the assessment should be deactivated and removed. Additionally, firewall rules and any other network or system changes should be reverted to their original state. At the end of an engagement, our consultants will communicate which accounts or environment changes we have requested.

In cases where test data is provided, for example a populated table within a database to support web application testing, it is important to ensure that test data is removed before the application leaves the development stage and enters a production environment. 

Our consultants are trained to perform a thorough clean-up of environments that have been assessed, such as removing any files or software we use during the penetration test. In instances where files have been written to systems through applications, clients will be consulted with immediately to a) verify the files exist on the device and confirm the vulnerability, and b) make sure the client is aware that we have performed this action and that further investigation should take place to establish whether this vulnerability may have been exploited maliciously.

Clients are encouraged to inform us if they have found any unwanted or suspicious files on devices and have concerns that these files may not have been generated during the penetration test.

Monitoring activity / Reviewing Logs

A vital part of a security assessment, particularly infrastructure and web applications assessments, is monitoring activity and reviewing system or application logs once the assessment has been completed. This will provide an insight into how effectively any security solutions are performing, and what to look out for if you suspect suspicious activity or compromise. Additionally, clients that actively monitor our activity during an engagement gain the opportunity to assess how effective IDS/IPS solutions are at detecting and preventing malicious activity in real-time.

Device and application logs can contain an overwhelming volume of information, however we recommend that they should be reviewed frequently to identify any attacks that may have bypassed any security solutions, allowing you to improve your security posture by creating new or modifying existing rules and configurations to prevent attacks in the future.

By reviewing activities performed by us during an assessment, you can increase your awareness of advanced techniques and potentially identify previously unknown breaches. 

Comparing the testing IP addresses and domains used by our consultants will allow you to quickly identify the log entries created by our activity and those that are not. This comparison may indicate whether you are actively being targeted, or if users are visiting malicious websites, some of which may be used by us within controlled phishing assessments.

An example of activity that may go unnoticed is brute forcing WordPress accounts. This sounds like activity that would typically be picked up, or even mitigated by WordPress security features. However, WordPress offers extended API functionality through the XML-RPC which can be used by malicious actors to brute force accounts and is most likely going undetected.

Many large organisations operate a Security Operations Centre (SOC), either internally or as service provided by an external partner. The purpose of the SOC is to monitor and analyse activity to detect malicious patterns and ensure that business can react to incidents quickly. A security assessment can identify if the SOC is operating effectively, and if any activity is missed, provide the required data to improve the effectiveness of the SOC. 

Remediation Plan

Once a security assessment is complete, clients will receive a detailed report of any findings which will be categorised by a severity rating. A remediation plan should be created to implement fixes for any vulnerabilities we may have discovered, where priority should be given to issues of a higher severity. However, this does not mean that less severe issues should be ignored. Deadlines for remediation of issues may be considered to ensure that all issues are dealt with in a timely manner.

Considerations

Security assessments can reveal issues that may have a significant impact on business operations when implementing controls to remediate them. It is important to consider the environment in which these controls are to be implemented, and to establish whether these controls may have any impact that should be addressed before a change can be made.

For example, during a web application assessment we may discover that the web service is provided by an old or vulnerable version of Internet Information Services (IIS). The likely recommendation would be to upgrade to the latest stable version of the affected software, however this may have unintended conflicts with other software packages that causes stability or performance issues. It is important to consider whether recommendations are appropriate in the context of your environment, and to fully test any changes before they are deployed.

Quick Fixes

Some issues in the penetration testing report can be remediated either partially or in full by implementing small changes that do not require significant effort or cost to address. For example, if we discovered a Cross-Site Scripting vulnerability within a web application, Web Application Firewall (WAF) rules may be implemented that block requests based on their content or origin while a more robust fix is implemented in the application code. Careful consideration should be taken if this is the route you intend to take, as filters may be bypassed if not implemented correctly.

Issues such as outdated or vulnerable operating system versions may be mitigated by restricting network access to the system, which will greatly reduce its attack surface whilst efforts are made to upgrade systems.

Sentrium will provide recommendations for quick fixes (where appropriate), to support remediation activities that are sometimes complex and requirement significant effort. We understand that technical security recommendations can often lack the deep contextual understanding of our client’s environments, and it is our responsibility to help navigate these challenges to the best of our ability.

Continuous Improvement

The threat landscape is ever evolving as malicious actors employ new and advanced techniques to exploit vulnerabilities in common systems and environments. Therefore, organisations must evolve with them and stay ahead to maintain a strong security posture.

Policies should be implemented setting out requirements, processes, and timescales for patch management. It is important to consider all systems within your organisation. We frequently see these examples of systems that are not effectively patched;

  • Network devices, such as switches and routers 
  • Infrastructure management systems, such as network connected back-up solutions, storage controllers and remote server management controllers (HP iLO / DELL iDRAC)
  • Web application libraries and service software 
  • Third-party software packages on End User Devices (EUDs) and servers 

Recommendations towards security best practice for your specific environment will be made for each issue identified. This knowledge should be used to ensure that any future projects are built with security in mind and security best practices are adhered to. Where penetration tests frequently highlight similar issues across different environments, it may be appropriate to consider an underlying cause, such as reliance on a software version or a lack of appropriate training for IT staff who are unfamiliar with a certain technology.

Finally, we advise our clients to perform retesting once issues have been resolved. This process shall confirm whether the remediation of identified vulnerabilities in the penetration testing report has been effective, or whether further work is required to fully resolve the issue. We often suggest regular (bi-annual or annual) testing of critical or frequently changing environments, as this will detect issues that arise because of new vulnerabilities or changes.

If you have any concerns about your IT security and would like to talk to us, get in touch today.

How to protect against a phishing attack

How to secure data in cloud computing

What are the security risks of cloud computing?

How to maintain security when employees work remo...

How to identify and avoid phishing attacks

What is penetration testing and why is it important?