S3 E28: Common Penetration Testing Mistakes
Transcript
Jordan Eisner
All right, welcome back. Another episode of Compliance Pointers, this time with Matt Lawson, who’s a repeat guest. Although Matt is first time on camera, you chose your wardrobe very nicely. That’s a great-looking shirt.
Matt Lawson
I love it. It’s one of my favorites.
Jordan Eisner
Yeah, it’s good. Somehow I wound up with two, so I can wear it twice as often.
Matt Lawson
Huh. I need to, uh, I need to talk to who gave you those so I can get one too.
Jordan Eisner
Yeah, I’m sure somebody said, hey, do we have any extras lying around? It’s good. It’s a comfortable shirt. So for our watchers and listeners, Matt is our manager, senior manager over our pen testing group, and has a long career in pen testing and information security. He’s worked managing teams, I’d say, close to a decade, right? But before that I know you had experience in the public sector, private sector, fintech, in the Navy for a long time, not all pen testing and, you know, cyber, but still IT/IS adjacent.
Matt Lawson
Yes, that’s correct. Lot of different things, so.
Jordan Eisner
Yes. So we’re gonna have you talking way more than me on this podcast, ’cause you’ve done thousands of, you know, pen tests and I’ve done zero.
But it’s OK. I’ll ask questions like somebody that’s done zero and will create a good podcast, hopefully, right. That’s the idea for people that don’t know what they’re doing, to ask questions of people that know exactly what they’re doing. And that’s you. So thanks for taking the time and coming on.
We, as you’ve probably guessed, if you’re listening or watching, we’re going to be talking about pen testing, common mistakes organizations make that can impact really the efficiency and the effectiveness of that testing.
This could be them doing it themselves internally. It could be leveraging third parties. Some of the questions are pretty basic and I think it’s a good starter. And depending on where this goes, maybe we get a layer deeper in a follow-up podcast, Matt, but we’ll try and keep it short and sweet for the audience today.
Let’s start at the very beginning. What are some of the mistakes that you see organizations make with pen testing, and maybe like with their scope? That’s a common one that, you know, I see you’re probably going to mention, but what are some common mistakes you see organizations make, and where can you add some color on where they make it, particular to the scope of the pen test?
Matt Lawson
Sure, sure. Actually, I made a great point. I was going to touch on that definitely. You know, one of the most common issues that people make, especially businesses when they’re coming in and they decide that they need to have a pen test, is not defining that scope enough, or at least not putting the breadth of everything that they have into scope. You know, an example of that might be you might have a business who just focuses on the external side of things. It’s, you know, at least a great step for that. They’re looking, you know, outside in, but it doesn’t necessarily touch on the inside, which, you know, can be a common way of threat actors actually, once they get a foothold on that internal side of things, you know, where they go from there, right? That’s where all of the crown jewels are, is inside. But if you’re only protecting the gate that comes inside, you’re not necessarily taking all of the best steps that you could. So we have other folks that just focus on the network side of things, but there’s a large component to their, you know, application side that they just don’t include as well. So that’s one of the most common things that people do. They tend to just not throw everything in there, and, you know, that may be for various reasons, or, you know, some of the more common reasons that they may do that is because they don’t know. They don’t have an idea of what they should be including in the pen test because they may not have experience doing so.
Jordan Eisner
OK, well, let’s move right along then. OK, yeah, that makes sense, Matt. Understanding, right? Not defining the scope enough.
What about tools? What are some mistakes you see from a pen testing tool standpoint?
Matt Lawson
Sure. So there’s two types of mistakes here. One is, you know, a misunderstanding of what a penetration test is and how that’s, you know, different from, let’s say, like a vulnerability scan. And then the other side of it is the type of penetration testing, you know, boutique shop or, you know, compliance firm that you go with, you know, as a customer. And the main thing there kind of revolves around the use of maybe automated tooling, which, you know, it’s great, at least initially from an enumeration or discovery perspective. But, you know, it does tend to miss quite a bit of what is actually out there that a threat actor can do. And again, that falls back to automated tooling, which is really the same problem with both of those scenarios that I presented. You might have automated tooling used too much, which again is great, but it doesn’t really give you what a penetration test should be, which is somebody behind the keyboard with expertise, certified knowledge, and the ability to manually go through and validate anything that’s found, along with, you know, doing some things that might not be available within a vulnerability database.
Jordan Eisner
Right.
Yeah, no, it makes a lot of sense to me. Of course, we do 100% manual pen testing, so I’m biased, right?
Matt Lawson
Yes, yeah, I’m a big proponent of doing things the long way. May not necessarily be the work smarter, not harder way, but it definitely gives you a good detailed focus as a pen tester.
Jordan Eisner
Yeah.
Why?
Matt Lawson
Of being able to chase down what we like to term as the rabbit hole.
Jordan Eisner
OK.
What about the testing environment?
Matt Lawson
The biggest mistake that I see, at least from a testing environment perspective, is always, and I’ll use an example, if somebody was to isolate the tester from the rest of their environment, basically setting it up in like a nonstandard. An example for that would be, let’s say you’re on an internal network test for an organization, and all of their users and the rest of the targets exist in a completely separate network, but they put the pen tester’s initial starting point, their attack platform, in a completely isolated network and just allow connectivity through, let’s say, a firewall. This eliminates a lot of attack surface that could be discovered by, let’s say, a threat actor that gets into the organization, because the threat actor is not going to be put in an isolated environment. They’re typically going to take the path of breaching a user and then breaching that user’s system, which is going to be placed around all of the other users and the targets that are available, you know, adjacent to them.
Jordan Eisner
Right.
Yep, OK, it’s a good one. Some good quick hitters here you got. Speaking of, you know, threat actors and trying to simulate that, what are some commonly overlooked, you know, ethical attack methods, you know, ethical hacking methods when you’re simulating it, you’re trying to, you know, mock the bad guys? What are some areas that the bad guys use quite frequently, or more times than not, that for whatever reason testing and mock testing doesn’t take into the equation the same amount?
Matt Lawson
Sure, yeah. I think one of the most common ones is the social engineering aspect. You know, even getting a phishing engagement set up and performed by a penetration tester is leaps and bounds better to mimic what an actual threat actor can actually do than either not doing it or relying upon, you know, mostly the automated solutions. We hear a lot of clients that will come in and say, well, I used KnowBe4 or, you know, something similar to some kind of compliance training, and they do a great job, at least in terms of training people to efficiently see what a phishing e-mail looks like. But it’s not necessarily going to end up being a real-world scenario. Not every threat actor is sending a phishing e-mail that has misspellings. Not every threat actor is sending such an obvious spoofed e-mail address along with their, you know, their payload. It’s very, very important to get something custom going because you’re really going to get human ingenuity included in that, that machines just can’t do. The automated templates just can’t mimic that at that point.
Jordan Eisner
Yeah, yeah. I guess it’s always the cost-benefit analysis, right? Now, I’ve always been told or seen statistics that, you know, phishing or, you know, internal employees clicking on stuff is a big cause or, you know, a high percent of incidents that occur. So you would imagine that getting more specialized and more sophisticated in how you simulate that would be worth it to decrease it. But I agree with you. You know, I see the phishing and I take the test, and then I don’t know that I’ve ever actually had somebody try to simulate social engineering against me. That would be interesting to see on our employees, and, you know, how that would unfold and if it would cause more harm than good, you know, in some instances.
Matt Lawson
Sure.
Well, you know, one of the things I always try to make everybody understand too, everybody thinks there’s a big difference between small to medium businesses and the giant enterprises. And that’s because, you know, there’s a lot more that can be put into the security, you know, from a financial perspective, in between those different types of businesses. But the one thing that they always have in common is people, and people are the most vulnerable resource or asset of a business. It’s the easiest way in for a threat actor, so it’s very smart to actually do that testing on them outside of the standard, you know, training that is involved, you know, in the annual process.
Jordan Eisner
Right. OK. Yeah, it all makes sense. All right, looking towards the end here. What about after the tests? Any common mistakes you see there? And hopefully I’m not, you know, taking your answers away from you, and it’s not, you know, people not doing anything with the results, but maybe that’s a big part.
Matt Lawson
You know, that could be a huge part of it, but, you know, honestly, even during the remediation process, because, you know, an actual pen tester is going to be there after you’re done pen testing to provide some guidance on remediation. But when there’s not enough documentation on that customer’s side to be able to provide evidence and ensure that this is truly remediated, that’s one of the biggest pieces. You know, people could say, hey, yes, I’ve remediated this and we did this, but then, you know, if they didn’t provide that next step of documentation, here you go, here’s the evidence, and then allow us to go back and validate that, that can be a big issue. It drags along the remediation process quite a bit. And the other side of it is customers coming back 60, 90, 120 days after they’ve had their penetration test done and, you know, wanting us to validate those remediation efforts that they performed, but, you know, within that long time period, it’s definitely difficult for us to say that the environment has not changed since we performed that penetration test. So definitely two of the biggest issues that I see, at least across the board.
Jordan Eisner
Understood.
I don’t know. I think that about does it for today. Those are some good high-level ones, some common mistakes that you’re seeing. I think any organization getting down the route, or any individual, right, getting down the route of signing on to a pen test for the first time or deciding to conduct one internally, you know, these may be obvious, but in your opinion, and you’ve been doing this a long time, commonly overlooked. So it would be a good refresh for somebody, or at least a first introduction into, you know, mistakes to avoid. So, I will remind everybody listening and watching that CompliancePoint performs pen tests, right. So we do have a cybersecurity arm as part of our practice. We help organizations with their vulnerability management programs, with penetration testing, whether it be network, application, and that’s mobile or, you know, web applications, so many different layers, many different degrees, many different complexities. And we would welcome any conversations people have around these services and the value and the benefits and what’s all involved. And of course, if you’re listening to this podcast, you know that we touch on cyber, we touch on data privacy, we touch on data security, and a whole host of things. So I would encourage you to subscribe, leave feedback, leave a review, and then continue to tune in. Matt, thank you for your time today.
Matt Lawson
Really appreciate you guys for having me. Thanks.