By Oksana Vassilieva, Senior Manager, Cyber Security Testing Practice

How to get the most value from penetration testing

Penetration testing (or pentesting) should be a regular part of any organization’s cybersecurity routine, with most experts recommending it be done at least once per year. It’s one of the easiest things you can do to identify and address gaps in your security posture that could be exploited by a malicious threat actor.

While your penetration testing vendor will handle most of the work, there are a few things you should do before, during and after the pentest to ensure it goes as smoothly as possible – and to get maximum value from its findings.

What is penetration testing?

The aim of penetration testing is to find weaknesses in your network defences before an actual attacker can. Authorized testers do this by emulating the tactics, techniques and procedures (TTPs) used by bad actors to gain access to systems and other assets.

There are three types of pentests, which vary in the amount of information and degree of access provided to the evaluator:

  • Black box pentest: The tester has no information about your network. This supports a more authentic emulation of a true attack, where the bad actor would likely lack insider knowledge of your systems.
  • Grey box pentest: The tester has some information about your network, and low-level credentials for access. This approach offers a deeper exploration of potential weak points or vulnerabilities, and can simulate a more targeted real-world attack.
  • White box pentest: The tester has detailed information about your network as well as full access. This enables a more comprehensive assessment of both internal and external vulnerabilities.

The Penetration Testing Execution Standard (PTES) identifies seven steps, from pre-engagement interactions and intelligence gathering to post-exploitation analysis and reporting. Taking certain actions throughout this process can help maximize the value of a penetration test to your cybersecurity efforts.

What to do before penetration testing

The pre-engagement stage sets the foundation for the whole process by establishing the testing parameters. For best results:

  • Understand what needs protecting (e.g., critical systems, sensitive data) as well as any business or operational risks and threats facing your organization. This will help the vendor define the testing scope, goals and approach.
  • Ensure the vendor understands all the regulatory requirements for data privacy and security that apply to your industry and jurisdiction.
  • Identify a testing schedule that would minimize disruption to your normal operations, accounting for peak usage times and other relevant factors.
  • Dedicate all necessary resources (systems, networks, personnel) to help the test run smoothly and avoid delays.
  • Brief key internal teams on the testing, including IT, security and management.
  • Draft and sign any necessary legal agreements, for example, non-disclosure agreements (NDAs) and rules of engagement (ROE).

The depth of the intelligence gathering phase will differ depending on the type of penetration test: black, grey or white box. In general, you can facilitate it by taking the following steps:

  • Share any relevant information about the targeted scope, such as your networks, systems, applications, technology stack and user accounts (e.g., network diagrams, details on software and hardware in use, a list of user accounts and their permissions).
  • Disclose previously known vulnerabilities so the evaluator can avoid redundant testing.
  • Identify systems and data to be avoided during the testing – especially important if you’re in a strictly regulated industry like finance or healthcare.
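As an added illustration (not code from the article or from Bell), here is a small scope-and-window gate a testing team could place in front of its tooling so that the exclusions and testing schedule agreed before the engagement are enforced mechanically rather than by memory. The addresses, exclusion and window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list[str]                      # networks the client authorized for testing
    excluded: list[str]                      # systems to avoid; always wins over in_scope
    windows: list[tuple[int, time, time]]    # (weekday, start, end); 0=Monday; end < start = overnight

    def target_allowed(self, target: str) -> tuple[bool, str]:
        addr = ip_address(target)
        if any(addr in ip_network(n) for n in self.excluded):
            return False, "target is on the exclusion list"
        if not any(addr in ip_network(n) for n in self.in_scope):
            return False, "target is outside the agreed scope"
        return True, "in scope"

    def in_window(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        for wday, start, end in self.windows:
            if start <= end:                  # same-day window
                if day == wday and start <= t < end:
                    return True
            else:                             # overnight window spilling into the next day
                if day == wday and t >= start:
                    return True
                if (day - 1) % 7 == wday and t < end:
                    return True
        return False

    def check(self, target: str, when: datetime) -> tuple[bool, str]:
        ok, reason = self.target_allowed(target)
        if not ok:
            return False, reason
        if not self.in_window(when):
            return False, "outside the agreed testing window"
        return True, "allowed"


# Constructed example: TEST-NET ranges, one excluded host, Saturday 22:00 to Sunday 06:00.
ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24", "198.51.100.10/32"],
    excluded=["192.0.2.250/32"],
    windows=[(5, time(22, 0), time(6, 0))],
)


def check_target(target: str, when_iso: str) -> tuple[bool, str]:
    """Gate one target at an ISO-8601 local timestamp against the constructed ROE."""
    return ROE.check(target, datetime.fromisoformat(when_iso))
```

A real engagement would load the scope from the signed ROE document and log every refusal so it can be reviewed with the client.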

What to do during penetration testing

During the threat modelling phase, the vendor defines the potential risks and vulnerabilities in your system and how an attacker might take advantage of these to compromise your security, access restricted or sensitive data, or impact your organization. You can facilitate this stage by ensuring members of your team are available to answer questions or provide further documentation to clarify your system’s architecture or potential threat scenarios.

What to do after penetration testing

After the penetration test concludes, the vendor will provide a report outlining their findings and recommendations. Take the time to thoroughly walk through the report’s findings with the vendor. Ask questions to ensure you fully understand any vulnerabilities or risks identified and solutions proposed.

Then plan out remediation actions with your IT and security teams. Prioritize those you can handle internally. For more complex issues, reach out to the vendor or another expert for support. It’s critical to evaluate the effectiveness of any remediation activities, so also plan to retest identified vulnerabilities that you’ve taken steps to resolve.

Explore penetration testing services and more from Bell

As shown, the point of a penetration test is to identify potential vulnerabilities that a malicious user can exploit. Let’s work together to stop threat actors. Contact us to set up your pentest today.