Introduction
This article is intended for the PenTest vendor as well as the PenTest receiver. The idea is to give the reader a set of tips to follow so that, while the pentest is being conducted, you do not harm the systems or their availability. These tips refer mostly to infrastructure or web application testing and not to protocol, application or other types of security tests.
Things to Remember
Lower Performance
PenTest Provider – Do not conduct any test which might cause degraded performance without specifically asking the receiver of the work beforehand and agreeing on a narrow time frame for the attack. Bear in mind that automated scanners such as Acunetix will fill out every form they find and bombard the system with requests, ARP poisoning will disconnect users from the domain without their work being saved, and exploits might cause BSODs and other unexpected errors and malfunctions. Be very aware of the tests you are conducting and spell out the implications of each attack when asking for confirmation.
PenTest Receiver – While your web application or infrastructure is being tested you should expect at least some degraded performance. Even if your pentester will not perform stress testing, most attacks cause lower performance to some degree. Make sure to give your pentester a threshold of performance degradation that you are willing to accept, measured against a baseline taken before the test, and agree on what happens when it is crossed.
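One way to turn the agreed threshold into something both sides can act on is a small watchdog that samples an agreed health URL before and during the test and calls for an abort when the agreed limit is crossed. The following is an added example, not code from the original article; it assumes a hypothetical agreement of "p95 response time may not exceed 2x the pre-test baseline and no probe may fail", the URL and the latency samples are constructed for the demo, and `probe_http()` shows what a real sample would look like.

```python
"""Latency watchdog for a pentest window (added example, not from the article).

Assumed agreement (hypothetical): p95 latency of an agreed health URL may not
exceed 2x the baseline measured before the test, and no probe may fail.
The sample data below is constructed so the script runs offline.
"""
import math
import time
import urllib.request


def percentile(samples, pct):
    """Nearest-rank percentile of a list of latencies in seconds."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def probe_http(url, timeout=5.0):
    """One real probe: returns (latency_seconds, ok). Not used by the offline demo."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            ok = 200 <= resp.status < 400
    except Exception:  # timeouts and connection errors count as failed probes
        ok = False
    return time.monotonic() - start, ok


class DegradationWatchdog:
    """Compares each sampling window against a baseline taken before the test."""

    def __init__(self, baseline_latencies, max_slowdown=2.0, max_failures=0):
        self.baseline_p95 = percentile(baseline_latencies, 95)
        self.max_slowdown = max_slowdown
        self.max_failures = max_failures

    def evaluate(self, window):
        """window: list of (latency, ok) tuples. Returns (abort, reason)."""
        failures = sum(1 for _, ok in window if not ok)
        if failures > self.max_failures:
            return True, f"{failures} failed probes (limit {self.max_failures})"
        latencies = [lat for lat, ok in window if ok]
        if not latencies:  # every probe failed: nothing to compare, abort
            return True, "no successful probes in window"
        p95 = percentile(latencies, 95)
        slowdown = p95 / self.baseline_p95
        if slowdown > self.max_slowdown:
            return True, f"p95 {p95:.3f}s is {slowdown:.1f}x baseline {self.baseline_p95:.3f}s"
        return False, f"p95 {p95:.3f}s ({slowdown:.1f}x baseline)"


# Constructed data: baseline before the scan, then three windows during it.
BASELINE = [0.10, 0.12, 0.11, 0.13, 0.10, 0.12, 0.11, 0.14, 0.12, 0.11]
WINDOW_OK = [(0.15, True), (0.18, True), (0.16, True), (0.20, True), (0.17, True)]
WINDOW_BAD = [(0.30, True), (0.45, True), (0.60, True), (0.35, True), (0.50, True)]
WINDOW_ERRORS = [(0.12, True), (5.0, False), (0.11, True), (5.0, False), (0.13, True)]


def run_demo():
    """Returns the abort decision for each constructed window."""
    wd = DegradationWatchdog(BASELINE, max_slowdown=2.0, max_failures=0)
    return [wd.evaluate(w)[0] for w in (WINDOW_OK, WINDOW_BAD, WINDOW_ERRORS)]


if __name__ == "__main__":
    wd = DegradationWatchdog(BASELINE)
    for name, window in (("ok", WINDOW_OK), ("bad", WINDOW_BAD), ("errors", WINDOW_ERRORS)):
        abort, reason = wd.evaluate(window)
        print(f"{name}: {'ABORT' if abort else 'continue'} - {reason}")
```

In a real engagement the baseline would be collected with `probe_http()` for a few minutes before the first tool is started, and the same probe would feed `evaluate()` every window during the test; the receiver keeps the numbers, so the decision to stop is not left to the tester's judgement alone.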
Your Data is NOT Safe
PenTest Provider – Be discreet and delicate. Remember that you are entering the company's back yard and then moving on to the bedroom. Anything you find during the test is confidential and should be disclosed only to the contact person in the organization. Do not pass the information further, not even to team members who are working with you at the company but are not on the same project.
PenTest Receiver – Most tests and attacks need to be carried out in order to be checked. An obvious example is SQL injection: you can craft a payload to suit your needs, but to find out whether a field is injectable you must inject something. This means that most attacks will actually be executed against your systems so that their result can be verified. Make sure that your DRP and backup systems are in working order before the test, and that the backups have actually been restored successfully at some point.
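The SQL injection point above cuts both ways: the tester has to inject, but can choose probes that only read. The following is an added example, not code from the original article; the "application" is a constructed in-memory SQLite table with a deliberately vulnerable lookup (and a parameterised one for comparison), and the probe uses only boolean conditions, so the row count before and after shows that nothing was written.

```python
"""Non-destructive SQL-injection probe (added example, not from the article).

The target is a constructed in-memory SQLite "app". The probe injects, as the
article says it must, but only with boolean conditions (AND 1=1 / AND 1=2),
never with a statement that writes, so the backup is there for the unexpected,
not for the expected.
"""
import sqlite3


def build_demo_app(vulnerable=True):
    """Constructed target: a products table and a lookup by SKU."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, sku TEXT)")
    db.executemany("INSERT INTO products (name, sku) VALUES (?, ?)",
                   [("widget", "W-1"), ("gadget", "G-2"), ("gizmo", "Z-3")])
    db.commit()

    def lookup_vulnerable(sku):
        # Deliberately vulnerable: user input concatenated into the query.
        query = "SELECT name FROM products WHERE sku = '" + sku + "'"
        try:
            return [row[0] for row in db.execute(query)]
        except sqlite3.Error:
            return None  # a real app would show an error page here

    def lookup_safe(sku):
        # Hardened form: bound parameter, the quote is just data.
        rows = db.execute("SELECT name FROM products WHERE sku = ?", (sku,))
        return [row[0] for row in rows]

    return db, (lookup_vulnerable if vulnerable else lookup_safe)


def boolean_probe(lookup, known_value):
    """Return True if the parameter behaves as injectable.

    The field is flagged only when a TRUE condition reproduces the normal
    result and a FALSE condition removes it. Both probes are read-only.
    """
    baseline = lookup(known_value)
    if not baseline:
        return False  # need a known-good value to compare against
    with_true = lookup(known_value + "' AND 1=1 --")
    with_false = lookup(known_value + "' AND 1=2 --")
    return with_true == baseline and with_false == []


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def run_demo(vulnerable=True):
    """Returns (injectable, rows_before, rows_after) for the constructed app."""
    db, lookup = build_demo_app(vulnerable)
    before = row_count(db)
    injectable = boolean_probe(lookup, "W-1")
    after = row_count(db)
    return injectable, before, after


if __name__ == "__main__":
    print("vulnerable lookup:", run_demo(True))   # injectable, data untouched
    print("parameterised lookup:", run_demo(False))
```

The same comparison can be done with any read-only condition; what the receiver should ask is that time-based, stacked-query and out-of-band payloads, which can lock tables or create records, are listed and approved separately before the test.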
Double-Check Everything
PenTest Provider – Double-check everything. After the meeting in which you listed the scope, the sensitive items not to be tested, the information you need to gather and everything else, send the meeting's minutes to the customer. Ask them to verify every point and don't leave anything hanging or on a 'maybe'.
Double-check your tools and exploits. If you are like me, you have many tools: some you have written, some your friends wrote and some are open source tools you have downloaded. Make sure you know each of them by its code and not just by its syntax. You need to understand how each and every tool works, not just for the efficiency of the test but also to know whether a tool might cause data discrepancies, crashes, performance degradation, disconnections or any other impact under various conditions. You are a technical person. Your job is to be an expert. Be one.
PenTest Receiver – Double-check your pentester. Do a little background check. Try to find out how many tests they have done and how much experience they have. Preferably ask a friend or co-worker who has ordered consulting from that vendor to tell you a bit about their method of work. Don't look for the 'crazy genius'. Smart hackers are important, but look for those who are tidy and careful in their conduct with you. Give them specific boundaries: what they are allowed to use or test, which systems must not be put at risk at any point and which may be, and maintain a constant channel of communication during the test. If you are not certain about your pentester's capabilities but have no choice since they have been hired by your employer, back up your IT staff with a couple of the more qualified workers for the night.
Try to have the test happen at night or on weekends, while fewer people are working. This may be inconvenient and may even mean higher fees from your vendor (and they should ask for more), but it ensures that you can give more time to your pentester if they require anything, and that if something goes wrong you have a larger time frame to fix it while no personnel are working.
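The boundaries agreed in the meeting (scope, exclusions, test window) are only useful if they are checked before each tool is launched rather than remembered at 3am. The following is an added example, not code from the original article: a pre-flight gate that refuses a target unless it is in the confirmed scope, not on the exclusion list, and the current time is inside the agreed window. The scope entries, hostnames and window hours are hypothetical values constructed for the demo.

```python
"""Pre-flight scope and time-window gate (added example, not from the article).

Scope, exclusions and window below are constructed placeholders; in practice
they are the list the customer confirmed in writing after the kick-off meeting.
"""
import ipaddress
import sys
from datetime import datetime, time

# Hypothetical confirmed scope (RFC 5737 documentation ranges and .test names).
IN_SCOPE = ["192.0.2.0/24", "198.51.100.10", "app.example.test"]
EXCLUDED = ["192.0.2.5", "192.0.2.100/30", "erp.example.test"]
# Agreed window: 22:00 to 06:00 on any day, or all day Saturday/Sunday.
WINDOW_START = time(22, 0)
WINDOW_END = time(6, 0)
WEEKEND_DAYS = {5, 6}


def _parse_entry(entry):
    """Scope entries are CIDR ranges, single IPs or hostnames."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry.lower()


def _matches(target, entries):
    """True if target (a single IP or a hostname) falls under any entry."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    for entry in map(_parse_entry, entries):
        if isinstance(entry, str):
            if addr is None and target.lower() == entry:
                return True
        elif addr is not None and addr.version == entry.version and addr in entry:
            return True
    return False


def in_window(now):
    """True if `now` is inside the agreed window (overnight range wraps midnight)."""
    if now.weekday() in WEEKEND_DAYS:
        return True
    t = now.time()
    return t >= WINDOW_START or t < WINDOW_END


def check_target(target, now):
    """Return (allowed, reason). Exclusions win over scope; the window is checked last."""
    if _matches(target, EXCLUDED):
        return False, f"{target} is on the exclusion list"
    if not _matches(target, IN_SCOPE):
        return False, f"{target} is not in the agreed scope"
    if not in_window(now):
        return False, f"{now:%a %H:%M} is outside the agreed test window"
    return True, f"{target} cleared for testing"


if __name__ == "__main__":
    # Usage: gate.py TARGET [TARGET ...]; exit 1 if any target is refused.
    now = datetime.now()
    refused = 0
    for target in sys.argv[1:]:
        allowed, reason = check_target(target, now)
        print(("OK   " if allowed else "STOP ") + reason)
        refused += 0 if allowed else 1
    sys.exit(1 if refused else 0)
```

A wrapper script can call this gate before invoking a scanner and refuse to start on a non-zero exit, which turns "which systems are not to be put at risk" from a memo into something the tooling enforces; hostnames are compared literally, so a target that is only reachable through an alias needs both names on the list.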