THE IT SECURITY PROFESSIONAL | Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
The Results are In

While most of the focus of pen testing rests on getting the test set up and configured in a way that will provide your business the most bang for its buck, it is important to remember that the results are what will help you drive IT Security within your organization. The data that is provided will be invaluable in helping you harden your network for the next round of testing.

Raw Data

Once the testing is completed, the raw data that you get from the testing team will help to determine your next steps. This data may need to be parsed or massaged into a form that is consumable for members of the management team. The data will contain information that is useful to you, but your executive team may get lost in the nuances of what type of vulnerabilities were found on your web server.

Priorities

Determining the priorities and the remediation effort that you will give to each of the various severity levels will be the top issue once you get the data back. While there are various ways in which to separate this information, validating the information will be one of your critical tasks. Some common ways of sorting these vulnerabilities are:
Counting Down

Once the value that will be given to the vulnerabilities found during your penetration testing has been determined, the important work will begin: the remediation of those vulnerabilities in a timely manner. How long should you give to your remediation efforts? This is a question that all IT Security Professionals will ask themselves as they look at the amount of work that is now set before them. The time should be limited and doable based on the resources you have available. Also, depending on the number of vulnerabilities that were found, you may want to allow a little time to make sure that you will be able to accomplish all the updates and patching before the next test takes place. Whatever you do, it should be done with a sense of urgency, since you now know about these possible threats (you aren’t going to sleep for a while, if ever again…) and the potential impact they may have on your company. This will be one area in which you will have to make sure that you have buy-in from your management team and that they understand the potential threat to the business.

Testing Frequency
When conducting pen-testing attacks against your network, you want to make sure that you are getting the most bang for your buck (pun intended) in that you get the most valuable information on which you can take action. Whether you are following PCI DSS, HIPAA, or even GLBA, you will have to test on a regular basis and have a clean test (meaning that no HUGE issues were found), which means you met the minimum standards. These requirements range from just once a year to once a quarter for some regulations. A good rule of thumb is to allow the remediation efforts to be completed and your Patch Management and Change Management Programs to kick into full gear again after the testing has been completed. This will give you the most realistic additional data points from another test conducted a short time after the first. In addition, the pen-testing firm may offer follow-on testing as well, which will target those key areas where you may have had trouble or that may have been high-risk.

Summary

Whatever choices you make concerning pen-testing, it is an important tool in the toolbox of IT Security Professionals. The services of Ethical Hackers can be invaluable to companies as we live in a world full of ever-increasing threats. Whether you are conducting testing on a yearly basis or every quarter, the data that you find in the testing report will allow you to harden your network against those threats.
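As an added example, not part of the original post, here is the parsing, validation and prioritisation step from the Raw Data, Priorities and Counting Down sections carried out on a small constructed set of findings: unvalidated items are held back, each confirmed finding gets a severity from its CVSS score and a remediation due date from an assumed per-severity SLA, and a per-severity count is produced for the executive summary. The findings, hosts, SLA days and report date are all constructed for illustration.

```python
# Added example on constructed data: parse, validate, rank and schedule findings.
from collections import Counter
from datetime import date, timedelta

# CVSS v3.x qualitative rating bands: score floor -> label.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
# Assumed remediation deadlines (days after the report date), per severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "Info": 365}

# Constructed raw findings, shaped like a tester's export. 'validated' records
# whether your team confirmed the finding is a true positive.
RAW_FINDINGS = [
    {"host": "web01", "title": "Outdated TLS configuration", "cvss": 5.3, "validated": True},
    {"host": "web01", "title": "SQL injection in login form", "cvss": 9.8, "validated": True},
    {"host": "db01", "title": "Default SNMP community string", "cvss": 7.5, "validated": True},
    {"host": "app02", "title": "Verbose error pages", "cvss": 3.1, "validated": True},
    {"host": "app02", "title": "Possible XSS (unconfirmed)", "cvss": 6.1, "validated": False},
]

def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative label ('Info' for 0.0)."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "Info"

def prioritise(findings: list, report_date: str) -> list:
    """Keep validated findings only, attach severity and ISO due date, and sort
    worst-first (severity band, then descending score)."""
    start = date.fromisoformat(report_date)
    plan = []
    for f in findings:
        if not f["validated"]:
            continue  # unconfirmed items go back to the tester, not onto the plan
        sev = severity(f["cvss"])
        due = start + timedelta(days=SLA_DAYS[sev])
        plan.append({**f, "severity": sev, "due": due.isoformat()})
    plan.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["cvss"]))
    return plan

def executive_summary(plan: list) -> dict:
    """Counts per severity: the view management needs, without the nuances."""
    return dict(Counter(f["severity"] for f in plan))

if __name__ == "__main__":
    plan = prioritise(RAW_FINDINGS, "2023-01-15")
    print(executive_summary(plan))
    for f in plan:
        print(f"{f['severity']:<8} {f['cvss']:>4} {f['host']:<6} due {f['due']}  {f['title']}")
```

The sort key puts the Critical SQL injection first and drops the unconfirmed XSS entirely, so the executive summary reflects only what your team has validated.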
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.