March 30, 2021

Top 5 Risks of Penetration Testing & How Best To Mitigate Them

StickmanCyber Team
Security Penetration Testing , Proactive Cybersecurity

In our blog outlining what is a penetration test, we mentioned that it is a process of authorised hacking into your system to identify cybersecurity vulnerabilities. However, even if a hacker has your permission to break into your organization’s systems as part of a penetration test for your own benefit, it is a risky proposition as there are a number of things that can go wrong if the hacker conducting the penetration test isn’t properly accredited by a body like CREST

Below is a list of top five risks of getting a penetration test done by the wrong person and how best to combat them:

System outages

During a penetration test, the tester will exploit vulnerabilities in your organization's network and systems by breaking through security controls. During these organized attacks, the penetration tester might break into something important by accident, which may lead to a system outage. These system outages may be caused for a number of reasons, here are two of the most common reasons why it may occur during a penetration test:

Rashness - this may not be on purpose but due to inexperience or inattentiveness. On one hand an experienced tester is familiar with the systems they are testing and the tools they are using, on the other hand an inexperienced tester may misuse their tools which could lead to system outages. 

Unexpected circumstances - occasionally system outages may occur regardless of the expertise of the tester, this may be due to unforeseen events such as an application having software flaws or misconfiguration of a network device.

Complacency during a penetration test

Your organization may fail to identify an actual attack during the period of a penetration test due to complacency. There is a risk of your organization failing to recognise indications of an actual cyber attack during a penetration test, if they were to write off security alerts as part of the test. One way to mitigate this risk is for your security officer to stay in constant contact with the tester and be aware of all the IP addresses used by him/her via a whitelist. 

Decrease in productivity 

Other than possible system outages, penetration tests can lead to a decrease in productivity for employees. For example; certain types of attacks like a man in the middle may prevent certain employees from accessing the internet, or if everyone isn’t aware of the penetration test happening it may lead to unnecessary time wasted on troubleshooting. Of course some loss in productivity can be expected during a penetration test , but there are actions your organization can take to lessen the amount of productivity lost. One such way is to make sure employees are informed if they are to be impacted by the ongoing penetration test, also make sure to keep communication lines open with penetration testers, this will help limit the amount of productivity lost during a test. 

False negatives 

False negatives are vulnerabilities that are not found by penetration testers. There is a risk that even after a penetration test certain vulnerabilities may not be identified. This is why it is important to make sure that your organization’s defences against cyber attacks don’t stop at just a penetration test, regular patching is required and making sure all your security efforts are best practice is the responsibility of your organization. It is also good to get multiple perspectives on repeat penetration tests, enlist the help of different vendors for consecutive penetration tests and avoid sticking to the same tester.

Unethical hackers 

There is a risk that the penetration tester your organization hires, has unethical motives towards your valuable systems and data. They may be activists who believe that their cause is ethical or they may simply be doing it for a large sum of money. Therefore it is always important to hire a penetration tester from a company that is properly accredited. Your organization also has the right to request information on the tester assigned to carry out the hack, this information can also include background checks.

Looking to identify the vulnerabilities in your cybersecurity setup? StickmanCyber's penetration testing services brings in CREST ANZ registered testers to comb through your systems, identify possible gaps, and prepare a comprehensive list of action items to mitigate risks. 

Ready to proactively take charge of your cybersecurity. Book a penetration test today!

Similar posts

 

Optus has been hit with a major cyber attack

In today’s world businesses around the world as well as in Australia, face increasingly sophisticated and innovative cybercriminals targeting what matters most to them; their money, data and reputation. Download our guide to learn everything you need to know about the Optus Data Breach, as well as the nine steps every business around the world and in Australia needs to take to avoid being next.