Skip to main content

5 Common Pentesting Mistakes Neeraj Mishra The Crazy Programmer

Penetration testing (or pentesting) is one of the most effective means of unearthing weaknesses and flaws in your IT infrastructure. It exposes gaps so you can plug them before a malicious party takes advantage. Whereas the benefits of pentesting are clear, a pentest is only as effective as its planning and execution. 

Substandard pentesting will not only yield results that add no value but could also endanger the very infrastructure it’s meant to help protect. Before you run a pentest or commission a third party like Emagined Security to do it for you, beware of the most common mistakes testers and businesses make. Here’s a look at some of these.

5 Common Pentesting Mistakes

5 Common Pentesting Mistakes

Disregarding Professional Ethics

A pentester must put themselves in the shoes of a real hacker if they are to model and run scenarios that mirror the real world. But that is the only thing that a tester should have in common with a cybercriminal. Importantly, the pentester should leverage their technical ability to improve security while subscribing to the highest level of ethics. 

During the test process, the pentester will likely gain access to sensitive corporate information. They’ll also become aware of the potential loopholes an attacker could use to break through the organization’s defenses. It would be a grave error if they were to disclose or utilize these privileges outside the boundaries of their authorization.

Testers must hold sacred the great trust the target organization has bestowed on them. They must subscribe to the principles of legality, confidentiality, and privacy at all times.

Unauthorized Testing

The pentester aims to identify gaps in the system. Whereas they are paid to break the rules, this has to be done with pre-authorization and predefined terms of engagement. 

Testers can get overly enthusiastic in demonstrating their skills and thus lose focus from their primary objectives. They may crash a critical system by going beyond what they are permitted to do. This can be especially destructive if part or all of the test is conducted in a live production environment.

Rules of engagement must be disseminated to all involved and any aspects that are unclear discussed beforehand. The rules would include scope, systems covered, systems excluded, types of tests, timeframe for testing, and escalation procedures during emergencies.

Not Properly Safeguarding Evidence

‘Trust but verify’ is the golden rule of auditing. This could very well be applied to pentesting too. Like all techies, pentesters sometimes perceive the capture, retention, and documentation of evidence as a distraction. If you offer no evidence to back up your test report, it’ll be difficult for decision-makers and other stakeholders to accept and act on your claims. 

From the start, determine what evidence you need to capture. At the minimum, this would include the exploited vulnerability, timestamp of the exploit, unauthorized actions you could perform, number of unsuccessful attempts, and any breach detection that occurred. This evidence is the foundation of a fact-based pentest report.

Over-Reliance on Tools

Enterprise IT infrastructure is highly complex. It’s virtually impossible to run a substantial pentest today without some reliance on automated tools – from applications like Wireshark that quickly scan targets and traffic, to solutions such as Metasploit that streamline the development of custom exploits. 

The range of tools at a pentester’s disposal is vast. So much so that one would be tempted to sit back and let these solutions do all the work. But tools are only as useful as the skill level of the person who wields them. Tools should never lead a pentesting program. Instead, they should implement the concepts, ideas, and plans the tester has already thought through.

Failure to Recognize the System is Indeed Secure

The focus of a pentest is not to achieve intrusion by all means. Instead, it’s to assess how protected the infrastructure is from the methods cybercriminals would use

Ergo, if you run an exhaustive test that doesn’t result in successful intrusion, that shouldn’t worry you. It’s ok for the test findings to conclude that the system is secure. Many rookie pentesters lose sight of the greater goal and go all out to prove some gap exists.

The road to becoming a top-notch pentester is years-long. Achieving expertise is contingent on minimizing the number of mistakes you make. Recognizing these pentesting mistakes is essential to getting your tests consistently correct.

The post 5 Common Pentesting Mistakes appeared first on The Crazy Programmer.



from The Crazy Programmer https://ift.tt/3hYNr4T

Comments

Popular posts from this blog

Difference between Web Designer and Web Developer Neeraj Mishra The Crazy Programmer

Have you ever wondered about the distinctions between web developers’ and web designers’ duties and obligations? You’re not alone! Many people have trouble distinguishing between these two. Although they collaborate to publish new websites on the internet, web developers and web designers play very different roles. To put these job possibilities into perspective, consider the construction of a house. To create a vision for the house, including the visual components, the space planning and layout, the materials, and the overall appearance and sense of the space, you need an architect. That said, to translate an idea into a building, you need construction professionals to take those architectural drawings and put them into practice. Image Source In a similar vein, web development and design work together to create websites. Let’s examine the major responsibilities and distinctions between web developers and web designers. Let’s get going, shall we? What Does a Web Designer Do?

A guide to data integration tools

CData Software is a leader in data access and connectivity solutions. It specializes in the development of data drivers and data access technologies for real-time access to online or on-premise applications, databases and web APIs. The company is focused on bringing data connectivity capabilities natively into tools organizations already use. It also features ETL/ELT solutions, enterprise connectors, and data visualization. Matillion ’s data transformation software empowers customers to extract data from a wide number of sources, load it into their chosen cloud data warehouse (CDW) and transform that data from its siloed source state, into analytics-ready insights – prepared for advanced analytics, machine learning, and artificial intelligence use cases. Only Matillion is purpose-built for Snowflake, Amazon Redshift, Google BigQuery, and Microsoft Azure, enabling businesses to achieve new levels of simplicity, speed, scale, and savings. Trusted by companies of all sizes to meet

2022: The year of hybrid work

Remote work was once considered a luxury to many, but in 2020, it became a necessity for a large portion of the workforce, as the scary and unknown COVID-19 virus sickened and even took the lives of so many people around the world.  Some workers were able to thrive in a remote setting, while others felt isolated and struggled to keep up a balance between their work and home lives. Last year saw the availability of life-saving vaccines, so companies were able to start having the conversation about what to do next. Should they keep everyone remote? Should they go back to working in the office full time? Or should they do something in between? Enter hybrid work, which offers a mix of the two. A Fall 2021 study conducted by Google revealed that over 75% of survey respondents expect hybrid work to become a standard practice within their organization within the next three years.  Thus, two years after the world abruptly shifted to widespread adoption of remote work, we are declaring 20