Imagine a situation: you are an information security specialist, and you know that the protection you have built is complete nonsense. Perhaps you don’t actually know this, but you don’t really want to check, because who wants to leave the comfort zone and do extra work: implement protective measures, mitigate risks, justify the budget?
Suddenly there is a need to conduct security testing; for example, management has taken a fancy to the idea, or a new legislative requirement has appeared. You could find a “fly-by-night” outfit that will imitate the work and write that everything is fine, and that would be the end of it, but the situation becomes more complicated. Your company decides to run a competitive tender and do it as thoroughly as possible: write a proper technical specification, set high requirements for the team of pentesters (certifications, participation in bug bounty programs), etc. In short, everything has been done for you, and your responsibility is only to supervise the work.
So, the team was found, the contract was signed, and it is impossible to persuade the specialists to carry out the pentest in a slipshod way. The guys are smart; they will start work on Monday and blow your information security to hell, after which you will be left holding your hat and your incompetence will be revealed. The situation seems utterly deplorable, but it is not! Here is some advice on how to eliminate, or at least minimize, this headache.
There is no need to coordinate literally every step: which tools the penetration testers may use, which attacks they will carry out, what risks this poses to your information security system. There is no need to ask for a detailed, almost hourly, test plan for every day. Rest assured that the pentesters will hate you for it. They believe their work is creative, but you are telling them that nothing beyond routine work is required of them. And remember the time: try to coordinate the necessary points as quickly and as briefly as possible, even if you have a large company and need many approvals: from system owners, from IT, from security officers, etc.
Large and mature businesses, and especially “effective managers,” so often unwittingly overdo it with approvals that it demotivates the entire team. As a result, people have no drive to work, no desire to be creative and really hack something.
Allow information to be exchanged between the different directions of testing (internal, external, and social engineering). Organize the separate streams of work, preferably with different specialists, so that information is passed between directions, even though you need to identify the risks for each direction accurately.
If insider information (obtained from the inside) was used to break in from the outer perimeter, be sure to count such work, even if it does not match the declared scope. And conversely, if information obtained through social engineering came in handy for the internal pentest, great, so much the better for you!
In a classic pentest, the results of each direction are required independently, as if a real attacker were confined to that one direction. But in fact, APT groups don’t work that way.
There is no need to announce to the whole company that you are performing a penetration test. Otherwise, all the sticky notes with credentials will be removed, no one will open attachments in their mail, and no one will plug found flash drives into a USB port. Do not send employees with privileged access rights on vacation or training, do not turn off their computers, and do not force them to change their QWERTY password to a random one for the duration of the penetration test.
Do not create heightened vigilance and reduced activity within the company. Do not try to artificially reduce the chances of attacks aimed at employees and of the attack developing further within the network. Such cases do happen in reality: the work begins, and it is obvious that people have been warned, their passwords have recently been changed, and they are suspicious of the “white hat hackers.” And some of the computers cannot be checked, because the people who were sent for training happened to be away by “pure accident.”