What Should I Do to Prepare for an Upcoming Penetration Test?

Asked By CuriousCat92 On

I have a client who's scheduled to have some penetration testers come in about a month from now, focusing on their internal infrastructure. From what I gather, they're planning to scan using unprivileged accounts and a regular domain user account. We've already patched the areas we're contracted to address, and I've run scans with Nessus Pro using those unprivileged and domain user accounts, which haven't raised any major concerns. However, I know the pen testers might dig deeper than the automated scans. I'm curious about what specific areas or vulnerabilities I should be checking for, considering the client didn't request we harden their environment to a particular standard. Any advice?

10 Answers

Answered By ToolTimeCharlie On

If you want to get a head start, consider using tools like Ping Castle, Bloodhound, or PurpleKnight. These can help identify any glaring issues early on. Also, discuss testing boundaries and ensure any important people in your organization are informed about the testing schedule to avoid panic if something critical occurs.

Answered By RiskyBusiness21 On

Expect them to find some minor issues that they’ll blow out of proportion to justify their fees. In the past, I've seen testers label basic domain password policy issues as 'critical' just because they didn't meet high standards. It's all about how they frame their findings, so be prepared for that.

CuriousCat92 -

Yeah, I anticipate having to negotiate on some of those findings. We've had issues flagged before, like password policy requirements for complexity and rotation that seemed excessive. I’m starting with what Nessus identifies as it’s well-regarded in the field.

CyberSleuth45 -

Exactly! Nessus is solid, but just don’t be surprised if the findings come back more extreme than anticipated.
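The exchange above settles on starting from what Nessus identifies. As an added example that is not part of the thread, the script below triages a `.nessus` (v2 XML) export the way a sysadmin would before the testers arrive: it counts non-informational findings by severity, ranks hosts by their worst finding, and flags hosts whose scan ran without credentials, because an uncredentialed scan only sees what is exposed over the network and skips the local checks a tester holding a domain account will go after. The sample export is constructed; plugin IDs 900001-900003 and their names are placeholders, while 19506 is the real Nessus "Scan Information" plugin, and the assumption is that its output carries a `Credentialed checks : yes/no` line.

```python
"""Triage a Nessus .nessus (v2 XML) export before the testers arrive.

Added example, not code from the thread. Counts non-informational findings
by severity, ranks hosts by their worst finding, and flags hosts whose scan
ran without credentials (no local checks, so the result understates risk).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Values of the "severity" attribute on <ReportItem>.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Plugin 19506 ("Nessus Scan Information") reports per host whether
# credentialed checks ran. Assumption: its output contains the line
# "Credentialed checks : yes" or "Credentialed checks : no".
SCAN_INFO_PLUGIN = "19506"

# Constructed sample export. Plugin IDs 900001-900003 and the finding
# names are placeholders, not real Nessus plugins.
SAMPLE_NESSUS = """
<NessusClientData_v2>
 <Report name="internal-prescan">
  <ReportHost name="10.0.0.5">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
       pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Scanner IP : 10.0.0.2
Credentialed checks : yes</plugin_output>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
       pluginID="900001" pluginName="Placeholder high SMB finding" pluginFamily="Windows">
    <risk_factor>High</risk_factor>
   </ReportItem>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
       pluginID="900002" pluginName="Placeholder medium RDP finding" pluginFamily="Windows">
    <risk_factor>Medium</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
       pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Scanner IP : 10.0.0.2
Credentialed checks : no</plugin_output>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
       pluginID="900003" pluginName="Placeholder low web finding" pluginFamily="Web Servers">
    <risk_factor>Low</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return (findings, uncredentialed_hosts).

    findings: one dict per <ReportItem> with severity > 0.
    uncredentialed_hosts: host names whose scan info says credentialed
    checks did not run, i.e. hosts that were only checked from outside.
    """
    root = ET.fromstring(xml_text.strip())
    findings = []
    uncredentialed = set()
    for host in root.iter("ReportHost"):
        host_name = host.get("name")
        for item in host.findall("ReportItem"):
            plugin_id = item.get("pluginID")
            severity = int(item.get("severity", "0"))
            if plugin_id == SCAN_INFO_PLUGIN:
                output = item.findtext("plugin_output", "")
                if "Credentialed checks : no" in output:
                    uncredentialed.add(host_name)
            if severity > 0:
                findings.append({
                    "host": host_name,
                    "port": item.get("port"),
                    "severity": severity,
                    "plugin_id": plugin_id,
                    "name": item.get("pluginName"),
                })
    return findings, uncredentialed


def severity_summary(findings):
    """Count findings per severity label, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(SEVERITY_NAMES[f["severity"]] for f in findings))


def hosts_by_worst_severity(findings):
    """Rank hosts by their single worst finding, highest severity first."""
    worst = {}
    for f in findings:
        worst[f["host"]] = max(worst.get(f["host"], 0), f["severity"])
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found, no_creds = parse_nessus(SAMPLE_NESSUS)
    print("By severity:", severity_summary(found))
    for host, sev in hosts_by_worst_severity(found):
        flag = "  (uncredentialed: local checks not run)" if host in no_creds else ""
        print(f"{host}: worst={SEVERITY_NAMES[sev]}{flag}")
```

Run it as-is to see the ranking for the constructed sample, or pass the contents of a real export (`open(path).read()`) to `parse_nessus`. The uncredentialed flag is the one to act on first: a host with only a Low finding but no local checks is not a clean host, it is an unexamined one.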

Answered By PasswordNinja On

Password policies are key. Be prepared for any passwords containing common words; they’ll likely get flagged during the test.

CuriousCat92 -

I’m glad to hear we're good on that front, as we enforce strong, complex passwords for what we manage. Anything outside of that is on the client.

AdminSavant -

Totally, just make sure your policies are airtight across the board.

Answered By TechWhiz83 On

Honestly, you might not need to do much prep. Pen tests are intended to reveal issues in your current setup. If you’re just providing a general outline of the infrastructure and maybe a few credentials, that should be sufficient. Over-preparation could lead you astray.

Answered By AdminGuru404 On

A lot of so-called pen tests are really just glorified vulnerability scans. A true pen test can cost a lot more, sometimes 15-20 times the price! Review your contract carefully; they might require admin creds for everything and could run an automated tool from a VM. They may conduct a manual investigation based on the automated results.

Answered By DocMaster On

Definitely work on your documentation. Even if they don’t specifically ask for it, having your designs and procedures ready shows you've put in the effort and can help clarify processes during the test.

Answered By LetThemLoose On

Just let the testers do their job. You want the testing to resemble a real-world scenario; otherwise, you risk getting skewed data.

Answered By SysAdminSam On

Prepare the client for the possibility of some false positives, which can happen. If you're in a sysadmin role, running your own tests and having a solid baseline script can cover most issues.

Answered By GrayHatPro On

If you're getting proactive testers, ideally, they should be testing your business-as-usual operations rather than any specific changes you make in anticipation of their visit. Make sure a low-privileged account is ready for them, and clarify how they’ll connect to your network. Everything's a trade-off between the time they'll spend and the findings they'll generate, depending on your objectives.

CuriousCat92 -

That makes sense. We're not contracted for additional hardening beyond what we already do, but I want to ensure we're in a good spot. It's more about what they might discover on top of what Nessus shows and any quick fixes we should address.

SecurityNinja7 -

You’re on the right track! Just make sure to cover the basics of security best practices.

Answered By DocumenterDude On

Focus on updating your documentation instead of changing configurations. It can save you a lot of headaches and is often what testers ask to see.
