We're preparing for a penetration test scheduled in about a month for a client, who will be testing their internal infrastructure. They're planning to scan using unprivileged accounts and a normal domain user account. We've done our part by applying all necessary patches, and my scans with Nessus Pro from both unprivileged and domain user perspectives have not raised any alarms. However, I'm expecting the pen testers to dig deeper. What additional checks should I consider beyond the outputs from Nessus, especially since the client hasn't requested specific hardening standards?
5 Answers
Honestly, not much needs to be done from your side. A penetration test is meant to expose issues as they are, so if your preparation involves just an outline of your infrastructure and some basic credentials, you're on the right track.
If you're looking for a head start, consider tools like Ping Castle or Bloodhound to identify potential vulnerabilities. Set clear boundaries on what parts of your infrastructure they're allowed to test, and discuss who should be informed inside your company about the testing plans.
Most so-called pen tests turn out to be just vulnerability scans anyway. The actual cost of a genuine pen test can be up to 15-20 times more. Review the contract closely; it’s likely they'll ask for admin credentials to run automated scans from a VM. Afterwards, they might do some manual checks depending on those results.
Before the test, focus on keeping your documentation up to date. They might request to see your designs and procedures, even if they're not mandatory.
Expect them to report some minor issues as critical threats to justify their fees. I've seen them over-hype things like domain password policies, flagging rules that aren't even industry standard, like having a 20-character password with a 30-day change.
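The question compares Nessus results taken from an unprivileged and a domain-user perspective. As an added example, not code from any poster in this thread, the script below parses two `.nessus` (v2 XML) exports with only the standard library, counts findings by severity for each perspective, and lists the findings that only the credentialed scan surfaced, which is the set most worth reviewing before the testers arrive. The two embedded exports, including hosts, plugin IDs and plugin names, are constructed sample values and are not real scan output.

```python
"""Compare an unprivileged and a credentialed Nessus export (.nessus v2 XML).

The exports below are constructed samples (hosts, plugin IDs and names are
made up) so the script runs offline.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample: what an unauthenticated scan of one host might export.
UNPRIV_SCAN = """<NessusClientData_v2>
 <Report name="internal-unpriv">
  <ReportHost name="10.0.0.5">
   <HostProperties><tag name="host-fqdn">fs01.corp.example</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
               pluginID="900000" pluginName="SMB signing not required (sample)"
               pluginFamily="Misc."><risk_factor>Medium</risk_factor></ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900009" pluginName="Scan information (sample)"
               pluginFamily="Settings"><risk_factor>None</risk_factor></ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""

# Constructed sample: the same host scanned with a domain-user account.
CRED_SCAN = """<NessusClientData_v2>
 <Report name="internal-domain-user">
  <ReportHost name="10.0.0.5">
   <HostProperties><tag name="host-fqdn">fs01.corp.example</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
               pluginID="900000" pluginName="SMB signing not required (sample)"
               pluginFamily="Misc."><risk_factor>Medium</risk_factor></ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Missing security update (sample)"
               pluginFamily="Windows : Microsoft Bulletins">
    <risk_factor>High</risk_factor>
    <plugin_output>Installed build is older than the patched build.</plugin_output>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="1"
               pluginID="900002" pluginName="Weak local audit policy (sample)"
               pluginFamily="Windows"><risk_factor>Low</risk_factor></ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900009" pluginName="Scan information (sample)"
               pluginFamily="Settings"><risk_factor>None</risk_factor></ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem; missing attributes default to safe values."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']", default="")
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name", ""),
                "fqdn": fqdn,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "severity": int(item.get("severity", "0")),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def severity_counts(findings, include_info=False):
    """Count findings per severity name; informational items are skipped by default."""
    counts = Counter()
    for f in findings:
        if f["severity"] == 0 and not include_info:
            continue
        counts[SEVERITY_NAMES.get(f["severity"], "Unknown")] += 1
    return counts


def _key(f):
    # A finding is the same finding if host, plugin and socket match.
    return (f["host"], f["plugin_id"], f["port"], f["protocol"])


def findings_only_in(credentialed, unprivileged):
    """Findings in the credentialed scan that the unprivileged scan did not see,
    highest severity first."""
    seen = {_key(f) for f in unprivileged}
    return sorted((f for f in credentialed if _key(f) not in seen),
                  key=lambda f: (-f["severity"], f["host"], f["plugin_id"]))


def triage_report(unpriv_xml, cred_xml):
    """Summary used to decide what to fix before the engagement starts."""
    unpriv, cred = parse_nessus(unpriv_xml), parse_nessus(cred_xml)
    return {
        "unprivileged": severity_counts(unpriv),
        "credentialed": severity_counts(cred),
        "credential_only": findings_only_in(cred, unpriv),
    }


if __name__ == "__main__":
    report = triage_report(UNPRIV_SCAN, CRED_SCAN)
    print("unprivileged:", dict(report["unprivileged"]))
    print("credentialed:", dict(report["credentialed"]))
    for f in report["credential_only"]:
        print(f"{SEVERITY_NAMES[f['severity']]:8} {f['host']} {f['plugin_id']} {f['plugin_name']}")
```

To use it on real exports, read the two `.nessus` files into strings and pass them to `triage_report`; the `credential_only` list is where the non-informational gap between the two perspectives shows up, which is usually missing patches and local configuration checks that no unauthenticated probe can see.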