NAT rule. If one internal object must reach another through the firewall, create a No NAT exception in your NAT rules.

The Old Smash and Grab (How Pen-Testers Break Your Stuff)

Written by: Rick Deacon

So you have some things you’d like to have pen-tested. Maybe it’s some web applications or a subnet of Internet facing IP addresses. Maybe it’s just some of your internal network or internal physical security. Either way eventually everyone should have a third party do a penetration test on the services you own or are running. A third party penetration test will almost always be beneficial in the sense that you know where you or your company stands in that segment of information security. You also know about your weaknesses before someone else does. Obviously this is pretty well-known knowledge.

It has come to my attention in the past few months that companies handle doing their penetration testing services differently. While this for the most part can be a good thing, especially if you have multiple tests run, sometimes it can be detrimental and actually leave you with more headaches.

I have noticed that in the information security world today, some companies are living by the smash and grab type of idea system. They run into your network or your web application and attempt to break/steal/dismantle/wreak havoc on anything they possibly can. They are entirely malicious and non-caring. They attempt to gather as much credit card or personal information as they can as well as your login credentials and other private or sensitive materials. Now of course, this isn’t always a harmful thing. Knowing you’re vulnerable and having the proof to show some decision-makers gets things moving for fixes very quickly.

The problem with the companies that are doing this, and leaving you with a pile of rubble, is that they do not offer help. They are not willing to share how they exploited you. They just want you to know that they came in because XYZ System is vulnerable and that they stole the CEO’s credit card and login credentials. Which of course is a really cool, fascinating story... but is it really all that helpful? The answer is no. If they’re not giving you the means to fix the situation or even telling you how THEY broke in, how are you expected to handle this? Not everyone has 60 hours a week to spend trying to fix something they don’t understand. Especially if the system in question is of high importance and a fix would require downtime. Penetration tests need to be ‘full-service’ so to speak. So while they’re pumping your gas, they’re washing your windows.

Now, the way I see it (and the way Hurricane Labs sees it) is a very different approach from the above mentioned. We start off by finding your vulnerabilities, which may include anything from some missing input validation to an expired SSL certificate. We then find the ‘biggest’ vulnerabilities and immediately report them to the customer so that they can act quickly on those in order to prevent some major data loss or downtime. We do this because we are trying to help before someone else tries to hurt, and not just ‘see what we can break’.

Once these more important vulnerabilities are established, documented, tested and reported, we move on to testing the smaller ones to see if they can be exploited in such a manner that would be conducive to another immediate report of the vulnerability. After those have all been thoroughly tested and recorded, we move on to the even smaller, less intrusive or less severe problems. These are documented for reference to the customer and flagged as being less problematic, but still important.

Once we have discovered all types of vulnerabilities, whether they be very severe or minor, we then let the customer give us feedback and ask for help. We will gladly provide help for all our customers so that they can get their configurations correct, set up their web application inputs properly or maybe even patch systems as necessary. It is our job as hackers/pen-testers/deviant individuals to take the knowledge we have and apply it to help our customers. We’re not just here to run in and break things (despite it being fun), we’re here to help prevent future damages and prevent future incidents.

In conclusion, basically, penetration tests need to be taken a step further than they normally are. This isn’t a hack contest or ‘see who can break what’, it’s a service to provide a means for Network Awareness which in turn will lead you to a secure network/service/web application. Data loss and downtime are very serious concerns and flexing your hacker muscles by breaking them in a pen-test, but not helping to fix the issues, does nothing but waste time, waste resources, and cause more headaches.