What are the risks to someone performing a penetration test?
It seems this question has been asked a hundred times, yet the other day I was typing up the same answers again because for some reason there was no write-up.
This is generic, but hopefully it saves us all time in the future.
Basically there are two key risks.
1. There is no guarantee systems won't suffer some type of denial of service. This is typically the result of older legacy systems or custom applications being taken offline by an automated vulnerability scanner, or by overuse on the tester's part.
2. Bandwidth or system utilization may increase, resulting in performance loss. Depending on the amount of automated scanning, the size of the network pipes (on both the scanning and the target side), and the number of open ports on a particular system, it is possible to overwhelm a service or a network medium, resulting in a performance loss.
To help prevent a denial of service, many approaches can be taken. Here are some examples.
1. Exclude legacy systems from automated testing. To maintain coverage, test the excluded systems manually.
2. Exclude custom applications from automated testing. To maintain coverage, test the excluded applications manually.
3. Perform testing of critical systems during off hours. Critical systems can be scheduled for testing during low-volume business periods or outside business hours.
4. Perform testing in a phased manner, starting with user acceptance testing (UAT) environments, to confirm that the actual tests do not affect particular systems or networks. Once UAT is complete, begin testing on production environments.
5. Set up monitoring and escalation procedures prior to testing. Ensure fault management is in place so that systems send alerts when they go down. Ensure the proper phone numbers and other contact information are defined so that problems can be investigated and services restored immediately. Escalation procedures should include contact information for the person performing the testing so that all testing can be stopped immediately if required.
To help prevent bandwidth issues, automated testing can be throttled back to use less bandwidth. The number of ports scanned can also be reduced if there is a concern about overloading a particular group of systems. Usually it is recommended to test the UAT environment instead of reducing the number of ports, because certain vulnerabilities may otherwise be missed.
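The exclusion, phasing and throttling steps above can be captured in a small scan-plan builder. The following is an added example, not code from the original post: it takes a constructed host inventory tagged by environment and by risk category, pulls legacy and custom-application hosts out of automated scanning (leaving them for manual testing), orders the phases UAT before production, and derives a conservative packet rate from the smaller of the two network pipes. The nmap options used (`-T2`, `--max-rate`, `--max-retries`, `--host-timeout`, `--exclude`, `-p`) are real nmap flags; the inventory, the 10% bandwidth share and the 60-byte probe size are assumptions made for the example.

```python
"""Scan-plan builder: turns a tagged host inventory into phased, throttled,
exclusion-aware nmap invocations plus a bandwidth budget.
Added example; inventory, tags and rate figures are constructed."""
from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    tags: set = field(default_factory=set)  # e.g. {"prod", "legacy"}

# Constructed inventory (not from the post).
INVENTORY = [
    Host("10.0.0.10", {"prod", "legacy"}),
    Host("10.0.0.11", {"prod"}),
    Host("10.0.0.12", {"prod", "custom-app"}),
    Host("10.0.1.20", {"uat"}),
]

# Hosts carrying these tags are excluded from automated scanning and
# handed to manual testing instead (steps 1 and 2 in the post).
MANUAL_ONLY_TAGS = {"legacy", "custom-app"}

def split_inventory(hosts, environment):
    """Return (automated, manual) IP lists for one environment."""
    automated, manual = [], []
    for h in hosts:
        if environment not in h.tags:
            continue
        (manual if h.tags & MANUAL_ONLY_TAGS else automated).append(h.ip)
    return automated, manual

def max_packet_rate(scanner_mbps, target_mbps, share=0.10, packet_bytes=60):
    """Packets per second the scanner may send while consuming at most
    `share` of the smaller pipe. Assumes ~60-byte SYN probes on the wire;
    both figures are constructed estimates, tune them per engagement."""
    link_mbps = min(scanner_mbps, target_mbps)
    budget_bps = link_mbps * 1_000_000 * share
    return int(budget_bps / (packet_bytes * 8))

def build_nmap_command(targets, excluded, scanner_mbps, target_mbps,
                       ports="1-1024"):
    """Assemble a conservative nmap command line for one phase.
    --exclude keeps manual-only hosts out even if a range is passed;
    --max-rate enforces the bandwidth budget; -T2 and a retry cap keep
    per-host load low; --host-timeout stops a hung target from stalling."""
    rate = max_packet_rate(scanner_mbps, target_mbps)
    cmd = ["nmap", "-sS", "-T2",
           f"--max-rate={rate}", "--max-retries=2", "--host-timeout=15m",
           f"-p{ports}"]
    if excluded:
        cmd.append("--exclude=" + ",".join(excluded))
    cmd.extend(targets)
    return " ".join(cmd)

def plan_phases(hosts, scanner_mbps, target_mbps):
    """Phase ordering from step 4: UAT first, production only afterwards.
    Each phase is (environment, automated command, manual-test hosts)."""
    phases = []
    for env in ("uat", "prod"):
        automated, manual = split_inventory(hosts, env)
        if not automated and not manual:
            continue
        cmd = (build_nmap_command(automated, manual, scanner_mbps, target_mbps)
               if automated else None)
        phases.append((env, cmd, manual))
    return phases

if __name__ == "__main__":
    for env, cmd, manual in plan_phases(INVENTORY, 100, 10):
        print(f"[{env}] automated: {cmd}")
        print(f"[{env}] manual testing required for: {manual or 'none'}")
```

With a 100 Mbit/s scanner link and a 10 Mbit/s target link the budget is driven by the target side, giving roughly 2,000 probes per second; if the production phase should run in a change window, the generated command is what goes into the scheduled job, and the manual-test list is what goes to the tester alongside the escalation contacts from step 5.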