Penetration Testing Risks

Posted: August 24, 2010 in Prevention, Security Governance

What are the risks to someone performing a penetration test?

It seems this question has been asked a hundred times, yet the other day I was typing up the same answers again because for some reason there was no write-up.

This is generic, but hopefully it saves us all time in the future.

Risks:

Basically there are two key risks.

  1. There is no guarantee that tested systems will not suffer some form of denial of service.

This is typically a result of older legacy systems or custom applications that are taken offline by an automated vulnerability scanner, or by overly aggressive manual testing by the tester. Such systems often cannot handle malformed input, unexpected protocol states, or many concurrent connections.

  2. Bandwidth or system utilization may increase, resulting in performance loss.

Depending on the amount of automated scanning, the size of the network pipes (on both the scanning and target sides), and the number of open ports on a particular system, it is possible to overwhelm a service or network link, resulting in a performance loss even when nothing actually crashes.

Mitigating Risks:

To help prevent a denial of service, many approaches can be taken. Here are some examples.

1. Exclude legacy systems from automated testing. To ensure security coverage, perform manual testing of the excluded items.

2. Exclude custom applications from automated testing. To ensure security coverage, perform manual testing of the excluded applications.

3. Perform testing of critical systems during off hours. Critical systems can be scheduled for testing during low-volume or non-business hours.

4. Perform testing in a phased manner, starting with user acceptance testing (UAT) environments, to confirm that the actual tests do not affect particular systems or networks. Once UAT testing is complete, begin testing on production environments.

5. Set up monitoring and escalation procedures prior to testing. Ensure fault management is in place so that systems send alerts when they go down. Ensure proper phone numbers and other contact information are defined so that a problem can be investigated and services restored immediately. Escalation procedures should include contact information for the person performing the testing so that all testing can be stopped immediately if required.

To help prevent bandwidth issues, automated testing can be throttled back to use less bandwidth. The number of ports scanned can also be reduced if there is a concern about overloading a particular group of systems. Usually it is recommended to test the UAT environment instead of reducing the number of ports, because certain vulnerabilities may be missed when ports are left out.
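The following is an added example (not code from the original post) of how the mitigations above can be enforced in a small scan wrapper rather than left to the tester's memory: legacy and custom systems live in an exclusion file that the scan refuses to run without, the port list can be narrowed, packet rate is capped, and periodic progress is printed so the monitoring team can correlate alerts with scan activity. The nmap options used are real nmap options; the file names, rate values and port lists are assumptions for illustration.

```shell
#!/bin/sh
# Throttled, scoped scan wrapper (added example; not part of the original post).
# File names, rates and port lists below are constructed placeholders.

# build_scan_cmd TARGETS_FILE EXCLUDE_FILE PORTS MAX_PACKETS_PER_SEC
# Prints the nmap command line that would be run, without executing it, so it
# can be reviewed and recorded before the test window starts.
build_scan_cmd() {
    targets="$1"; excludes="$2"; ports="$3"; pps="$4"

    # A non-numeric or zero rate would silently disable the throttle, so reject it.
    case "$pps" in
        ''|*[!0-9]*|0) echo "max packets/sec must be a positive integer" >&2; return 1 ;;
    esac

    # Narrow the port list when overload is a concern; default to the well-known range.
    [ -n "$ports" ] || ports='1-1024'

    # --max-rate caps packets per second, --max-parallelism caps concurrent probes,
    # --max-retries and --host-timeout stop the scan from hammering a slow host,
    # --excludefile keeps legacy/custom systems out of automated testing,
    # --stats-every gives the monitoring team a heartbeat to correlate against.
    printf 'nmap -Pn --max-rate %s --max-parallelism 10 --max-retries 2 --host-timeout 15m --stats-every 60s -p %s --excludefile %s -iL %s\n' \
        "$pps" "$ports" "$excludes" "$targets"
}

# run_scan: same arguments as build_scan_cmd. Fails closed if the exclusion
# file is missing (a missing file would otherwise mean "scan everything").
# Prints the command instead of running it when DRY_RUN is set or nmap is absent.
run_scan() {
    excludes="$2"
    if [ ! -r "$excludes" ]; then
        echo "refusing to scan: exclusion file '$excludes' is missing or unreadable" >&2
        return 1
    fi
    cmd=$(build_scan_cmd "$@") || return 1
    if [ -n "${DRY_RUN:-}" ] || ! command -v nmap >/dev/null 2>&1; then
        echo "dry run: $cmd"
        return 0
    fi
    sh -c "$cmd"
}

# Example usage (constructed file names):
#   DRY_RUN=1 run_scan scope/prod_targets.txt scope/legacy_exclude.txt 22,80,443 50
```

Run it first with DRY_RUN=1 against the UAT scope file, check the printed command line with whoever owns the excluded systems, and only then point it at production during the agreed window.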

Comments
  1. Fernando Martin says:

    Great post. Making sure that whatever settings or parameters were changed during the pen test are set back to their original condition is the most complicated issue to me.

    Regards,

