
What is penetration testing? 4 critical steps to address security flaws

For some businesses, vulnerability and penetration testing is a deeply
ingrained process that just works. For others, it is a mysterious aspect of
running an information security program. If you are new to penetration
testing, it can seem overwhelming and stressful. But it does not have to be
that way. With the right expectations, it can even be a straightforward and
beneficial exercise.

What exactly can you do to prepare for an upcoming vulnerability and
penetration test? This whitepaper will provide an overview of the four
phases of penetration testing, along with best practice recommendations to
walk you through the process. Armed with this knowledge, you can take the
necessary steps and find the security flaws creating tangible business risks.

ABOUT SPECOPS
Specops Software is the leading provider of password management and
authentication solutions. Specops protects your business data by blocking
weak passwords and securing user authentication. With a complete portfolio
of solutions natively integrated with Active Directory, Specops ensures
sensitive data is stored on-premises and in your control. Every day,
thousands of organizations use Specops Software to protect business data.
specopssoft.com/blog

The four phases of your security assessment

1. Planning
Action without planning is the reason for every failure. That is why this
phase of your work is the most important one. You must ask yourself (and
others involved in the security assessment process) what will be tested,
when will it be tested, and how will it be tested. If you are just starting
out, you will likely look at all the big areas of your network environment
including external network hosts and applications, internal network hosts/
applications/databases, wireless networks, and even your users via email
phishing. This is the phase where all parties get on the same page. Make sure
that you understand what will take place and that the deliverables meet your
expectations and needs.

2. Testing
During this phase, the penetration tester will perform a reconnaissance of
your network, enumerate your systems, and identify vulnerabilities. There
is a heavy reliance on security testing tools such as vulnerability scanners,
password crackers, and exploit frameworks. The important thing here
is to go beyond basic vulnerability scans, and dig further to analyze how
vulnerabilities may be exploited. This means the specific risks they create in
the context of your network environment.

The following security vulnerabilities are present on virtually every network
in some form – they must be discovered and resolved!

• Weak passwords: they are everywhere. From your domain accounts, to local operating systems,
database accounts, web applications and beyond, they are creating untold security risks. Free
tools such as Specops Password Auditor can be of great help here. Specops Password Auditor
scans your network and identifies password-related security gaps including accounts without
password complexity requirements, which can help you get a jump start on the lowest hanging
fruit.

• Missing patches: as with passwords, this is a pervasive security problem in most organizations,
especially as it relates to third-party software updates for Java, Adobe, and so on.

• Open network shares: there is hardly a network that does not have share and file permission
weaknesses exposing personally identifiable information and intellectual property.

• Misconfigured wireless networks: this is when guest users or external attackers with cracked
pre-shared keys can hop over and access internal production network segments through system
weaknesses that have been overlooked.

• Internet of Things devices: these increase the attack surface. They are often outside of the
scope of security control and visibility, such as ongoing security vulnerability and penetration
testing.

• Web sites and applications: from the local production system to software in the cloud – and
virtually everything in between, including development, test, and staging systems.

• Undiscovered databases: with increasing network complexity and shadow IT, there tends to be
numerous database systems that are housing sensitive information, yet they are out of scope in
terms of security oversight.

• Physical security access control and camera systems: these devices and their accompanying
web interfaces tend to run with default settings, including weak passwords. They are often poorly
maintained, thus exposing them to attack.

• Physical security weaknesses in buildings and across campuses: this includes improper access
controls on data centers, unmonitored security cameras, and unencrypted laptop computers that
are physically exposed.

• Web, FTP, telnet services exposing user credentials: these are often critical systems (external
and internal) running vulnerable protocols that use clear-text transmission of login information.

• Mobile devices with little to no security control: these are systems that are used by practically
everyone, including high-profile executives who are often targeted. Many users have not stopped
to think about the sensitive corporate assets and access being exposed due to weak mobile
configurations.

• Gullible users: willing to click any link or open any attachment as long as the email message is
compelling enough.

3. Reporting
Once the testing and analysis are complete, the specific findings will need to be documented. The results
cannot just exist as vaporware. Nor should they be a simple PDF file exported from a vulnerability scanner.
There needs to be context and insight provided by someone with security expertise. The report needs to
be easy to read with tangible, common-sense recommendations. In fact, organizing the findings into their
respective parts of the network (i.e. external systems, internal systems, users), and listing them based on
specific priority (i.e. critical, high, or moderate) works well.
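
An added example, not part of the original whitepaper: it takes the "Web, FTP, telnet services exposing user credentials" item from the testing phase and organizes the results the way this section describes, by part of the network and then by priority. It assumes the service inventory is available as Nmap grepable (`-oG`) output; the sample scan, the internal address range, and the priority rule are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Nmap grepable (-oG) format; not real scan data.
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///
Host: 10.0.5.20 ()\tPorts: 23/open/tcp//telnet///, 22/open/tcp//ssh///
Host: 10.0.5.31 ()\tPorts: 80/open/tcp//http///, 21/closed/tcp//ftp///
"""

# Services from the list above that transmit logins in clear text.
CLEARTEXT = {"ftp", "telnet", "http"}
# Assumption: anything inside these ranges counts as an internal system.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIORITY_ORDER = ["critical", "high", "moderate"]


def parse_grepable(text):
    """Yield (host, port, service) for every open port in -oG output."""
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue  # comment lines, status lines, anything unparseable
        # Fields after the port list (e.g. "Ignored State") are tab-separated.
        for entry in m.group(2).split("\t")[0].split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 5 and fields[1] == "open":
                yield m.group(1), int(fields[0]), fields[4]


def build_report(text):
    """Group cleartext-login findings by network area, most urgent first."""
    report = defaultdict(list)
    for host, port, service in parse_grepable(text):
        if service not in CLEARTEXT:
            continue
        internal = any(ipaddress.ip_address(host) in n for n in INTERNAL_NETS)
        area = "internal systems" if internal else "external systems"
        # Assumed rule: internet exposure is critical; internal http is
        # moderate because it may not carry a login at all.
        priority = "critical" if not internal else (
            "moderate" if service == "http" else "high")
        report[area].append((priority, host, port, service))
    for findings in report.values():
        findings.sort(key=lambda f: PRIORITY_ORDER.index(f[0]))
    return dict(report)


if __name__ == "__main__":
    for area, findings in build_report(SAMPLE_SCAN).items():
        print(area, findings)
```

Each flagged service still needs the context this section calls for: whether the port actually accepts logins and what business data sits behind it.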

4. Follow-up
You have performed your security assessment, found the flaws in your network environment, and now
know where your gaps are. What is next? Do you simply hand the report off to another team and hope that
everything is addressed? Perhaps, you turn the findings into a to-do-list for the coming year. The important
thing is that you do something.

This is where other people – developers, system administrators, executive management, and even external
vendors – will need to be involved. Unfortunately, many security assessment projects tend to stop just before
the proper follow-up with management. You can get – and keep – management on board by underscoring the
importance of the findings and how they impact overall business resilience. This means correlating specific
security vulnerabilities with business risks. You may get pushback at first as many non-technical executives
tend to think that these security issues should only be handled by IT. That is certainly not the case.

It is important to dedicate the time and resources needed to follow up on each item that is uncovered in your
security assessment. Address them directly where you can by tweaking configurations, adjusting password
requirements, applying patches, and the like. Failing to do so can lead to security debt, which only accrues
over time until it is eventually exploited.

Takeaways
Contrary to common belief and practice, a proper and in-depth security assessment is not just an exercise in
vulnerability scanning, or looking at only part of your network. It is a methodical process that takes a broad
look at your overall environment. The goal should be to find security flaws so that they can be addressed
before those with ill intent exploit them.

If there are any core lessons to be learned from security assessments, they are:
• You cannot secure the things you do not acknowledge. Vulnerability and penetration testing is the only
way to find out where you are weak.
• Vulnerability and penetration testing will not uncover every possible security flaw on your network. That
goes for the first test and for any subsequent tests.
• Testing must be performed periodically and consistently over time – at least once per year, every year.

Security testing must be a part of your ongoing IT and security operations. It is not going to solve all of your
security challenges, but it will certainly improve your IT resilience over time.
