Penetration tests are security checks used to examine IT systems for vulnerabilities. The purpose of such tests is to find out whether it is possible for third parties to tamper with a device or piece of software, mainly to cause malfunctions or intercept data traffic. There’s no doubting the benefit of penetration tests: an independent security check of the IT systems can enhance the security of the entire IT landscape. But simply carrying out tests is only half the battle. The tests need to be prepared for, and their outcome needs to be well documented. After all, it’s also about providing clear evidence that these tests took place – if only to justify the budget for these measures.
The purpose of penetration tests
Such security tests are not popular with everyone, however. The Managing Board, for example, doesn’t like them because they’re costly and because the benefits are not immediately obvious. IT security is not tangible. Secure IT systems are more stable and are likely to fail less frequently, but how are you supposed to research and verify that? It’s all rather time-consuming. The tests also very often raise concerns in IT departments, because they involve checking whether applications and IT systems were properly configured in the past. If IT systems are implemented using setup checklists, then compliance with these mandatory requirements is checked at the same time. If, for example, the checklist specifies that a default password on a piece of hardware needs to be changed and the test reveals that it wasn’t, the consequences for the employee responsible could be pretty unpleasant. But the penetration test is not about checking up on employees and naming and shaming them. It’s about finding such gaps, and checking and verifying the security targets that the company has set. The purpose of each penetration test carried out should be documented in the IT manual and communicated within the IT department and within the company.
Penetration tests need to be planned in advance
Penetration tests should be carried out regularly, once or twice a year depending on their type and the company’s security needs. Internal tests, with a penetration tester on site, might take place once a year; websites and other services reachable from the Internet perhaps twice a year. But as the person responsible, you need to consider how to prepare for the tests and how to document the actions and observations that result from them.
Preparing for the next penetration test should be a continual process integrated into your day-to-day work. Every time an IT system or a whole IT service is implemented or considerably changed, for example after a hardware replacement, the installation of a new software version, or a change of software, a check should be scheduled. Not necessarily immediately, but at the latest when the next test is due. For new applications, a penetration test can also be carried out before the application goes live; at that point the test doesn’t disrupt anything yet. Since the IT documentation will (hopefully) be updated in those cases anyway, why not leave a note for the next security check in there too?
Planning penetration tests in advance and documenting them with Docusnap
If you use the Docusnap documentation tool, you can set this up in the standard version of the software without any further adjustments. Simply use the application’s comment function. Comments can be entered both for IT systems and for system groups.
Create a separate comment type and call it “Penetration test”. Before the start of the penetration test or at the briefing, a list of the systems to be checked can be handed over to the tester.
Alternatively, the reminder function, or a combination of both, can be used. Put in the reminder what needs to be tested in the IT system or system group, and record the result in the comment function. If penetration tests are carried out periodically, this builds up a chronological record of the completed measures.
Internal know-how versus external service provider
There are two options for carrying out such security checks: either you do them yourself, or you look for an external service provider. Discuss your aims with the service provider and you’ll find a way. It might be a good idea to change providers from time to time, or to work with two providers from the beginning so that they can take turns. Their different approaches will produce different results.
A disadvantage of your own employees carrying out tests may be that the results of checks are not entirely neutral. However, this depends on the size of the company. If the company is big enough for it to have an auditing department, tests can certainly be carried out internally.
Use existing tools
Another option is to manage the planning and documentation of penetration tests in your ticketing system, if you have one. You will certainly find a way of doing it there. The simplest approach might be a plain Excel table. Which option is best is up to the company; there is certainly no right or wrong way of doing it. Choose a solution that fits your company and, if in doubt, start with the software you already have. The process will then evolve on its own.