Here is a guide that explains the best practices to follow before, during and after network penetration testing.
1.) Pre-Test Stage
This section lists the activities to pay attention to before penetration testing.
- Define the scope. Regardless of the pen-test type, specify the number of networks, the IP address range within each network, the subnets and the computers to avoid any misunderstanding. Otherwise, pen testers might leave some network systems untested or, worse, hack third-party systems.
- Define the time frame. Penetration testing shouldn’t disrupt your company’s everyday operations. Imagine if a pen tester used a technique involving heavy network traffic. If used at peak times, it could overload the network and crash it.
- Decide whether you want your IT security and technical teams to be in the know. Unannounced penetration testing is a good way to assess the readiness of your security team. Yet the team may slow the test down or even block it, for example, by cutting off the pen testers’ access from the internet.
2.) Test Stage
This section covers practices followed by pen testers while conducting network penetration testing.
- Gather as much customer information as possible. Pen testers use the customer’s website, WHOIS databases and web search engines.
- Conduct a network survey. This process provides pen testers with server names and domains, the range of IP addresses owned by the organisation, information about closed and open network ports, and the operating systems and services that are running.
- Determine existing vulnerabilities. At this stage, pen testers scan the network looking for vulnerabilities to use for a penetration attempt. Vulnerability scanning can be automated or manual. A combination of the two methods will boost the effectiveness of the process considerably.
- Identify suitable targets. Pen testing will always be conducted within a time frame set by you. So, out of the list of vulnerable targets on your network, it’s essential to choose the right ones so as not to waste time and effort on unnecessary work. It is sensible to choose the servers as the primary targets for penetration testing.
- Attempt penetration. To exploit vulnerabilities, pen testers use specialist, customised tools. These tools categorise vulnerabilities based on severity. This helps to provide the customer with a report of vulnerabilities that need to be fixed immediately.
3.) Post-Test Stage
Network penetration, as such, is over. But the penetration testing procedure isn’t. Two stages are left: cleaning up and report generation.
- Report generation. A well-structured report is a welcome help in risk management. It should start with an overview of the penetration testing process, followed by the most critical network vulnerabilities, which need to be addressed first. Afterwards, less critical vulnerabilities should be highlighted.
- Cleaning up. The pen testers’ code of practice doesn’t allow leaving any surprises in your network. To keep it clean, pen testers should maintain a detailed record of all actions performed throughout the stages of penetration testing.