Maybe you’re thinking of having a penetration test completed, or you simply have the jitters about how the test results will turn out. We get this question often and we’re here to help prepare you for success. So take a look at the top 6 ways to improve your penetration test results.

Patch

Configuration management can be difficult, but make sure that you know what exists on your network, remove what you don’t need, and confirm that security patches have been applied. Applying security patches is imperative to the overall health of your network and the data that’s held within it. A vulnerability scan will do a couple of things for you here: inventory the items in scope and discover common vulnerabilities. Because outdated versions give attackers such a high success rate, this is usually an attacker’s first stop.

Change default credentials

As penetration testers, trying default credentials on any system that we come across is second nature. Failure to change default credentials is often attributed to simply setting the system up and forgetting to change them afterwards. This is where you can implement some rigor around processes, such as utilizing hardening checklists. Anytime a project, application, or system is introduced into your environment, you should ensure a hardening checklist is incorporated in the plan. Applications and appliances often have more than one default account, so make sure not to forget those as well.

Implement a password filter

Password spraying has become a common way to infiltrate organizations. Having a 10-character minimum, mixed case, numbers, and special characters sounds decent, right? Well, “Password123!”, “Spring2020!”, and “YourCompanyName2020!” satisfy the requirements but don’t reduce the likelihood of an attacker guessing those credentials. If you force users to rotate their passwords often, they are more likely to fall into the trap of using seasons, years, or simply incrementing numbers to keep up with their passwords. Be sure to utilize a tool that will blacklist these types of passwords. Don’t forget to prevent users from including part of their name or username in a password as well!
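The checks described above can be sketched as a small filter. This is an added example, not code from this post or from any password filter product; the word list, the three-letter padding allowance, the three-character name threshold and the `previous` parameter are all assumptions to adapt.

```python
import re

# Constructed deny list: the seasons and weak roots the text mentions, plus an
# assumed organisation term. Replace with your own company and product names.
BASE_WORDS = {"password", "welcome", "spring", "summer", "autumn", "fall",
              "winter", "yourcompanyname"}
# Undo common character substitutions before matching.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def root_of(password: str) -> str:
    """Reduce a password to its alphabetic root: drop the digits and symbols
    users add at either end, undo leetspeak, keep letters only."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))


def check_password(password, username="", full_name="", previous=""):
    """Return the list of reasons for rejection; an empty list means accepted."""
    reasons = []
    root = root_of(password)
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    # A deny-listed word padded with at most three other letters is still guessable.
    for word in sorted(BASE_WORDS):
        if word in root and len(root) - len(word) <= 3:
            reasons.append(f"built on common word '{word}'")
    # Name or username parts of three or more characters (assumed threshold).
    for token in re.split(r"[^a-z0-9]+", f"{username} {full_name}".lower()):
        if len(token) >= 3 and token in password.lower():
            reasons.append(f"contains account name part '{token}'")
    # Same root as the old password means only the decoration was changed.
    if previous and root and root == root_of(previous):
        reasons.append("same root as previous password")
    return reasons


if __name__ == "__main__":
    samples = ["Password123!", "Spring2020!", "YourCompanyName2020!",
               "jsmith-Tr0ub4dor", "correct horse battery staple"]
    for pw in samples:
        print(pw, "->", check_password(pw, "jsmith", "John Smith") or "accepted")
```

All three passwords quoted in the text pass the 10-character complexity rule yet are rejected here, while a long passphrase with no deny-listed root is accepted.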

Implement MFA

As with anything, multi-factor authentication is not a “hacker proof” solution. However, it does limit a significant number of attacks and increases your overall security posture. The good news is that MFA has become commonplace in most applications and the implementation of those solutions has improved dramatically over the last couple of years. It’s important that you test these, as backup options and some weak secondary factors can be easily circumvented. Check out MFA and your business to learn more.

Have separate administrative accounts

I’ve found that least privilege is seldom practiced in the environments we see during penetration testing. Its absence has led to a significant number of domain takeovers and is one of the big eye-openers that our clients often see. Any administrators in your domain should have separate accounts: one to perform administrative duties and one as their regular user account. The accounts should always have separate passwords, and the administrative account should have additional security features applied, such as password length, complexity, and additional monitoring.

Have unique local administrator accounts

Once an attacker has landed on a machine, it’s usually trivial to obtain local passwords or to perform privilege escalation. If your organization is using the same local administrator credential on all your machines, then it makes moving laterally in your network extremely easy. Managing unique passwords manually would be overly burdensome for many, but luckily there’s a more automated solution and, best of all, it’s free! Microsoft came out with Local Administrator Password Solution (LAPS) to assist in rectifying this issue. It essentially automates the process of changing the password for every local administrator account and stores the passwords for you.

Summary

The goal of your penetration test is to measure the security of your organization and provide actionable steps towards improvement. Even if you don’t get a sterling report back, it’s much more important to know what your risks are. Comment below and let us know how you improve your penetration test results!