How do you prepare for a Penetration test?

A penetration test (pen test) is one of the best ways a company can test its IT assets for vulnerabilities that an attacker could exploit to reach sensitive data (customer records, internal IP, passwords, etc.). Many internal IT teams assume that a pen test is a time-consuming nightmare, but with the right communication and preparation a pen test is a straightforward, vital, and valuable procedure for any business.

Penetration tests are simulated cyberattacks against an IT system, carried out by security professionals to find the exploitable vulnerabilities an attacker would use to infiltrate an organization. Finding these vulnerabilities allows you to address the gaps in your network defense and enhance your overall security posture. Additionally, it provides you with an opportunity to assess your active protection systems, incident response, and ongoing security monitoring.

Why does a company need a penetration test?

  • To detect and remediate vulnerabilities before an adversary exploits them
  • Upper management may want a better understanding of their current security posture
  • It may be a regulatory requirement of the industry, or a legal requirement to do business with another company
  • Data protection increases customer confidence

Who will be involved in the Pen test?

  1. Management and authorized technical leaders of the company.
  2. The internal IT teams.
  3. The external penetration testing company.

Ask these questions before you start the Pen Test

We have tested over 1,000 applications and 500 networks. Based on that experience, we recommend asking and discussing the questions below. The details should be agreed upon by your team and the penetration testing team before the tests commence.

  1. Will the test include DoS, DDoS, or brute-forcing attacks?
  2. Which tests are intrusive, and how and when will the testing team perform them?
  3. Will the test team exploit vulnerabilities they find or just identify them?
  4. How long will it take to perform the pen test?
  5. What will be included in the report? If possible, ask for drafts or interim reports for longer engagements.
  6. Will there be regular meetings to discuss test progress and concerns?
  7. Will they provide an escalation matrix for both teams?
  8. When will they notify all stakeholders regarding the test and get necessary approvals?
  9. Will there be legal documentation (written authorization, rules of engagement, NDA) between the stakeholders and the test team?

How should you prepare for the Pen Test?

If you plan to run a penetration test on your IT system, it’s important that you, your IT team, and staff prepare for it. It’s possible to prepare for a pen test in a few hours, but it helps if you know what to do. Here are 6 ways your company can prepare for a Pen test –

  1. Identify and communicate your scope and objectives with the security professionals conducting your pen test
    Prepare an inventory of your technology assets and assign each a value based on business impact. This will help you identify and prioritize the assets that should be tested. Discuss the scope with the penetration testing company and/or your compliance teams. Then spend time with the IT team and the testing company to create a concise and realistic project description with objectives and expectations. For example, do you want to test your company’s ability to detect intrusion attempts? Or see how well your IT team responds to a possible breach? Make these goals clear to the IT team and the penetration testing company.
  2. Decide on the best time to conduct the test
    Pen testing is a time-sensitive process and can take longer than expected if issues arise. It’s best to run the test during a time of low business activity. Depending on the business, weekends might be ideal for this exercise.
  3. Backup your data 
    Your IT team should make a backup of all configurations, data, and code before the test begins. It’s possible that the pen test may cause a system to crash or data to be lost. If this happens, the systems can be restored to their pre-test state.
  4. Ensure that your internal IT team is available
    Your internal IT team or support team should be readily available to resolve technical issues with the asset during the testing phase.
  5. Explain what you want to see in the report
    • Do you want to see an Executive summary that describes the work done in a way that management can understand and act on?
    • Do you require mapping of the findings to a regulatory or compliance standard like PCI DSS, HIPAA, HITRUST, etc.?
    • Do you want to see a detailed record of the findings of the test?
    • Would you like any specific metrics to be included in the final risk rating of the findings?
  6. Mitigating common vulnerabilities
    Security is an ongoing process, so it helps to mitigate common vulnerabilities before the test begins; otherwise the testers’ time goes to issues you could have fixed yourself instead of the ones that need expert attention. More than 67% of detected vulnerabilities are common ones that basic security measures would have removed:
    • Applying missing patches
    • Restrict access to management or administrative interfaces
    • Disable insecure encryption standards and ciphers
    • Decommission obsolete software, services, and systems
    • Enforce strong password requirements across all assets (network and application)
    • Validate all inputs on the server side (client-side validation can be bypassed)
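As an added example (not from the article, and not an Accorian tool), the following Python script shows how an internal IT team can self-check a web server configuration for three of the items above before the testers arrive: obsolete TLS protocol versions, weak cipher suites, and an administrative interface with no IP allow-list or authentication. The nginx configuration text is constructed for illustration; BEFORE carries the weak settings and AFTER the corrected ones. The directive names are real nginx directives, but the parser handles only the one-statement-per-line style shown, and the cipher check is a keyword screen of the OpenSSL cipher string, not a full evaluation of the resulting suite list.

```python
"""Pre-engagement self-check for an nginx server block (illustrative only)."""

# Protocol versions that no public service should still accept.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that pull in broken or deprecated suites.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "eNULL",
                      "EXPORT", "EXP", "LOW", "MEDIUM"}
# Paths assumed (for this example) to front administrative interfaces.
ADMIN_PATHS = ("/admin", "/manager", "/phpmyadmin", "/wp-admin")
# Directives that count as restricting access to a location.
ACCESS_CONTROLS = {"allow", "deny", "auth_basic", "auth_request"}

# Constructed config with the weak settings the article warns about.
BEFORE = """\
server {
    listen 443 ssl;
    server_tokens on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4:!aNULL;
    location /admin/ {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

# The same server block after remediation.
AFTER = """\
server {
    listen 443 ssl;
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    location /admin/ {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://127.0.0.1:8080;
    }
}
"""


def parse_nginx(text):
    """Return (block_path, directive, args) triples.

    Only the simple one-statement-per-line layout above is supported:
    a line ending in '{' opens a block, '}' closes it, ';' ends a directive.
    """
    stack, statements = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            name, *args = line[:-1].split()
            statements.append((tuple(stack), name, args))
    return statements


def audit(text):
    """Return a list of human-readable findings for one config text."""
    findings = []
    statements = parse_nginx(text)
    admin_locations = {}
    for path, name, args in statements:
        if name == "server_tokens" and args == ["on"]:
            findings.append("server_tokens on: nginx version disclosed in headers")
        elif name == "ssl_protocols":
            bad = sorted(set(args) & WEAK_PROTOCOLS)
            if bad:
                findings.append("weak TLS protocols enabled: " + " ".join(bad))
        elif name == "ssl_ciphers":
            # Exclusions such as !aNULL are not enabled suites; skip them.
            suites = [s for s in args[0].split(":") if not s.startswith("!")]
            bad = sorted(s for s in suites if set(s.split("-")) & WEAK_CIPHER_TOKENS)
            if bad:
                findings.append("weak cipher keywords in ssl_ciphers: " + " ".join(bad))
        # Remember which directives appear inside each admin location block.
        for block in path:
            if block.startswith("location "):
                uri = block.split(None, 1)[1]
                if uri.startswith(ADMIN_PATHS):
                    admin_locations.setdefault(block, set()).add(name)
    for block, names in admin_locations.items():
        if not names & ACCESS_CONTROLS:
            findings.append(f"{block}: admin interface has no IP allow-list or authentication")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, audit(cfg) or "no findings")
```

Running the script reports four findings for BEFORE (version disclosure, three obsolete protocol versions, the MEDIUM and RC4 cipher keywords, and the unprotected /admin/ location) and none for AFTER. It is a starting point for the internal team's own checklist, not a substitute for the external test.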

What is included in the Pen Test report?

A detailed report that includes:

  • The goals and scope of the penetration test
  • The methodology used by the security company
  • The timeline of the penetration test
  • Detailed list of vulnerabilities, risk ratings, and evidence
  • Recommendations to improve overall security

Penetration testing is not a one-time activity. In 2018 alone, 16,412 new CVE (Common Vulnerabilities and Exposures) entries were published, and most attackers rely on known vulnerabilities and public exploits, which is why penetration testing and vulnerability assessment need to be an ongoing process. Make penetration testing part of the development cycle: at a minimum, test before every major release, or at least twice a year.

Accorian is a full-service cybersecurity partner. We can help protect your data, monitor your networks, conduct penetration tests and provide anti-phishing training for your employees. We have extensive experience in conducting penetration tests & vulnerability scanning for all applications (Web & Mobile), APIs, networks, and social engineering assessments.

Insider Threats – Healthcare’s Crippling Reality

We hear about the latest security issues, threats, vulnerabilities, attacks, and ransoms every day. While much of what we read concerns external attackers, there is another, often-overlooked hazard lying in wait: insider threats.

What are Insider Threats?

An insider threat is a security threat that originates from within an organization.
The insider is often an employee, contractor, business associate, or third-party entity: anyone who has, or once had, legitimate access to the organization’s systems and proprietary information. Because insiders act with valid credentials and access they were granted, traditional perimeter-focused security measures and products often fail to prevent, or even detect, insider activity.

Why should organizations be concerned?
  1. 75% of internal breaches go unnoticed. An employee logging in is easily overlooked compared with an external attack.
  2. Internal breaches are twice as costly and damaging as external threats because they last longer and are detected later.
  3. 69% of organizations that were breached internally had a prevention solution in place but still failed to detect the attack.
  4. On average, it takes 32 months to detect an internal breach.
  5. 65% of breaches are unintentional, which makes privileged users, whose mistakes have the widest reach, the largest risk for organizations.
  6. Not every breach is the result of malice, recklessness, or negligence, but regardless, the presence of human error in internal breaches means organizations have to invest in training, education, and technology that work with the user to mitigate insider threats.
Why should Healthcare organizations be concerned?

Attackers use highly targeted phishing campaigns to gain access to healthcare organizations’ networks, which is a critical reminder of the need to train and educate employees frequently. In general, healthcare entities detect external hacking incidents more quickly than insider incidents: there are many cases where a hacking incident was discovered within a day, while insider incidents have gone undetected for years. Healthcare is the industry most exposed to internal threats, with 59% of all breaches in 2018 involving internal actors. (Verizon DBIR report 2019)

Current State of Healthcare –

  • 15 million patient records were breached in 2018 over 503 breaches. 139 were internal breaches responsible for over 2.3 million patient records. (Protenus Breach Barometer 2019)
  • 32 million patient records were breached in the first half of 2019 across 285 breaches; The new Protenus 2019 Breach Barometer found the number of breached patient records tripled from 2017 to 2018, as healthcare data security challenges increased.
  • 91% of healthcare organizations have had at least one data breach involving the loss of patient data in the last two years (Forbes)
  • 68% of patients are not confident that their medical records are secure with their healthcare providers (Ponemon Medical Identity Threat Report)
How should Healthcare organizations manage & mitigate this threat?
  • Proactive insider threat monitoring – User & Entity Behavior Analytics (UEBA), endpoint controls
  • Auditing & managing privileges & permissions
  • Implementing a device management policy
  • Security training and testing among employees
  • Policies & Procedures for increasing accountability amongst employees & contractors
  • Incident Response Strategy & Plan
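The first item above, behavior-based monitoring, is the one that most often needs explaining. The following Python script is an added example (not from the article and not a description of any UEBA product) of the core idea: score each user's activity against that user's own history rather than against a fixed rule. It reads a constructed EHR audit log of the form "timestamp user action patient_id" and raises two kinds of finding that matter for patient-record snooping and credential abuse: a day on which a user touched far more distinct patient records than their trailing baseline, and access outside an assumed 07:00 to 19:00 shift window. The log lines, user names, thresholds and shift window are all assumptions made for the example.

```python
"""Baseline-deviation checks over a constructed EHR access log (illustrative)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 19)  # assumed shift window: 07:00 to 18:59
MIN_BASELINE_DAYS = 3          # need this much history before scoring a day
SIGMA = 3.0                    # flag days beyond mean + SIGMA * stddev of history
FLOOR = 10                     # never flag a day with fewer records than this


def constructed_log():
    """Constructed sample audit log (not real data): 'timestamp user action patient'."""
    lines = []
    # nurse_a: five ordinary days, five distinct patients each, during the shift.
    for day in range(3, 8):
        for i in range(5):
            lines.append(f"2019-06-{day:02d}T{9 + i:02d}:15:00 nurse_a view P{day * 100 + i}")
    # nurse_a on 10 June: 40 distinct records, the first six of them at 02:00.
    for i in range(40):
        hour = 2 if i < 6 else 10 + (i % 6)
        lines.append(f"2019-06-10T{hour:02d}:{i:02d}:00 nurse_a view P9{i:03d}")
    # clerk_b: one record a day, always in hours, so never flagged.
    for day in range(3, 11):
        lines.append(f"2019-06-{day:02d}T08:30:00 clerk_b update P{500 + day}")
    return lines


def parse_line(line):
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def daily_counts(events):
    """Map user -> date -> set of distinct patient ids touched that day."""
    counts = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, patient in events:
        counts[user][ts.date()].add(patient)
    return counts


def volume_anomalies(events):
    """Flag days on which a user's distinct-patient count exceeds their own
    trailing baseline by SIGMA standard deviations (and the absolute FLOOR).
    In production the baseline would also be compared against the user's
    peer group (same role, same unit); this example uses self-history only."""
    findings = []
    for user, per_day in daily_counts(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            if i < MIN_BASELINE_DAYS:
                continue  # not enough history to judge this day
            history = [len(per_day[d]) for d in days[:i]]
            threshold = max(FLOOR, mean(history) + SIGMA * pstdev(history))
            today = len(per_day[day])
            if today > threshold:
                findings.append((user, str(day), today, round(threshold, 1)))
    return findings


def off_hours_access(events):
    """Count record accesses per user and day that fall outside BUSINESS_HOURS."""
    counts = defaultdict(int)
    for ts, user, _action, _patient in events:
        if ts.hour not in BUSINESS_HOURS:
            counts[(user, str(ts.date()))] += 1
    return dict(counts)


def analyse(lines):
    events = sorted(parse_line(line) for line in lines)
    return {"volume": volume_anomalies(events), "off_hours": off_hours_access(events)}


if __name__ == "__main__":
    for kind, result in analyse(constructed_log()).items():
        print(kind, result)
```

On the constructed log the script flags nurse_a on 2019-06-10 for both checks (40 distinct records against a baseline of 5, and six accesses at 02:00) and raises nothing for clerk_b. A real deployment would feed these findings into the incident response plan from the last item above rather than just printing them, and would tune FLOOR and SIGMA per role so that a busy emergency department is not flagged daily.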
How does HITRUST address Insider Threats?

HITRUST’s Common Security Framework (CSF) provides a comprehensive, prescriptive set of controls for organizations to implement and adhere to.

The HITRUST CSF requires organizations to have controls in place in the following areas, each of which reduces insider risk –

  1. Employee awareness & education
  2. Secure workplace and data practices
  3. Confidential data taxonomy
  4. Auditing & managing privileges & permissions
  5. Secure disposal/re-use of media/equipment
  6. Compliance to policies & procedures
  7. Acceptable use of assets
  8. Reporting of security incidents
