Preparing for a Penetration Test: Insights from Tim Medin, CEO of Red Siege Information Security

By Tim Medin | November 13, 2023

As the CEO of Red Siege Information Security, I’ve had the privilege of building an outstanding team of ethical hackers to conduct numerous penetration tests for organizations across many industries. Over these years, I’ve come to realize that one of the most underestimated aspects of a successful penetration test is the power of asking the right questions. So lets dive into some of my experiences and insights into how asking the right questions can be a game-changer in penetration testing.

Embracing the Dumb Question

The most important idea when it comes to penetration testing is understanding what is more important to the business or organization. Consultants should never hesitate to ask:

“What data or process, if lost, stolen, compromised, or destroyed, would have the biggest impact to the organization?”

( I made sure to slap this question on the front of our website for good measure.)

The truth is, the testers’ educated guess often matches the client’s response. The key is, knowing when your assumption is wrong!

When it comes to conducting a penetration test, there’s no room for assumptions. I regularly tell my team, “I’d rather ask a ‘dumb’ question, than be wrong. I hate being wrong!” It’s crucial to seek clarity and understanding, even if it means asking what might appear to be a “dumb” question.

Understanding this key point puts the entire penetration test in the right context. It helps the testers understand the real risk to the organization, and not just guess as to what matters. One simple question, can drastically change the value of this type of test. These unexpected insights highlight the importance of thorough preparation for a penetration test.

The Eye-Opening Experience: Pricing as Critical Information

Allow me to illustrate the significance of asking the right questions with a memorable experience from a penetration test we conducted for a major e-commerce platform. This platform, akin to Amazon but specializing in tools and equipment, taught me a lesson I’ll never forget.

Rewind 15 years, back when I was young, head strong, and over confident. At the beginning of the test, I made assumptions about what constituted critical data. I assumed it revolved around credit card information, client data, and sales records – the usual high-value targets. However, during the course of the engagement, the organization’s representative shared an unexpected revelation. They considered the most critical information for their business to be:

“The pricing at which they sold their products.”

I was shocked, since this pricing information was effectively public on their e-commerce site. He went on to explain, that if a competitor can get the price of everything they sell, they could then sell everything for a penny less, and my client would be out of business. The products sold by competitors in this industry are often identical, sourced from the same manufacturer, making the price became the sole differentiator. In a world where buyers hunt for the best deals, this pricing advantage could have a catastrophic impact on the business.

I assumed because the information was public that it wasn’t critical, and I couldn’t have been further off. This taught me a valuable lesson:

“Never assume” and to ask the “dumb” question.

The Lesson Learned: Never Assume Anything

My experience highlights a critical lesson for penetration testers and security professionals – never make assumptions. What may seem trivial or publicly accessible data could hold immense value for an organization, depending on its business model and competitive landscape. This revelation also underscores the importance of gaining a nuanced understanding of the client’s operations and priorities.

The simple question, “What is the most important data or process to you?” should not be perceived as a trap for the organization being tested. Instead, it serves as an opportunity to gauge the experience and maturity of the testers and, more importantly, to align expectations between the testers and the client. As an experience professional, sometimes the organization needs help identifying what is important. An experience consultant can ask about other data or processes and guide them down the path to better understanding.

Preparing for a Penetration Test: Key Takeaways

1. Foster Open Communication

  • Establish open and transparent communication with the organization being tested. Encourage them to share their priorities and concerns.

2. Avoid Assumptions

  • Never assume what constitutes critical data. Always inquire about the most vital processes and information.

3. Grasp the Business Context

  • Understand the client’s business model, competitive landscape, and industry-specific challenges to tailor the penetration test accordingly.

4. Embrace Continuous Learning

  • Encourage a culture of continuous learning and adaptability within your penetration testing team. Every engagement offers new insights.

5. Document Diligently

  • Document the client’s responses and priorities meticulously. This information will inform the testing strategy and help align expectations.

6. Test for Maturity

  • Use the question as a litmus test for the maturity of the organization’s security posture. It can reveal whether they have considered the potential risks comprehensively.

In conclusion, preparing for a penetration test requires more than technical expertise; it demands a keen understanding of the organization’s unique context and priorities. My experiences have taught me that success in penetration testing hinges on the power of asking the right questions and never making assumptions. By following these principles, both testers and organizations can collaborate effectively to enhance cybersecurity and safeguard critical data.

If you are looking to perform a penetration test for the first time, sharpening up your skills as a penetration tester, or a business/organization looking to learn more about what goes into a penetration test and what to do after –Myself and the Red Siege Information Security team have created a unique version of our SiegeCasts dedicated to breaking down all the steps for you in this 3-part series.

The information from this article is just a small section of part one.

Click the link below to learn more!

Adventures in Shellcode Obfuscation! Part 1: Overview

By Red Siege | June 17, 2024

by Mike Saunders, Principal Security Consultant This blog is the first in a series of articles on methods for obfuscating shellcode. I’ll be focusing on how to obfuscate shellcode to […]

Learn More
Adventures in Shellcode Obfuscation! Part 1: Overview

Essential Steps for Management to Maximize the Value of a Penetration Test Report

By Red Siege | June 3, 2024

by Tim Medin, CEO Penetration testing is a critical component of a well-rounded cybersecurity strategy. Penetration testing identifies vulnerabilities before malicious actors can exploit them. However, the true value of […]

Learn More
Essential Steps for Management to Maximize the Value of a Penetration Test Report

Fun With JWT X5u

By Red Siege | May 30, 2024

by Senior Security Consultant Douglas Berdeaux On a recent web application penetration test engagement, I came across a JSON Web Token (JWT) that contained an x5u header parameter. I almost […]

Learn More
Fun With JWT X5u

Find Out What’s Next

Stay in the loop with our upcoming events.