Essential Steps for Management to Maximize the Value of a Penetration Test Report

By Red Siege | June 3, 2024

by Tim Medin, CEO

Penetration testing is a critical component of a well-rounded cybersecurity strategy. Penetration testing identifies vulnerabilities before malicious actors can exploit them. However, the true value of a penetration test lies not just in the identification of vulnerabilities, but in the subsequent actions taken to mitigate these risks and improve the security of the organization.

This blog post outlines key steps that Chief Information Security Officers (CISOs) and C-level management should take after receiving a penetration test report (especially a bloody one) to ensure their organization strengthens its security posture effectively.

1. Keep Focused

Initial Response: Don’t Panic

When you receive a pen test report, especially one with numerous findings, it can be overwhelming. However, it is crucial to stay calm. Identifying these vulnerabilities is a good thing! The discovery of these vulnerabilities means that you have an opportunity to address them before they can be exploited by malicious actors. It is a proactive step towards enhancing your organization’s security.

Understand the Report

Begin by thoroughly reviewing the report. It typically contains several sections, including an executive summary, methodology, findings, and recommendations. Pay close attention to the executive summary for a high-level overview and to the findings section for detailed information on vulnerabilities.

2. Dig in on the Details

Prioritize Findings

Not all vulnerabilities are created equal. Use a risk-based approach to prioritize the findings. Don’t be afraid to use your own internal scoring to recategorize the risk of each finding. Pen testers work hard to understand the risk, but we can’t know everything. Sometimes the risk is greater, and the internal risk rating should increase; sometimes the opposite is true. Consider the following factors:

  • Criticality of the Vulnerable System: Systems critical to business operations should be addressed first.

  • Severity of the Vulnerability: High and critical vulnerabilities should take precedence.

  • Likelihood of Exploitation: Vulnerabilities that are easily exploitable should be prioritized.

Address Underlying Process Failures

A penetration test not only reveals specific vulnerabilities but can also highlight systemic issues. For example, if new systems are deployed without proper hardening or patches are not applied in a timely manner, it indicates process failures, such as a deficiency in the patch management program or a blind spot in the asset inventory. Address these underlying issues to prevent similar vulnerabilities from arising in the future. This might involve updating policies, improving patch management processes, training, or enhancing system configuration and hardening standards.

3. Communicate

Communicate with Stakeholders

Effective communication with relevant stakeholders is essential. This includes IT teams, security personnel, and senior management. Ensure that everyone understands the implications of the findings and the steps needed to address them. Use the report to facilitate discussions on risk and remediation strategies.

Utilize Penetration Testers as a Resource

Pen testers are valuable allies in your cybersecurity efforts. Use their expertise not only during the assessment but also in understanding the context and implications of their findings. Engage with them to gain deeper insights and practical advice on improving your security posture.

4. Re-Prioritize

Develop a Remediation Plan

Create a detailed remediation plan that outlines:

  • Specific Actions: Steps needed to fix each identified vulnerability.

  • Responsible Parties: Individuals or teams responsible for implementing each action.

  • Timeline: Deadlines for remediation efforts based on priority.

  • Resources Needed: Budget, tools, and personnel required to address the vulnerabilities.

  • Identify and Implement Process Improvements: Vulnerabilities typically have an underlying root cause. Identify the process, procedure, and policy deficiencies that led to the issue and work to prevent these issues in the future.

Implement and Validate Fixes

Once the plan is in place, begin remediation efforts. It is essential to validate that the fixes are effective. This can involve retesting the vulnerabilities to ensure they have been properly addressed. Many pen testers include a methodology section in their reports that details how they discovered the vulnerabilities, which can be used as a guide for validation. Ideally, the pen test finding also includes a method for identifying the issue (we call it the “validation” section of the finding) that can be used by folks who are working on remediation to immediately confirm a working mitigation.

5. Continuous Investment

Document Everything

Thorough documentation is vital. Maintain records of the findings, remediation actions taken, and the results of validation tests. Documentation helps track progress, provides evidence of compliance efforts, and serves as a reference for future security assessments.

Foster a Culture of Continuous Improvement

Cybersecurity is an ongoing process. Encourage continuous learning and improvement within your security teams. Regularly review and update security policies, conduct periodic security training, and stay informed about the latest threats and best practices. Implementing regular internal assessments and engaging in continuous dialogue with pen testers can also help keep your defenses robust.

Invest in Your Team

Identify training needs and invest in your team’s development. This could include training on secure coding practices for developers, secure network architecture for network admins, or specific security tools and techniques. Investing in your current team members not only enhances their skills but also leverages their existing knowledge of your organization’s systems and processes.

Conclusion

Receiving a penetration test report is just the beginning. By staying calm, digging into the details, communicating effectively, re-prioritizing based on risk, and continuously investing in your security posture, you can turn the insights from a pen test into actionable steps that strengthen your organization’s defenses. Use these essential steps to guide your response and ensure your organization remains resilient against evolving threats.

Feel free to take our handout that gives you a basic foundation of an action plan you can take today!

You can also take a look at the Red Siege Sample Report!


About Tim Medin, CEO

Tim is a Senior Instructor and course author (SEC560) at SANS, the most trusted and largest source for information security training and security certification in the world. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. Tim has gained information security experience in a variety of industries, including previous positions in control systems, higher education, financial services, and manufacturing. Tim is an experienced international speaker, having presented to organizations around the world. Tim is the creator of Kerberoasting, a widely utilized Red Team penetration test technique that extracts Kerberos tickets in order to attack the passwords of enterprise service accounts offline. Tim earned his MBA through the University of Texas and recently completed an eMBA equivalent through Harvard Business School.

Certifications:
GWAPT, GPEN, GMOB, GCED, and GCIH, Previous: CCNA
