When on the cusp of receiving an external penetration test, clients want to prepare themselves for it. We often get asked what’s the easiest way to improve their score before the engagement has begun. Below are the top 3 ways to improve your external penetration testing results before it even starts.
Credential-related attacks are the most common way that penetration testers obtain some level of access while conducting an external engagement. This could range from logging into a web application, Office 365, or even an employee portal. The testers will attempt various password attacks such as password spraying common credentials against all found users, trying default credentials, or looking for accounts that have been forgotten about. You can tackle this by removing unnecessary accounts, setting proper permissions on accounts, setting strict failed password attempt thresholds using strong passwords.
Following best practices regarding password complexity and length is highly recommended, but in the modern age that is simply not enough. You should highly consider implementing password filtering technology against your active directory environment. This will help prevent commonly guessed passwords that still adhere to your password policy. It is a way to add intelligence to your password policy and not simply a list of rules.
Identifying patch levels with a vulnerability scanner and other tools is trivial. Penetration testers stay up to date on the latest vulnerabilities and are eager to test out the newest ones. Ensure you are patching your systems regularly and not just for the penetration test, as you want this to give a proper representation of your organization’s risk. However, it’s important to know what is being exposed to the public internet and ensure that those services have the latest security patches.
Implement Multi-Factor Authentication
Implementing multi-factor authentication (MFA) is a great way to add defense in depth to your organization and reduce your overall risk. MFA on all your external login portals makes your adversaries work harder to gain access to systems. Keep in mind that there are ways to bypass multi-factor if it isn’t set up adequately, such as by allowing legacy authentication methods or having a poor exception process. Additionally, you should ensure your staff is trained not to accept malicious MFA requests. Organizations often implement MFA, and their staff accepts malicious MFA push notifications, allowing the attacker to authenticate successfully.
The three ways listed above are a great way to improve your external penetration test before it even happens.