Teri Radichel

Summary

The article advises companies to schedule penetration tests outside of the busy Q4 period, ideally in the summer or early January, to ensure better service and attention from cybersecurity firms.

Abstract

The author, Teri Radichel, emphasizes the importance of timing when it comes to conducting penetration tests, suggesting that companies avoid the end-of-year rush in Q4. This is due to the high demand for penetration testing services during this period, which can lead to overbooking and rushed reports. Instead, the author recommends moving penetration tests to earlier in the year, such as the summer months, or waiting until January when cybersecurity firms are less busy. This strategic scheduling can result in more thorough testing and better overall service. The article also highlights the specialized focus of 2nd Sight Lab on cloud and application security, emphasizing the use of multi-factor authentication (MFA) and other security measures during tests. The author notes that their firm prioritizes comprehensive coverage over stealth and is equipped to handle various cloud platforms, with a preference for AWS and GCP.

Opinions

  • Penetration testing companies, including the author's own, are particularly busy in Q4, which can lead to suboptimal service for clients.
  • Scheduling penetration tests in the summer or early January is advised to avoid the end-of-year rush and ensure more attention and better service.
  • The author's firm, 2nd Sight Lab, specializes in cloud and application security and emphasizes finding as many potential security gaps as possible rather than testing the client's Security Operations Center (SOC) response.
  • Clients are encouraged to consider the security implications of not using MFA on AWS and other cloud platforms during penetration tests.
  • The author prefers to use a completely new account and new hosts when starting a penetration test to minimize the risk of compromise.
  • There is a suggestion that hiring big-name penetration testing companies does not guarantee the best personnel will be assigned to the client's test.
  • The author uses automation and occasionally vetted contractors to assist with penetration tests, previously involving family members such as nieces and nephews.
  • The article expresses uncertainty about attending AWS re:Invent this year due to busyness and suggests that clients should consider starting their penetration tests sooner rather than later to avoid scheduling conflicts during busy periods.

Best time to get (and NOT get) a penetration test

As I’m wrapping on an AWS cloud and application penetration test…


I’ve mentioned this before, but if you’re one of those companies that gets a penetration test in Q4 every year, you might want to consider moving your penetration test up a quarter. If you’re just embarking on your journey to become SOC compliant, or have some other reason to get a penetration test and are thinking about doing it by the end of the year, here’s why you might want to jump on it now.

Although I’m busy (finishing a pentest now and not available until August), this is one of the slower times of year, as is the very beginning of the year, in my experience as a penetration tester. At the end of the year, on the other hand, I get so many requests that I end up with too much work, have to refer some of it away, and am working 24 x 7 to get everyone’s reports done in time.

Just a reminder that 2nd Sight Lab specializes in cloud and application security, not on-premises penetration testing or social engineering. We focus on coverage, not stealth. We want to find as many potential attacks and security gaps as possible, not test your SOC's ability to spot a breach. If you are looking for something different, I can provide referrals for those other types of tests if you need one, to organizations run by people I know personally.

I don’t know the experience of everyone who runs a penetration test company, but I have heard other organizations express a similar sentiment: everyone in cybersecurity is really busy in Q4. Rather than wait until everyone is overloaded, get a jump on that penetration test and get on your test company’s schedule now! Also, if this is your first penetration test, it might take a bit longer to get set up or to understand the process. Alternatively, wait until January to get more attention on your test. The very beginning of the year is generally a slow time as well, in my experience.

If you’re doing a cloud penetration test with 2nd Sight Lab, we ask for certain roles to be set up with MFA in your account when testing on AWS to assess your security. We will also explain what credentials to provide and how to send them over securely in an encrypted message. In my experience, penetration test setup and the transfer of an upfront payment tend to push start times past the expected start date.

If your penetration test company isn’t asking for MFA on AWS with a cross-account role, you might want to consider the risk that role represents and the potential attack vector it leaves open. On other clouds, things are not always so simple, so we don’t always ask for MFA, but we’re working on it and have requests out to cloud vendors in some cases.
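As an added example (not code from this post or from 2nd Sight Lab), here is a defender-side check a client could run against the trust policy of the cross-account role they hand to a testing firm: it returns true only when every statement that grants sts:AssumeRole is gated on an MFA-backed session. The account IDs are constructed placeholders and the function names are my own.

```python
# Constructed sample: a cross-account trust policy that lets a tester's
# account assume the role WITHOUT any MFA requirement (placeholder account id).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Same role, hardened: AssumeRole only succeeds when the caller's session was
# authenticated with MFA. aws:MultiFactorAuthPresent is only set for temporary
# credentials; a caller using long-term access keys has no such key at all.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def statement_requires_mfa(statement):
    """True when this Allow statement is gated on an MFA-backed session.

    Only the strict 'Bool' operator counts: 'BoolIfExists' evaluates to true
    when the key is absent, which is exactly the long-term-access-key case.
    """
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def trust_policy_requires_mfa(policy):
    """True only if every Allow statement granting sts:AssumeRole requires MFA."""
    assume_stmts = [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and any(a.lower() in ("sts:assumerole", "sts:*", "*")
                for a in _as_list(s.get("Action", [])))
    ]
    return bool(assume_stmts) and all(statement_requires_mfa(s) for s in assume_stmts)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, "requires MFA:", trust_policy_requires_mfa(pol))
```

Feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to check the role your tester actually uses.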

When I started penetration testing, AWS warned me that many penetration testers get compromised, so we take precautions for security and to limit the blast radius should anything be compromised: we set up a completely new account and new hosts when we start a penetration test.

We can also use fixed IP addresses if a customer needs us to, though it’s a bit more realistic to test from varied IP addresses, and we can go faster and get more coverage that way. In some cases, AWS blocks known penetration testing IP addresses, as I’ve mentioned on Twitter, and certain domain names. I figured this out while testing certain attacks: they worked from certain addresses but not others.

As we move into the latter months of the year, I also get requests to subcontract on penetration tests for other companies. Everyone is overloaded. If you’re doing your penetration test at the end of the year when everyone is overloaded, you might not be getting the best people or the best coverage. I’ve heard clients complain on consulting calls about penetration testers from other big name companies, but just because you hired a big name doesn’t mean you’re getting the top people behind that big name. You’ll want to clarify that when you sign up for your test.

In our case at 2nd Sight Lab, I take on as many tests as I can be involved with at the moment, use a lot of automation, and occasionally a contractor who is vetted appropriately (someone I know who lives locally, so please don’t contact me and ask for a job) to do some of the simple tasks associated with the test: basic scanning, proofreading reports, etc. In the past, it was often one of my nieces or nephews. We may grow over time, but for now I’m dealing with some office space issues and in no hurry to expand. That may change once a few projects get completed around here.

Q4 is fast approaching, that time when everyone is busy with holidays and some people are at AWS re:Invent (not sure if I’m going this year; last year I was too busy), so you might want to think about starting your penetration test sooner rather than later! If you’re interested in a cloud penetration test and/or application security penetration test from 2nd Sight Lab, you can reach out to me on LinkedIn below. We especially like AWS and GCP penetration tests, though I did just teach a complete Azure security class and can do those as well. We can also perform cloud security assessments if you’re not ready for a cloud and application penetration test.


Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab