Pentesting a Small Company

by {"login"=>"averagesecurityguy", "email"=>"stephen@averagesecurityguy.info", "display_name"=>"averagesecurityguy", "first_name"=>"", "last_name"=>""}

It's been a month since my last blog post. Usually I don't wait so long between posts but life has been busy with work and personal stuff. Staying busy doesn't give me much time to think but now that things have calmed down I want to write about something that has troubled me for a while. How do you pentest a small company? Well the immediate answer is you pentest them the same way as any other company, but I'm not sure. Before I get into the details let me define a small company. The typical small company I pentest has fewer than 100 internal devices, five to ten external IP addresses and maybe 30 to 40 employees.

A typical pentest relies on finding and exploiting a few vulnerabilities in a large data set. When the data set is significantly reduced as with a small company the job becomes much harder. So my struggle is this, if I perform a pentest on small company and I am not successful at penetrating the network have I failed as a pentester or has the company succeeded in their security program? Does the answer change if the company doesn't have a security program? My fear is that someone with a better skill set would have found the vulnerability I missed and that vulnerability might allow for a complete compromise of the network. So the question is this, as a pentester, how do you know when you have done enough? At what point can you say, "Even though I didn't compromise the network I am satisfied with the state of the client's information security?"

My typical small company pentest consists of the following:

• Identify employee names and email addresses for use in bruteforce attacks.
• Build a password list based on employee names, company names, and keywords associated with the company.
• Scan the network for open ports and services.
• Review all services for vulnerabilities, either with a scanner or manually.
• Exploit vulnerabilities if possible.
• Conduct password attacks on appropriate services.

If I am still unable to break into the network after doing these things, I want to feel comfortable with the security posture of the client but I can't help but feel like I'm missing something. So tell me what am I missing? What else can I do to ensure my clients are getting a thorough test and to ensure I can feel comfortable with the client's security posture?

Feedback

@ITSecurity posted the following on twitter, "You ask, "when can you say, even though I didn't compromise the client I'm satisfied with the state of the security?" I think you take a logic leap in trying to make that determination. It's really up to your client to decide if they're satisfied with their security based on your report. In my mind you are there to help them make an informed decision by demonstrating a risk within the agreed upon parameters."

I had not thought about the problem from this perspective. The truth is, I am restricted by the parameters placed on me by the client. If I am diligent to do all that I can within the parameters, focusing particularly on common attack methods, then my client can have some assurance that their security posture is sound. To some degree, it is up to the client to know what they want tested and to expand the parameters appropriately. It is also up to us as pentesters to show the client ways they can expand the parameters to get a more thorough test.