I really wanted to add more to this list of “5 Quick Wins On Your Next Penetration Test” post by Red Team Security Consulting, but they did a good job capturing really important broad topics in their first four items: apply missing patches, decommission forgotten systems and services, bring your password “A” game, and restrict your admin interfaces. The last one, “Validate your input/output,” applies more to developers and isn’t quick or easy, and the bonus item, “spoof your banners,” isn’t something you spend time doing unless you really, really want to. But I do have a few tidbits to add. (My criterion here is keying off the phrase “quick wins.” It’s easy to add many more things that can take months to implement…)
First, issue a round of security awareness education to your employees. Remind them about phishing attacks, tailgating through locked doors, and reporting general “weirdness” on a server. Server crashing or slow for no reason? Look deeper. Be skeptical, even if the answer is usually not “an attacker.”
Second, make sure your anti-malware solutions are pushing updated signatures/versions to endpoints. Make sure the endpoints reporting in to the console match your expected inventory, and shore up any stragglers. It’s not perfect, but endpoint protection does flag tools that attackers use.
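As an added example (not from the original post), here is a small Python reconciliation of an expected endpoint inventory against a constructed anti-malware console export, flagging hosts that never report, hosts nobody expected, stale signatures and silent agents; the hostnames, dates and age thresholds are all assumptions.

```python
"""Reconcile an expected endpoint inventory against what the anti-malware
console actually reports, and flag the stragglers worth chasing."""
from datetime import date

# Constructed sample data: hypothetical hostnames, not from any real environment.
EXPECTED_INVENTORY = ["ws-001", "ws-002", "ws-003", "srv-db1", "srv-web1"]

# Constructed console export in CSV form: hostname,last_checkin,signature_date
CONSOLE_EXPORT = """\
hostname,last_checkin,signature_date
WS-001,2024-05-10,2024-05-10
ws-002,2024-05-10,2024-04-02
srv-web1,2024-03-15,2024-03-15
srv-lab9,2024-05-10,2024-05-10
"""

# Assumed policy thresholds: how old a signature set or last check-in may be.
MAX_SIGNATURE_AGE_DAYS = 3
MAX_CHECKIN_AGE_DAYS = 7


def parse_console_export(text):
    """Map lowercased hostname -> (last_checkin, signature_date)."""
    rows = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        host, checkin, sig = (field.strip() for field in line.split(","))
        rows[host.lower()] = (date.fromisoformat(checkin), date.fromisoformat(sig))
    return rows


def reconcile(expected, reported, today,
              max_sig_age=MAX_SIGNATURE_AGE_DAYS, max_checkin_age=MAX_CHECKIN_AGE_DAYS):
    """Return the four lists an admin would act on after comparing inventory to console."""
    expected_set = {h.lower() for h in expected}
    reported_set = set(reported)
    return {
        # In inventory but never reporting: agent missing, broken, or host decommissioned?
        "missing": sorted(expected_set - reported_set),
        # Reporting but not in inventory: an untracked host someone stood up.
        "unknown": sorted(reported_set - expected_set),
        # Agent present but signatures are not being pushed or applied.
        "stale_signatures": sorted(h for h, (_, sig) in reported.items()
                                   if (today - sig).days > max_sig_age),
        # Agent has stopped checking in at all.
        "silent": sorted(h for h, (chk, _) in reported.items()
                         if (today - chk).days > max_checkin_age),
    }


if __name__ == "__main__":
    report = reconcile(EXPECTED_INVENTORY, parse_console_export(CONSOLE_EXPORT), date(2024, 5, 11))
    for category, hosts in report.items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```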
Lastly, here’s a “cheat” you shouldn’t do, but I guess you could. Stand up honeypots or devices that answer on otherwise unused IP addresses, or on unused ports on those IP addresses. Thing is, no pen test lasts as long as it should, and a huge amount of time is spent on scanning alone. If you make an attacker’s scan take way too long, they’re not going to find things, or they will just not have much time to get where they want to go. Does that cheat you out of value from the pen test? Absolutely! But it *is* something to think about: the amount of time you’re paying someone to scan your network, and how that steals value from the pen test.