Penetration Test

Mitigation strategies

RECOMMEND MITIGATION STRATEGIES

• Nearly every pen test will discover multiple vulnerabilities.
• A pen test report should contain recommendations to mitigate each vulnerability
• Solutions vary, depending on the vulnerability

MITIGATION STRATEGY CATEGORIES

• People - behavior changes
  • Social engineering
  • Passwords
• Process - how things are done
  • Backup media handling
  • ID management
• Technology
  • Controls based on hardware and/or software

COMMON FINDINGS

• Shared local administrator credentials
  • Randomize credentials/LAPS
• Weak password complexity
  • Minimum password requirements/password filters
• Plain text passwords
  • Encrypt the passwords
• No multifactor authentication
  • Implement multifactor authentication
• SQL injection
  • Sanitize user input/parameterize queries
• Unnecessary open services
  • Disable or remove unneeded services(system hardening)

QUICK REVIEW

• Recommend mitigation activities for each identified vulnerability
• Suggest different classes of mitigations(technical, administrative, etc.)
• Know common findings and mitigations for the PenTest.