Time Windows for Penetration Testing

When penetration tests are scheduled, customers often ask that testing take place during off-peak hours, such as late evening to early morning. For example, the requested testing hours might be 7pm – 7am, or even 11pm – 6am.

A major reason for these testing time windows is to prevent peak-time outages. Most organizations need to keep their systems up and running for their services and customers. Any outage caused by penetration testing could be costly: it amounts to a denial of service, preventing sales and potentially affecting revenue.

One thing to keep in mind, however, is whether a SOC or any other monitoring is active during these off-peak hours so that someone is notified of an outage. Is there 24/7 staffed monitoring during the late night and early morning? If not, an outage that occurs during these hours may go unnoticed until peak hours begin and employees start their workday. Where there is no 24/7 staff or monitoring coverage, automated real-time alerts, such as phone calls or text messages to the IT staff, are crucial to prevent exactly the damage the time windows were set up to avoid.
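The following is an added example, not code from the original post or from Trustwave: a small, window-aware outage watcher of the kind a customer might run on their own side during an off-hours engagement. It assumes a hypothetical on-call contact list and a caller-supplied probe (an HTTP or TCP check, for instance); the probe results fed in below are constructed for illustration. The window logic handles the overnight case (a 7pm – 7am window crosses midnight), and alerts are raised only after consecutive failures, so a single transient probe failure does not page anyone.

```python
"""Off-hours outage watch for a penetration-test window (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class TestWindow:
    """Daily testing window; `end` may be earlier than `start` (overnight window)."""
    start: time  # e.g. 19:00
    end: time    # e.g. 07:00 on the following morning

    def contains(self, moment: datetime) -> bool:
        """True if `moment` lies inside the window (start inclusive, end exclusive)."""
        t = moment.time()
        if self.start <= self.end:           # same-day window, e.g. 09:00-17:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # overnight window, e.g. 19:00-07:00


@dataclass(frozen=True)
class ProbeResult:
    service: str
    checked_at: datetime
    healthy: bool
    detail: str = ""


@dataclass(frozen=True)
class Alert:
    service: str
    first_seen: datetime
    message: str


@dataclass
class OutageWatch:
    """Raises one alert per outage when a service fails repeatedly inside the window."""
    window: TestWindow
    on_call: list            # hypothetical contact list (phone numbers, pager ids, ...)
    failure_threshold: int = 2
    alerts: list = field(default_factory=list)
    _failures: dict = field(default_factory=dict)   # service -> consecutive failures
    _alerted: set = field(default_factory=set)      # services already paged this outage

    def record(self, result: ProbeResult):
        """Feed one probe result; returns an Alert if this result triggers a page."""
        if result.healthy:
            # Service recovered: clear the failure streak so a new outage pages again.
            self._failures[result.service] = 0
            self._alerted.discard(result.service)
            return None
        count = self._failures.get(result.service, 0) + 1
        self._failures[result.service] = count
        if count < self.failure_threshold:
            return None                       # wait for a repeat before paging
        if not self.window.contains(result.checked_at):
            return None                       # business hours: staff are present, not our concern
        if result.service in self._alerted:
            return None                       # already paged for this outage
        alert = Alert(
            service=result.service,
            first_seen=result.checked_at,
            message=(f"{result.service} failed {count} consecutive probes during the "
                     f"test window; paging {', '.join(self.on_call)}. {result.detail}"),
        )
        self._alerted.add(result.service)
        self.alerts.append(alert)
        return alert


def run_demo() -> list:
    """Replay constructed probe results for a 19:00-07:00 window; returns alerts raised."""
    watch = OutageWatch(TestWindow(time(19, 0), time(7, 0)),
                        on_call=["oncall-primary (placeholder)", "oncall-backup (placeholder)"])
    # Constructed sample: the VPN gateway fails three times overnight, the web tier
    # fails twice at noon (outside the window) and the VPN later recovers.
    samples = [
        ProbeResult("web-frontend", datetime(2024, 3, 4, 23, 0), True),
        ProbeResult("vpn-gateway", datetime(2024, 3, 4, 23, 0), False, "TCP connect timeout"),
        ProbeResult("vpn-gateway", datetime(2024, 3, 4, 23, 5), False, "TCP connect timeout"),
        ProbeResult("vpn-gateway", datetime(2024, 3, 4, 23, 10), False, "TCP connect timeout"),
        ProbeResult("web-frontend", datetime(2024, 3, 5, 12, 0), False, "HTTP 503"),
        ProbeResult("web-frontend", datetime(2024, 3, 5, 12, 5), False, "HTTP 503"),
        ProbeResult("vpn-gateway", datetime(2024, 3, 5, 23, 30), True),
    ]
    for sample in samples:
        watch.record(sample)
    return watch.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a.first_seen.isoformat(), a.message)
```

In practice the probe loop would call a real health check every minute or so and hand the result to `record`; the watcher only decides whether a failure is worth waking someone up for, which is the gap the paragraph above describes.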

On some occasions pentesting is requested during peak times precisely so that staff are present and working to monitor any issues, events or alerts that result from the testing. Another point to bear in mind is that for a penetration test to be most beneficial, it must replicate as closely as possible what a real attacker would do. A real attacker would not necessarily stick to requested testing time windows. A real attacker might not even avoid denial of service attacks (or perhaps they would, in order to stay as stealthy as possible). There is also the matter of time: a real attacker has as long as they need, whereas a penetration tester is limited to a fixed number of hours. A customer requesting a penetration test is best served by giving the tester the flexibility to replicate a real attacker while still keeping within the budget of hours allocated for the test.

Another important aspect of penetration test time windows is capturing network traffic. Many penetration testing techniques rely on traffic generated by users in the environment. If testing is done when no one is working, real vulnerabilities in the organization may be overlooked, giving the customer a false sense of security. Especially for internal penetration tests, it can be very beneficial to test during peak hours, when weaknesses are much easier to identify because employees are actively using their IT systems for everyday business. As a somewhat exaggerated example, would you restrict a vishing attack to the hours of the day when employees are not at their desks to answer their phones?

The recommendation here is not to restrict penetration tests to any time window. If outages are a concern, communication with the penetration tester is key. Most of the activities performed in modern penetration tests should not cause any outages, and the tester can take extra care where needed. Specific denial of service attacks should not be performed unless approved by the customer, and then only against a system that will not affect their business. Additionally, a longer testing period is more beneficial, since the tester has more time to identify weaknesses that may be present, especially in larger environments with many systems and services.
