Red teaming is highly effective but can be a risky way to evaluate a business’s security posture – as the September 2019 arrest of two US pen testers on burglary charges showed.
However, Acunetix offers five top tips on approaching a red team exercise more safely.
* Agree on the conditions in detail ahead of red teaming
Spell out as much detail as possible, specifying the areas of your security programme you wish to test. Pen testers may try things like phishing, social engineering, or disabling physical security measures during a real-life attack.
* Have everything in writing
Ensure you are legally covered if anything goes wrong. A detailed agreement or contract will safeguard both the pen testers and you. Will testers need ID cards to prove they were carrying out a requested activity, if questioned by law enforcement, for example?
* Know relevant local laws
Regulations pertaining to penetration testing can vary greatly between countries or even regions. Ensure everyone, including internal teams, know about these laws. It’s easier to prevent problems than fix them afterwards.
* Inform potential stakeholders
Testing that involves checking human behaviour might mean people need to be kept in the dark. However, there can be serious consequences if key stakeholders are not kept in the loop: consider carefully who must be informed.
* Expect things to go wrong
Red teaming is, by its nature, invasive. Even if the team members perform professionally and carefully, accidents can happen. Therefore, protect the cyber and physical assets involved in penetration testing, including backups.
“Despite potential risks, penetration testing and red teaming are such an excellent way to verify the security posture that you should not be discouraged,” writes Acunetix blogger Tomasz Andrzej Nidecki.