How to get the most out of your pen test remediations
Security often feels like an uphill battle. Suppose your organization has taken foundational steps – obtaining Cyber Essentials certification and starting regular penetration testing. Congratulations – you’re well-positioned to prevent most opportunistic attacks. However, once the pen test report arrives, many businesses encounter a new challenge: how to manage the remediations effectively.
Pen testing companies often highlight that there are always more remediation tasks than resources, a common concern for every security manager. The crucial question is: how do you prioritise limited resources for maximum security impact? Effective and efficient remediation is essential, and that’s where data becomes invaluable.

Analysing findings data by severity and estimated remediation effort reveals that nearly all critical and high-severity flaws are low to medium effort to fix. This makes them a clear first priority: addressing them ensures maximum impact for minimal effort. But once these easy wins are tackled, what's next?
Consider the different categories
You now face a crucial decision: should you allocate your remaining remediation budget to fix the remaining few critical and high importance issues, or address a larger number of medium-severity findings? This is where data must be considered alongside context. The distribution of severity by the category of the finding can influence your prioritization. We've outlined the severity by category, along with some helpful insights on why you might prioritize certain findings over others.
Chart: category by severity (key omitted)
Encryption
Only 1 in 10 findings are rated as high severity, while nearly half, at 47.64%, are rated medium. Encryption-based attacks are usually more complex to exploit and tend to be used by determined attackers rather than opportunistic ones, so how you prioritise them depends on where your cyber threats originate: if well-resourced, targeted adversaries are in your threat model, these findings matter more than the raw severity split suggests.
Information Disclosure
Almost 7 in 10 findings are rated as low or recommendations, with less than 4% categorised as critical or high. As a result, Information Disclosure weaknesses are generally a low priority for remediation, unless the disclosed information (version strings, internal hostnames, error detail) feeds directly into a higher-severity finding elsewhere in the report.
Injection
Approximately 32% of findings are critical or high-rated, while 37% are medium-rated. Injection attacks are low-effort and high-reward for attackers, which makes these findings prime candidates for remediation. They are frequently targeted, so address them promptly.
Input Validation
These findings are evenly split between medium and low or recommendation. While medium issues can be chained together as part of a larger attack, the absence of critical or high findings makes this category less of a priority for most businesses.
Misconfiguration
Misconfiguration is another category consisting primarily of low or medium findings, but with 1 in 6 rated as high or critical. This makes it important to examine closely what exactly is misconfigured, what it exposes, and from where it is reachable before deciding its place in the queue.
Outdated Components
1 in 6 findings are rated critical, and when combined with high severity they account for over 40%. Outdated components are a common target for all types of bad actors because their flaws are publicly known and easily exploitable, which makes addressing them a quick win for remediation. However, as every security manager knows, patching outdated components comes with its own challenges: compatibility testing, maintenance windows, and components the vendor no longer supports.
Other
"Other" is the catch-all category for findings that fit nowhere else; critical and high vulnerabilities make up just over 20% of it. These require a technical expert to review each finding and make a judgement call on its impact and priority.
Windows Hardening
Over a quarter of findings are rated high or critical, which is significant. However, the 55% rated as medium still deserve attention. Given the ubiquity of Windows and the frequent discovery of new exploits, addressing medium-severity findings is crucial: it is common for multiple medium vulnerabilities on the same host or domain to be chained together in a larger attack, which makes their remediation important.
Take a risk-based approach
Ultimately, it all comes down to risk management. You probably knew this already—that’s why you’re conducting a penetration test. We always advocate for a risk-based approach to cybersecurity rather than implementing random technical controls. By taking a risk-based approach, you'll understand who is likely to challenge your cyber defences, their motivations, and where your infrastructure's biggest weaknesses lie. Leveraging this data ensures that your pen testing remediations are as efficient and effective as possible.
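The prioritisation described above (severity first, then remediation effort, then category context and threat profile, with chained mediums treated as a set) can be turned into a simple triage script. The following is an added illustration, not the article's or WorkNest's own scoring model; the severity and effort tiers and the per-category guidance come from the article, but every numeric weight, the effort-point budget, and the sample findings are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not the article's or WorkNest's own model.
# Tiers follow the article; all numeric weights are assumptions.
SEVERITY_WEIGHT = {"critical": 5, "high": 4, "medium": 3, "low": 2, "recommendation": 1}
EFFORT_COST = {"low": 1.0, "medium": 1.5, "high": 3.0}   # divisor: cheap fixes rank higher
EFFORT_POINTS = {"low": 1, "medium": 2, "high": 4}        # budget units a fix consumes

CATEGORY_WEIGHT = {
    "Injection": 1.5,               # low-effort, high-reward for attackers
    "Outdated Components": 1.5,     # publicly known, easily exploitable flaws
    "Windows Hardening": 1.2,       # mediums are frequently chained
    "Misconfiguration": 1.0,
    "Other": 1.0,                   # needs expert judgement; neutral by default
    "Encryption": 0.8,              # raised when targeted attackers are in scope
    "Input Validation": 0.7,
    "Information Disclosure": 0.5,  # generally low priority
}
CHAINABLE = {"Windows Hardening", "Input Validation"}  # categories whose mediums chain


@dataclass(frozen=True)
class Finding:
    ref: str
    title: str
    severity: str   # critical / high / medium / low / recommendation
    effort: str     # low / medium / high (tester's remediation-effort estimate)
    category: str
    host: str


def category_weight(category: str, threat_profile: str) -> float:
    """Encryption weaknesses matter more when determined, targeted attackers are in scope."""
    if category == "Encryption" and threat_profile == "targeted":
        return 1.2
    return CATEGORY_WEIGHT.get(category, 1.0)


def base_score(f: Finding, threat_profile: str) -> float:
    sev = SEVERITY_WEIGHT[f.severity.lower()]
    cost = EFFORT_COST[f.effort.lower()]
    return sev * category_weight(f.category, threat_profile) / cost


def chain_bonus(findings: List[Finding]) -> Dict[str, float]:
    """+1.0 for each medium that shares a host with another medium in a chainable category."""
    per_host = defaultdict(list)
    for f in findings:
        if f.severity.lower() == "medium" and f.category in CHAINABLE:
            per_host[f.host].append(f.ref)
    return {ref: 1.0 for refs in per_host.values() if len(refs) >= 2 for ref in refs}


def prioritise(findings: List[Finding], threat_profile: str = "opportunistic") -> List[Tuple[str, float]]:
    """Rank findings (ref, score) from most to least worth fixing next."""
    bonus = chain_bonus(findings)
    scored = [(f.ref, round(base_score(f, threat_profile) + bonus.get(f.ref, 0.0), 2)) for f in findings]
    return sorted(scored, key=lambda rs: (-rs[1], rs[0]))


def plan(findings: List[Finding], budget_points: int, threat_profile: str = "opportunistic") -> List[str]:
    """Greedy budget fill: walk the ranked list and take every fix that still fits."""
    by_ref = {f.ref: f for f in findings}
    chosen, remaining = [], budget_points
    for ref, _ in prioritise(findings, threat_profile):
        cost = EFFORT_POINTS[by_ref[ref].effort.lower()]
        if cost <= remaining:
            chosen.append(ref)
            remaining -= cost
    return chosen


# Constructed sample report for the example (not real findings).
SAMPLE = [
    Finding("F1", "SQL injection in login form", "critical", "low", "Injection", "app1"),
    Finding("F2", "End-of-life web framework", "high", "medium", "Outdated Components", "web1"),
    Finding("F3", "SMB signing not required", "medium", "low", "Windows Hardening", "dc1"),
    Finding("F4", "LLMNR/NBT-NS enabled", "medium", "low", "Windows Hardening", "dc1"),
    Finding("F5", "Server version banner", "low", "low", "Information Disclosure", "web1"),
    Finding("F6", "Weak TLS cipher suites", "high", "high", "Encryption", "vpn1"),
    Finding("F7", "Missing length check on upload", "medium", "medium", "Input Validation", "app1"),
    Finding("F8", "Admin console exposed to internet", "critical", "high", "Misconfiguration", "web1"),
]

if __name__ == "__main__":
    for ref, s in prioritise(SAMPLE):
        print(ref, s)
    print("Fix within 6 effort points:", plan(SAMPLE, 6))
```

Two things worth noticing when running it: the two chained Windows Hardening mediums on the same domain controller outrank a high-effort critical misconfiguration, which is exactly the trade-off the article poses, and switching the threat profile to "targeted" lifts the encryption finding above the lone input-validation medium. The weights are the part you should argue about with your tester; the structure (severity, effort, category context, chaining, then budget) is what the article recommends.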
If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

Testimonials from thousands of happy customers
We support over 40,000 UK employers, from small businesses with fewer than 50 employees to well-known household names with large, multi-site workforces.

We’ve always been very impressed with the cyber security services WorkNest provide us. Their professional approach, knowledge and flexibility have ensured they have become a key trusted partner in our supply chain.
Paymentsense
Founder

WorkNest Secure delivered a highly professional and thorough incident response service. Their team’s technical knowledge, attention to detail, and clear communication throughout the process made a complex area easy to navigate. The quality of the analysis and final reporting gave us real assurance and added value to our internal security efforts, minimising the impact to the business.
Shoezone
Head of IT

WorkNest Secure perform Web Application and Infrastructure Penetration Testing for Pharmacy2U. They are always professional to engage with, provide an excellent level of service, and the addition of GuardNest makes receiving and interrogating the results of the service very easy indeed.
We look forward to working with them in the future and trust the work they deliver.
Pharmacy2U
Founder

WorkNest Secure stand out in the field of penetration testing due to the skillset of people they have working there. We undertook a complex bespoke pentest with them, which required a lot of pre-work in order to make sure it was scoped correctly, and they took the time to come onsite to make sure all was correct prior to commencing.
From my experience with them, they are very intelligent people with a deep understanding of the security landscape, and we will continue to use them for future testing requirements.
Interactive Investor
Information Security Manager