Wednesday 3 October 2012

PenTesting Pitfall


An article on Softpedia highlights one of the more unusual pitfalls of conducting PenTesting:

http://news.softpedia.com/news/Hack-Attack-on-City-of-Tulsa-Website-Turns-Out-to-Be-Part-of-Penetration-Testing-296151.shtml

As it turns out, hackers were not responsible for the breach. Instead, it was a company hired by the city’s IT department to perform penetration testing. The security firm utilised a test procedure that was unfamiliar to the IT department.

This shows the importance of engaging with the client when scoping the PenTest, ensuring that they understand the process, and defining lines of communication between the client and the PenTesters.

After the incident, the IT department managed to further strengthen the city’s systems, which are said to be targeted thousands of times daily by cyberattacks. It also made officials realise that incident management for IT security should be treated just like the one for natural disasters. The cost of the response to the false incident was around $20,000 (15,000 EUR) for the operation.
