SpiderLabs Blog

Time Windows for Penetration Testing

When penetration tests are scheduled, customers often request that testing occur during off-peak hours, such as late evening to early morning. For example, requested hours for testing could be 7pm – 7am, or even 11pm – 6am.

A big reason to have these testing time windows is to prevent peak-time outages. Most organizations need to keep systems up and running for their services and customers. Any outage caused by penetration testing could be costly, acting as a denial of service that prevents sales and perhaps affects revenue.

One thing to keep in mind, however, is whether a SOC or any other monitoring is in place during these off-peak hours to be notified of an outage. Is there a 24/7 staff monitoring service during these late hours of the night and early morning? If not, then any outage that occurs during these hours may not be noticed until peak hours begin and employees start their workday. If there is no 24/7 staff or monitoring availability, then automated real-time alerts, such as phone calls or text messages to the IT staff, are crucial to prevent the damage that the time windows were specifically set up to avoid.

There are some occasions when pentesting is requested during peak times, so that staff are present and working to monitor any issues, events or alerts that happen as a result of penetration testing. Another aspect to be aware of is that for penetration testing to be most beneficial, it must replicate as much as possible what a real attacker would do. A real attacker would not necessarily stick to requested testing time windows. A real attacker may not even avoid performing denial of service attacks (or maybe they would, so as to be as stealthy as possible). There is also the amount of time a real attacker has compared to a penetration tester, who is limited to a specific number of hours to perform testing. A customer requesting a penetration test would be best served by giving their tester the flexibility to replicate a real attacker, while still keeping within a budget of hours allocated for the tester.

Another important aspect of penetration test time windows is capturing network traffic. Many penetration testing attacks capture traffic that users in the environment generate on the network. If testing is done when no one is working, potential vulnerabilities in the organization could be overlooked, giving the customer a false sense of security. It can be very beneficial, especially for internal penetration tests, to have testing performed during peak hours to capture any potential weaknesses that can be more easily identified while employees use their IT systems for everyday business. As an example, even though a bit exaggerated, would you restrict a vishing attack to the hours of the day when employees are not at their desks to answer their phones?

The recommendation here is to not restrict penetration tests to any time windows. If there is a fear of outages, communication with the penetration tester is key. Many of the testing activities performed in modern penetration tests should not result in any outages. However, extra care can be taken on the side of the penetration tester. Specific denial of service attacks should not be performed unless approved by the customer on a system that will not affect their business. Additionally, a longer length of time for testing is more beneficial, as the tester will have more time to identify weaknesses that may be present, especially in larger environments with many systems and services.
