The UK's National Cyber Security Centre (NCSC) published guidance on July 1 based on insights from penetration testers who work with the agency. The testers were asked a simple question: what defensive measures make their jobs hardest? Their answers provide a roadmap for security teams looking to strengthen defenses against both authorized testing and real-world attacks.
Secure-by-design systems topped the list of effective defenses. According to the NCSC, this approach includes using threat modeling during development, mandating strong authentication methods (particularly phishing-resistant multi-factor authentication) for privileged users, changing default passwords in tools, and validating input data as early as possible. The approach also requires securely storing credentials, avoiding hard-coded credentials in software, and protecting sensitive data both at rest and in transit when unauthorized access risks exist.
Network segmentation emerged as another significant obstacle for penetration testers. Organizations can achieve this through high-level network design, VLANs, firewalls, or by managing users and groups with separate accounts for different network areas. The NCSC emphasized that operational technology (OT) systems must be separated from IT networks to prevent lateral movement and protect availability. Effective segmentation goes beyond simple separation, requiring organizations to control what crosses boundaries between zones, minimize exposed connections, standardize access routes, and use privileged access workstations for administrative tasks.
Quality logging and monitoring capabilities make attackers' work significantly harder, but only when implemented correctly. The NCSC stressed that even sophisticated logging systems prove useless unless organizations collect the right data and respond appropriately. This means security teams must move beyond passive data collection to active investigation of alerts.
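One way to make the "collect the right data and act on it" point concrete is a small detector that turns the guidance above (phishing-resistant MFA for privileged users, privileged access workstations, IT/OT separation) into alerts. This is an added example, not code from the NCSC guidance or the article; the log format, the zone table, the PAW addresses and the sample lines are all constructed assumptions.

```python
# Added example: flag authentication events that contradict the NCSC's
# recommended controls. Log format, zones, PAW list and users are assumptions.
import re
from dataclasses import dataclass

# Assumed environment description (constructed for this demonstration).
PAW_IPS = {"10.10.9.1", "10.10.9.2"}              # privileged access workstations
ZONES = {"10.10.": "IT", "10.50.": "OT"}          # subnet prefix -> segmentation zone
PRIVILEGED = {"admin.alice", "svc-backup"}        # accounts that must use MFA + PAWs

# Hypothetical one-line auth record format used by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    reason: str

def zone_of(ip: str) -> str:
    """Map an address to its zone using the longest-prefix table above."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def detect(lines):
    """Return the alerts a defender should actually investigate."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count parse failures: silent drops hide gaps
        e = m.groupdict()
        if e["result"] != "success":
            continue  # successful events are where the controls must have held
        if e["user"] in PRIVILEGED and e["mfa"] == "no":
            alerts.append(Alert(e["ts"], e["user"], "privileged login without MFA"))
        if e["user"] in PRIVILEGED and e["src"] not in PAW_IPS:
            alerts.append(Alert(e["ts"], e["user"], "privileged login not from a PAW"))
        src_zone, dst_zone = zone_of(e["src"]), zone_of(e["dst"])
        if dst_zone == "OT" and src_zone != "OT":
            alerts.append(Alert(e["ts"], e["user"], f"{src_zone}-to-OT boundary crossing"))
    return alerts

# Constructed sample log: one clean privileged login, one failure, one bad login.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth user=admin.alice src=10.10.9.1 dst=10.10.20.5 result=success mfa=yes
2024-05-01T08:05:12Z auth user=bob src=10.10.30.7 dst=10.10.20.5 result=failure mfa=no
2024-05-01T08:07:44Z auth user=svc-backup src=10.10.30.7 dst=10.50.1.2 result=success mfa=no
2024-05-01T08:09:00Z unrelated line that does not parse""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields three alerts, all for the `svc-backup` event, which is the kind of finding the guidance says must be investigated rather than merely stored.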
The NCSC recommends that organizations build comprehensive incident response plans, communicate them regularly to teams, and conduct exercises to test their effectiveness. By implementing these penetration tester-validated defenses, security teams can create environments that resist both authorized testing and malicious compromise attempts.
Source: https://www.infosecurity-magazine.com/news/ncsc-tips-make-pen-testers-job/