Is it time for a penetration test? Maybe you are worried about the security of your most sensitive information, or are fulfilling your PCI DSS requirements. In either case, the time has come, and you may be scratching your head wondering, “How do I start? Who should I look for? What questions should I ask?”
What is Penetration Testing?
Let’s start by differentiating an actual “Penetration Test” from some commonly confused alternatives: Vulnerability Scans, Compliance Audits, or Security Assessments. These services identify vulnerabilities in your systems, often with the help of automated tools, but they do not consider the real significance of those findings or how they could be combined to lead to a compromise. Penetration Testing goes several steps beyond these services:
Automated tools are only the starting point of a Penetration Test. From there, an ethical hacker manually attempts to identify and exploit vulnerabilities using a variety of techniques.
Because there is a human factor involved, penetration testing offers a more realistic “real-world” simulation of an attempted attack.
Automated tools check for vulnerabilities in individual systems, but an ethical hacker can chain vulnerabilities across multiple systems to compromise your overall security.
Upon uncovering potential weaknesses in your information security controls, an ethical hacker will thoroughly document the steps taken to compromise your systems, often in a narrative format, and provide recommendations for enhancing security within your environment.
How do you select a competent Penetration Testing company?
When engaging a Penetration Testing company, you are essentially granting them a license to attempt to access your sensitive information. So the first rule is simple: trust the company you select. Before anything else, you must fully trust the resource or company you hire with access to the most sensitive information in your organization.
Secondly, ensure that you are working with an experienced team, one that goes beyond a vulnerability assessment (VA) scan. Many companies offer penetration testing services but lack the knowledge or expertise to deliver; this is why certification plays a significant part in establishing that a resource has skill. Practical certifications such as OSCP, OSCE, GPEN, GWAPT and GXPN are a must for any credible penetration testing resource. CEH is not a practical certification.
Beyond this, a penetration test is only as good as the actionable solutions that come out of it; it’s not just about identifying the problem, but also about providing the solution. Ensure that the team you hire has defined processes and documentation and can clearly explain how they develop their test plan, rules of engagement, and final report. You should feel confident that you understand what you are hiring them to do, how they will do it, and what the deliverables are.
What Questions Should You Ask?
As a foundation, you must understand your requirements for a penetration test: to comply with regulatory requirements, to test a new application, to protect trade secrets, etc.
From there, the team you hire should assist you by providing options to achieve your goal and by helping to scope the project. Some details that should be discussed are:
Scope: The scope should not be so broad that the project can’t be completed in a timely, efficient manner, nor so narrow that it limits the consultant’s ability to simulate a realistic cyber-attack.
Blackbox vs. Whitebox: This determines what information the consultant has at the start of the test. In a Blackbox test the consultant starts with no information and must perform additional reconnaissance to obtain what is needed to proceed; this type of testing is the most realistic but also the most time consuming. In a Whitebox test the tester has complete access to any and all information they require, all the way down to the source-code level, so they spend less time on reconnaissance and more time exploiting vulnerabilities. Greybox is a blend of Blackbox and Whitebox and is the most cost-effective approach.
Recommendations: Before beginning an engagement, clearly define whether recommendations will be provided, and to what degree of detail. Consider asking for a sample of recommendations to ensure you’re happy with the level of description and guidance provided.
Scheduling: As with any type of testing, penetration testing can affect the availability of the systems in scope, so it is important to discuss when testing should be executed. During working hours? After hours? The answer is unique to each company and can help reduce the potential impact of testing.
Have more questions? Want to talk to a Penetration Testing professional? Contact Packetlabs today.