Penetration testing is an essential activity for gaining a real understanding of your security posture and identifying vulnerabilities and attack paths that will fly beneath the radar of automated vulnerability scans. However, we often find that pen testing is treated solely as a box-ticking exercise by many companies – something to be done once a year or so and then largely forgotten about. And unfortunately, there are all too many security consultants out there who will happily go through the motions and pocket the fee.
Below we’ve compiled some of the most important factors in getting real value out of a pen test – and the most important questions you should be asking prospective pen testing partners to ensure success.
What frameworks do they use internally?
You want your pen testers to be practising what they preach and keeping their own business operations well secured. They should follow at least some form of certification or security framework, such as ISO 27001 or NIST, to guide their own internal security strategies. Depending on their size and resources they may be following different ones – ISO 27001 can be a bit pricey for a smaller start-up, for example.
Coupled with this, ask them what internal security assessments they carry out – we assess our own infrastructure at least once a month for example.
If they struggle to answer these questions about their own practices, they won’t be the best judge of yours.
What certifications do they have?
Being a good security practitioner requires a healthy dose of experience and intuition alongside official certification, but knowing your team’s qualifications will tell you a lot about how capable they are. Ideally, pen testers should be armed with practical qualifications such as CREST’s CRT and OSCP. A more general qualification like a master’s in computer science is unlikely to be much use here.
What methodology will they be following?
Having a clear methodology is absolutely essential for successful pen testing. There are several different methodologies they might be following, including many popular open-source ones. OWASP (Open Web Application Security Project) is perhaps one of the best known, with others including OSSTMM (Open-Source Security Testing Methodology Manual) and ISSAF (Information Systems Security Assessment Framework).
Pen testers will typically be using a home-grown combination of different frameworks or might even have their own proprietary methodology that they have developed themselves.
Whichever way they go, they should be able to explain their chosen methodology and how it relates to your infrastructure. One thing to note: they might not be able to delve into too much detail from the get-go. They should know the main steps in terms of scope and exploration plans, but more specific activity will depend on what they find.
What are the risks?
Pen testing can be a tricky business. Properly assessing the potential for an attack often means actually going through the motions of one, which can be disruptive to your operations if care is not taken. Your pen tester should be able to tell you what risks they anticipate and what their mitigation strategy will be. Indeed, you shouldn’t really have to ask.
Whenever we encounter something that might cause an issue, we’ll stop and check in with our client first. If a pen tester just barges in, they could be as much of a threat as a real attacker, knocking crucial databases offline or disabling essential machinery in the middle of the workday.
How do they disclose vulnerabilities?
Sometimes during the course of an ordinary pen test, an analyst will stumble across a piece of public software that contains a previously unreported critical vulnerability. When this happens, they have a responsibility to disclose it to the software vendor so it can be patched before a threat actor discovers and exploits it. You’ll want to ensure that such an event doesn’t impact your own security, so it can be good to agree a process on how to handle it if it comes up.
Just what is a pen test, anyway?
“Penetration test” has become a bit of a generic term that is often applied inaccurately to other activity such as vulnerability assessments. To be on the safe side, ask a potential partner to explain what they’ll be doing and what you’ll get out of it, to make sure you’re on the same page.
Automated vulnerability assessments are more about breadth, aiming to find vulnerabilities in all of the infrastructure included in the scope of work. Pen testing will go further and actually test these vulnerabilities to ensure the risk is genuine and not simply a false positive. Both feature the use of automated tools, but pen testing will move on from initial scans to focus on manual activity from security practitioners as they investigate potential vulnerabilities. In some cases, such as if the pen test is part of a larger red teaming exercise, the activity may be entirely manual. Here the team will seek to emulate a real attack and stealthily move past defensive solutions and security personnel without triggering the alarm.
Head of Cyber Security, A&O IT Group
Asking these six questions when reaching out to prospective pen testing partners will help you to understand how well they know their trade, and whether or not they are a good fit for your needs. Stay tuned for part two of this blog, where we’ll cover the best questions to ask around working together and managing expectations for the test results.