Regular penetration testing should be a key part of your security strategy but is dependent on the consultant or vendor delivering a test that will provide genuine, actionable results. Last time, we covered six key questions you should be asking any penetration tester, including checking their qualifications and methodologies. Below are six more questions we suggest posing to confirm if a tester is right for you.
How can you contact them?
As part of managing the risks of the test, you should be given a clear line of communication with the team to help coordinate. On rare occasions testing certain systems can impact services in unexpected ways. You must be able to speak to the tester quickly and establish if they are causing the issue, and if so get them to pause and re-evaluate the test.
Likewise, if you see some strange system activity, you need to be able to quickly confirm it is part of the test and not a coincidentally timed real attack.
How can you complain?
This might seem overly pessimistic, but it’s an important thing to know. Pen testing is not without risks, so if something goes wrong, you’ll want a clear path for filing a complaint and resolving any issues. We’re members of CREST for example, so if we mess up, they’ll come and give us a talking to (so far, so good).
How do they rate risk?
The objective of a pen test should be to help you understand your current level of risk and give you a clear indication of what to do next. While many will present this as a severity rating, we find this isn’t as much help for prioritising remediation and prefer a risk rating instead.
This is determined by multiple different factors and is a bespoke analysis for each individual case. For example, something might appear high risk from a scan, but actually be behind a decent firewall or contain data of low importance, resulting in a lower risk score. This means two organisations with the same vulnerability could have drastically different risk ratings.
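To make the severity-versus-risk distinction concrete, here is an added example (not code from the original article or from A&O IT Group) of a contextual risk-rating calculation. The weighting factors, the band thresholds and the two sample organisations are all constructed for illustration; a real rating scheme would use whatever factors the tester agrees with the client. The point it demonstrates is the one in the text: the same scanner severity can land in very different risk bands depending on exposure, data importance and compensating controls, and a lower-severity finding on an exposed, data-rich system can outrank it for remediation.

```python
from dataclasses import dataclass

# Constructed weighting factors: how much the environment scales raw severity.
EXPOSURE_FACTOR = {"internet": 1.0, "firewalled": 0.6, "internal": 0.4}
DATA_FACTOR = {"high": 1.0, "medium": 0.7, "low": 0.4}
# Each compensating control (WAF, MFA, segmentation, ...) trims the score by 15%.
CONTROL_DISCOUNT = 0.85


@dataclass(frozen=True)
class Finding:
    title: str
    severity: float  # raw scanner severity on a 0-10 scale (CVSS-like)


@dataclass(frozen=True)
class Context:
    org: str
    exposure: str            # key of EXPOSURE_FACTOR
    data_sensitivity: str    # key of DATA_FACTOR
    compensating_controls: int = 0


def risk_score(finding: Finding, ctx: Context) -> float:
    """Scale raw severity by the client's context; returns 0-10, rounded to 0.1."""
    if not 0.0 <= finding.severity <= 10.0:
        raise ValueError(f"severity out of range: {finding.severity}")
    score = finding.severity
    score *= EXPOSURE_FACTOR[ctx.exposure]
    score *= DATA_FACTOR[ctx.data_sensitivity]
    score *= CONTROL_DISCOUNT ** ctx.compensating_controls
    return round(score, 1)


def risk_band(score: float) -> str:
    """Map a contextual score to a remediation band (constructed thresholds)."""
    if score >= 7.0:
        return "Critical"
    if score >= 4.0:
        return "High"
    if score >= 2.0:
        return "Medium"
    return "Low"


def prioritise(findings: list[Finding], ctx: Context) -> list[tuple[str, float, str]]:
    """Order findings for one organisation by contextual risk, highest first."""
    rated = [(f.title, risk_score(f, ctx), risk_band(risk_score(f, ctx))) for f in findings]
    return sorted(rated, key=lambda row: row[1], reverse=True)


# Constructed sample data: one high-severity finding seen by two organisations.
SAMPLE_FINDING = Finding("Outdated web framework (hypothetical)", severity=9.0)
ORG_A = Context("Org A", exposure="internet", data_sensitivity="high")
ORG_B = Context("Org B", exposure="firewalled", data_sensitivity="low",
                compensating_controls=1)

# A second, lower-severity finding that sits on Org B's exposed, data-rich portal.
PORTAL_FINDING = Finding("Weak session timeout on customer portal (hypothetical)",
                         severity=5.0)
ORG_B_PORTAL = Context("Org B", exposure="internet", data_sensitivity="high")

if __name__ == "__main__":
    for ctx in (ORG_A, ORG_B):
        s = risk_score(SAMPLE_FINDING, ctx)
        print(f"{ctx.org}: severity {SAMPLE_FINDING.severity} -> risk {s} ({risk_band(s)})")
    # Same organisation, two systems: severity order and risk order differ.
    print(prioritise([SAMPLE_FINDING], ORG_B) + prioritise([PORTAL_FINDING], ORG_B_PORTAL))
```

Run as a script, the output shows Org A's finding rated Critical and Org B's identical finding rated Low, while Org B's severity-5 portal issue comes out High and therefore ahead of it in the remediation queue. Whatever scheme a tester uses, the report should state the factors behind each rating so you can challenge them; a score you cannot trace back to its inputs is no more useful than a raw scanner severity.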
What will the end report contain?
Different practitioners will have their own approaches to how they report results to clients, and some may offer more detail or advice on remediation than others. You could ask prospective testers to share an anonymised example of one of their real reports to give you a good idea. Even this can be a good test in itself – we were once sent a sample report that failed to properly redact the client’s name – NOT something you want in a trusted security partner!
Will they remediate for you?
Some testers will offer to remediate any issues up front, while others will hold back unless asked specifically. We will gladly help if the client wants us to, but we choose not to advertise remediation as it can come across as though you're inventing problems to solve, which can damage trust. If you are expecting remediation action along with advice, make sure you ask directly.
How is your assessment data stored?
Data privacy and security should be a top priority for any organisation. Pen tests will naturally unearth some highly sensitive data about your network, so it’s important to know how the tester will be managing it after the fact. How long they will keep the data on file is important to know, and it can also be good to check where their servers are located to avoid any geopolitical or regulatory issues that may be at play.
If a consultant struggles with any of these sets of questions, the chances are they do not have the depth of knowledge or operational structure needed to deliver an in-depth test that will provide you with actionable results. If you’re shopping around, you could use these questions as part of your due diligence to help determine which provider will best meet your needs.
Head of Cyber Security, A&O IT Group
If you’re looking for a pen test partner to test these questions out on, get in touch.