Make Sure You’re Getting a Porsche and Not a Lada
Following on from our previous blog “A Convincing Argument for Penetration Testing”, let’s now look at how to successfully navigate a crowded marketplace and choose a penetration test provider shrewdly.
There are hundreds of companies offering penetration tests in the UK. When you hand over the keys to your organisation (metaphorically speaking), how can you have confidence your penetration tester will apply the controls required to protect your sensitive data and IP?
Also, what will you be paying for exactly? Careful, it might be a cheaper vulnerability scan and not a true penetration test at all.
Will the report you receive provide clear insights you can implement to strengthen your organisation’s cybersecurity? Will your non-technical board members be able to decipher it, or will they need help to understand its findings?
You’ll also want to evidence that your precious budget has delivered value for money. Penetration testing is normally sold on a daily rate, typically anywhere between £600 and £3,000.
For answers to the above questions, and in the interests of avoiding a costly mistake, please read on.
WHAT TO LOOK FOR IN YOUR PENETRATION TEST PROVIDER
Their Credentials and Employees
Serious penetration test providers that deliver a quality service will evidence their expertise by undergoing independent verification.
This means allowing CREST, a UK non-profit information security standards authority, to ratify their testing processes and support services. CREST reassesses its approved providers each year in order to maintain high standards.
Look for a company accredited by the National Cyber Security Centre (NCSC) if you’re in the public sector, or if you supply to government. They should be a CHECK Green Light service provider. Like CREST, the NCSC CHECK programme will confirm the provider’s services have been scrutinised against rigorous standards.
Also, look out for ISO 27001 certification which is another trustworthy quality standard.
Important: The provider’s certificate should clearly say “penetration testing services”.
Ask your potential provider how they vet employees. Do they use the services of an independent screening company or do they do it themselves in-house? Screening by a third party avoids bias. Remember to ask about everyone involved in delivering your test, and don’t limit your due diligence solely to the tester.
Most importantly, vetting should include a criminal record check. If you’re a government supplier, this should include verifying the government Security Clearance (SC) of everyone involved in your test. You may want to find a tester with Developed Vetting (DV) clearance (over and above SC) if that’s relevant to your situation.
A PENETRATION TEST vs. A VULNERABILITY SCAN – UNDERSTANDING THE DIFFERENCE
A vulnerability scan is an automated method of analysing computers, networks, applications and similar assets for security issues.
A penetration tester, by contrast, uses such tools as only one part of a comprehensive and skilful process. Your penetration tester will draw on their experience and knowledge while adopting exactly the same mindset as a determined cyber-criminal.
Ask your potential provider for details of their penetration testing methods or a description of their process. This lets you confirm you’re getting a thorough, threat-based penetration test and not just a vulnerability scan disguised as one.
THE SCOPE OF YOUR PENETRATION TEST
To make sure your security objectives are met, your penetration test provider should give you a scoping document. This document is the blueprint for your penetration test. It should be easily understandable and confirm:
- Who is doing the testing
- What is being tested
- Why it is being tested
- How it is being tested
- Where the testing will take place
- When the testing will take place
Your provider will need your help to prepare your network or system for the test, and they’ll need assistance notifying all relevant personnel. These requirements should be formally captured and detailed in your scope document.
THE PENETRATION TEST REPORT
Penetration testers have the skills to hack into most systems, but they should also be able to report their findings clearly. A quality penetration testing service will readily share sample reports with you.
Key points to check:
- Are you provided with a management summary understandable by non-technical people? The results should not be confined to technical jargon about your threats and vulnerabilities. A good report will enable your company to discuss risk, and the impact of that risk, more widely. It should help you come to a measured conclusion about which vulnerabilities you are, or are not, prepared to live with.
- In contrast to highly technical reports, some reports summarise vulnerabilities without including important technical information. This means the penetration test won’t benefit those in an IT role who might have been able to take action on the more technical aspects of the findings.
- Do you receive a technical overview setting out the threat and vulnerability considerations for your target system? Is it set out in a meaningful way?
- All identified threats to your organisation should be prioritised. This is often presented in a table using a RAG (Red, Amber, Green) classification.
- Are the identified vulnerabilities reported in enough detail? Is there sufficient information for you to understand your level of risk and the potential business impact? Are details included that will allow you to reproduce the findings, or is the penetration test provider withholding information you should know?
- Is detailed remediation information provided and is it specific to your environment? Look out for generic one-line statements such as ‘provider suggests you fix X’.
In the next blog post in our series focusing on penetration testing, we’ll examine the roles of red, blue and purple security teams, and discuss the differences between them.