Think Your Organisation Needs a Penetration Test? Read This First
How to Make the Best Choice
Are you a pen test newbie? Or perhaps you arranged a penetration test in the past and didn’t receive the service you expected? If so, this blog will help you.
FACT: Penetration testing isn’t cheap.
The day rate for a penetration tester ranges from £600 to £3,000, with travel and (potentially) accommodation on top. But let’s put this into context: you’d pay triple to avoid the blindsiding consequences of a successful criminal attack, right? And much more to recover from one.
And think about who you’re paying: a highly trained, skilled and completely dedicated professional, who:
- Is highly educated, with at least a bachelor’s degree in a relevant field, such as computer science. Our head of penetration testing, for example, has a master’s degree in computation and wrote his final dissertation on public-key cryptography. Oh, and his socks match too.
- Has a stack of acronym-laden certificates, such as CRT (CREST Registered Penetration Tester), CCT (CREST Certified Tester) and OSCP (Offensive Security Certified Professional).
- Is committed to continually honing their craft; as cybercriminals add more reprehensible tactics to their kit-bag, the good guys can’t afford to rest. Ever.
- Has undergone rigorous vetting: criminal record checks, security clearances, educational and professional certifications and employment records. Sock drawer audit – no. Frisking – only when our office manager takes a shine to them.
- Has years of experience in cybersecurity. Many security pros begin life in IT, which makes sense when you think about it: you can’t test something without a deep understanding of how it works. On top of time served in IT, a junior tester will have 1-4 years of pen testing experience. Senior penetration testers will have 7-10 years or more under their belt. At Perspective Risk, the average tenure of our pen testers is 12.5 years.
- Has the soft skills. A good penetration tester often engages with non-technical business owners or execs and must be able to translate complex technical information into meaningful advice. If they talk over people’s heads, they’ll get terrible feedback, and a caring pen test company asks for feedback after every job!
- And most importantly, is generous with their knowledge and 100% sincere in their desire to help. Let’s be frank: some penetration testers can seem, well, a little egotistical.
These aren’t the types of people we employ at Perspective Risk.
A good tester isn’t motivated by showing off; their motivation lies in leaving your organisation in a better and safer place than they found it. At Perspective Risk, we seek to upskill the teams we work with along the way and to share our knowledge with the wider pen-testing community.
If you think you need a penetration test but you’re just not 100% sure, why not get yourself one of our free cybersecurity assessments?
Three Crucial Questions to Ask Your Potential Pen Test Provider
But how do you know if the pen test provider you’re considering is the right one? By asking questions.
On top of the obvious ones around credentials, here are three vital questions:
Q1. Is the penetration tester actually employed by the provider? Some providers are purely sales fronts, reliant on hired hands. If so, how do they guarantee the ethics, quality and ethos of their contractors?
Q2. Can the provider furnish you with credible testimonials? Ask for case studies and recent references.
Q3. Is the penetration test you are being sold manual or automated? A vulnerability scan uses tools. A penetration test uses tools and humans: a tester verifies what the tools flag, chains individual weaknesses together and demonstrates the real impact, which no scanner does on its own. The answer to this question will reveal whether you’re getting a comprehensive, threat-based pen test or a vulnerability scan masquerading as one.
With hundreds of pen test companies to choose from, it can feel like a game of Russian roulette.
As we’ve already mentioned, pen testing is expensive. It’s critical you find a company that will do an excellent job for you, especially if you’re the one arguing the case and budget for it!
What to Look for in Your Penetration Test Report
Let’s take a minute to understand what an ‘excellent job’ looks like by remembering the point of a penetration test. It’s to identify the holes in your security so you can fix them before the bad guys slide through.
Your pen tester will attack your systems, within an agreed, written scope, using the same tools and tactics as cyber-criminals. The important deliverable is their report. Here’s what it should contain:
- A management summary – one that makes sense to non-technical people and puts your vulnerabilities in context with their likely consequences.
- Actionable advice – equally, your IT pros shouldn’t be left scratching their heads because the report, while listing what’s wrong, is thin on the technical know-how to fix things. Each finding should say where it was found, show the evidence behind it and give concrete remediation steps.
- Prioritised advice – if there’s a lot to remedy, you don’t want to feel overwhelmed. A RAG (red, amber, green) table is one neat way of conveying the priorities, ideally with the basis of each rating (likelihood and impact, or a CVSS score) stated so your team can reorder the work against its own risk appetite.
Ask for a sample (redacted) report before you sign; if you find it wanting, you’ll have saved yourself a bunch of grief.
Our penetration testing buyer’s guide inspired this blog. You’ll find more valuable tips inside it, including a comprehensive checklist of things not mentioned here.
You can have penetration testing done across your IT environment. At Perspective Risk, we deliver network penetration tests, application penetration tests (applications being widely regarded as the Achilles heel of security), wireless penetration tests and mobile penetration tests.
But hang on, you probably don’t have the deepest of pockets, and – like most of us – you need to allocate your resources wisely.
Well, as a reward for valiantly getting to the end of this blog, you’ve got another shot to grab your free cybersecurity assessment.
And just because it’s free, don’t think it’s not worth having!
You’ll be getting the time of one of our cybersecurity consultants, who will provide you with tailored recommendations to improve your security. And no, they’re not on commission, so their advice will be based solely on your best interests.