Given the number of vulnerabilities that have gone global in the past few years, enterprises can’t afford to keep relying on reactive security. Just hoping that an alert doesn’t go off isn’t a strategy. Instead, groups should embrace penetration testing.
For those unfamiliar with the concept, a typical pentest project consists of a pentester putting on their “evil person” hat and attacking a target, looking to infiltrate the organization in the way that a malicious party would. From there, organizations can see how much access a hacker could get, and what they could do to the environment if/when they got in.
To select a suitable pentesting solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Tonimir Kisasondi, co-founder, Apatura
Any penetration testing is a tradeoff between scope definition, number of issues found and allocated time and budget. With that in mind, how can you get the most out of a security review?
Do not constrain the scope. Real attackers don’t care about scope. Make sure that your security reviews aren’t limited to a very narrow set of assets, and that they cover all of your assets, infrastructure, applications and even processes. A hardened operating system and services won’t do you any good if an attacker breaches that custom developed web application. Or if a technical error brings down your database and you can’t restore your backups. Make sure your security review covers all of your assets.
Consider the depth of testing that should be performed. Use the test to verify that your detection systems can detect the attacks being performed, and that you can trace any potential errors or other ways your applications broke when there were actual knowledgeable experts attacking it.
Select the right approach to a security review. While a black box testing approach may provide acceptable results, a lot of issues can be found by looking at the source code or servers running your applications. When choosing a penetration test approach, consider which type of testing may provide you with the most useful type of feedback.
Daniel Martin, Founder, Security Roots
There are several key questions to answer before considering a pentesting solution or partner.
- What are your requirements?
- Why do you need a penetration test?
- What is the goal of the test?
If you cannot answer these questions, find external help to clarify your requirements before researching pentesting solutions or firms.
Establish your requirements and expectations. You need to know and ask for what you need help with – be it a pentest, vulnerability assessment, or security awareness training for your development team.
Examine the company background. Have they worked in your industry and research technologies relevant to your organization? Discuss their insurance coverage and legal documents upfront.
Once you’ve established requirements, ask each vendor to address them. It will help you understand their approach and understand their knowledge of the relationship between security and your business needs, including the tradeoffs involved in different assessment and remediation solutions and strategies.
Your vendor’s approach should align with your business goals. Ask for examples of similar projects they have undertaken, push for a sanitised report. The final deliverable should stand on its own, providing complete information about the project: a description of the scope, a high-level executive summary, and a detailed list of findings. It should include remediation advice and supporting information to validate the team’s work and verify mitigation after remediation.
Jim O’Gorman, Chief Content and Strategy Officer, Offensive Security
When arranging a penetration test, the most important question to ask is, what do I hope to accomplish from this? Whether your goal is to find and eliminate as many issues as possible in the shortest amount of time, meet a compliance mandate, simulate the actions of a malicious party that has targeted your organization to discover the “worst case scenario,” etc., communication with your service provider is essential.
Many of these goals will make some of the other goals not possible, so it’s important you pick your primary goal and focus on that. Clearly communicate what you need to the service provider and ask them what they can do to help you obtain that goal. If they have a single cookie-cutter approach to assessments that does not match up to your goal, they are not the provider for you.
Many customers start confused about what they want to accomplish – and they end up with whatever the service provider feels like giving them. Only you know what your organization needs, and it’s up to you to communicate them clearly and from the start.
Josh Wyatt, VP, Security Services, Rapid7
First things first, it is important to understand your business and your business risk. Working with advisory services can help identify the risks that your organization should address, and this risk assessment will help not only help identify what needs to be tested but also what needs to be prioritized.
Then, a plan of action can be designed, and this plan will have the organization’s assets and the penetration testing services that align with them. It is important to also know what is covered in the pentest solution and what is not. It is also important to understand how to take the pentest results and implement them across the entire organization.
Since penetration tests are limited in scope and time, they often do not identify all instances of vulnerabilities. So, the findings should be not only remediated, themselves, but they should be used as templates and hints to search for other instances where the vulnerability could manifest itself. Penetration testers do not work in a vacuum — the organization should be prepared to take an active role in its own security.