Are you looking for a reliable penetration testing partner? Or, maybe this is your business's first experience with one? In either case, you're finally ready; however, you don't know what company to pick.
There are many questions to ask when hiring an external penetration testing company – Do they have the correct certifications? Are they experienced in your market? What is their testing methodology? With the evaluation of your business's cybersecurity posture in consideration, choosing a quality penetration testing firm is not something you want to get wrong.
By the end of this article, you will have the information you need to choose the best penetration testing partner for your business.
What is Penetration Testing?
Starting from the beginning, let's define what a "Penetration Test" is and the alternative services it is often confused with, such as "Vulnerability Scans" and "Compliance Audits".
A penetration test, also known as "Pentesting" or "Ethical Hacking", is a security assessment designed to help organizations identify, assess, and remediate their security vulnerabilities. The alternative services mentioned above look similar, but they typically rely on vulnerability identification through automated tooling, and automated tooling is limited in its ability to detect a variety of security issues, such as business logic and access-control weaknesses.
Furthermore, automated tooling is poor at considering the environment a vulnerability sits in, so it understates the real severity and misses the ultimate path to compromise that a human attacker would see.
Penetration Testing, however, goes multiple steps beyond that:
- Automated tools are commonly used by penetration testing companies as a starting point for the actual security audit. Once the scanning is complete, a security tester will manually attempt to identify and exploit vulnerabilities through various techniques (going beyond the vulnerabilities listed in the scan results). This core manual analysis can take several days but is crucial for finding critical weaknesses that are often deeply embedded in a system's security posture.
- Penetration Testing relies heavily on the human behind the testing. The human factor provides a more realistic evaluation of your security as an experienced attacker would view it.
- Manual pen-testing delivers a zero-false-positive approach with verified POCs (proofs-of-concept). Automated testing identifies a restricted set of vulnerabilities. While helpful, it tends to fall short in its ability to provide reliable POCs, as it does not always perform the complete exploitation process, or interprets it incorrectly, resulting in frequent false positives.
How to select a quality Penetration Testing company?
When engaging a penetration testing company, there are several good practice rules to follow:
- The first is simple, trust the company you choose to hire. They will be accessing your business's most sensitive data and infrastructure as part of the test, so trust is paramount.
- The second rule is to select a company that specializes in penetration testing. While hiring a generalist provider who offers a "one-stop shop" approach to IT support might be convenient, some service providers will attempt to pass an automated scan off as a penetration test. Ensuring the provider holds practical certifications such as OSCP, APTC, or GPEN helps ensure their testers have the necessary skill sets to perform a comprehensive penetration test.
- The third rule is to ensure the provider you're hiring has understandable processes and documentation defining their penetration testing methodology, rules of engagement, and assessment deliverables. While some of these may change throughout the test, you should feel confident in what you hired them to do and in their ability to achieve that task, and you should know every deliverable expected upon completion.
What questions should you ask a Penetration Testing company?
As a general rule of thumb, before engaging a penetration testing company, you must understand your objectives for the test, such as testing a new web application or network, securing intellectual property, or meeting a regulatory compliance requirement.
After you've defined your objectives, the penetration testing company will work with you to provide options that best align with your goals. Some of the common questions discussed are:
- "Scope?" - Scope refers to the assets being tested. Increasing or reducing your scope will directly affect the completion time and cost of the penetration test.
- "Blackbox vs. Whitebox vs. Greybox" - The difference between Blackbox, Whitebox, and Greybox testing, as far as information goes, is what the penetration tester knows before they begin. In a Blackbox test, the tester starts without any information about the company or its technology. They must perform reconnaissance and gather enough information to proceed. Blackbox testing is most representative of what real-world attackers would do. Whitebox tests have complete access to all the necessary information: production configurations, source code, network diagrams – anything they need to know to be successful. Whitebox testing reduces time spent on reconnaissance and focuses more on active vulnerability identification and exploitation. Greybox tests merge Blackbox and Whitebox testing providing testers with some information to get them started, such as IP ranges for scanning purposes; but withholding more sensitive documentation, such as elaborate network diagrams.
- "Deliverables & Follow-Up Activities" - Ensure you clearly define the expected deliverables and any follow-up activities required of the penetration testing provider before the start of the engagement. In addition to the penetration test report, items such as automated scan reports or raw scan dumps should be requested as additional deliverables. Discuss follow-up activities such as how many rounds of validation testing are included and the level of remediation help provided post-engagement. If remediation help is strictly report-based (textual vulnerability remediation documentation), ask for a sample report pre-engagement to confirm you're happy with the level of detail provided.
- "Testing Schedule" - While we try to avoid harmful disruptions to your business, potential impacts to in-scope assets are possible. It's important to schedule the penetration test to reduce the impact on system availability in the event a disruption happens. Questions to settle include "What hours are allowed for scanning?", "What hours are allowed for manual testing?", "Should testing only be performed on specific days?", and "Should testing only be performed during non-business hours?". The answers are unique to your company and will help reduce the potential impact of testing disruptions.
Do you have more questions about penetration testing? Contact Parsysco Cyber today or request a quote.