Five questions to ask your penetration testing provider
How to choose the right provider for your penetration tests and security audits
If you are managing an information system (and there is a good chance that you are!), the information stored and processed by your company is at risk of being accessed by cybercriminals. It is now more essential than ever to test and safeguard your computer network.
As a penetration test is something that should be conducted at least once annually, and is a service that heavily relies on human intervention, you need to know as much as possible about the provider you have chosen and how competent they are to conduct the tests and provide the reports. These are five questions you need to ask to understand and evaluate the tools, methods and expertise of a penetration testing provider before you agree to give them access to your system and information.
1. How does penetration testing differ from other types of security testing, such as vulnerability scans?
Although you may already know the answer to this question, you should always ensure that your potential service provider is able to articulate the differences that make a penetration test unique. Beware of any provider that interchangeably uses the terms "penetration test" and "scanner", or claims that their penetration testing process is fully automated. The quality of your penetration test will be determined by the competence of the testing consultants and the methodologies and tools they employ.
2. Which methodology do you use for carrying out a penetration test?
Methods and techniques for penetration tests and security assessments vary depending on the service provider, but some basic operations are common to all providers. Even if a set methodology is not used, the provider should be able to deliver clear insight into the steps involved and the tools used during each step of the process.
3. Do your testers have certifications in offensive security?
It is important to know that the people who carry out the test are competent and up to date regarding security trends. Try to find out which certifications the team holds. There are a variety of certifications that demonstrate general knowledge on information security and technology, but auditors often have certifications from SANS (GIAC, etc.) or OSSTMM.
Pay particular attention to competence-based certifications (those with practical as well as theoretical assessments), such as OSCP or OSCE (Offensive Security), which are becoming very popular in the information security community.
4. How will you protect my data during and after testing?
Try to identify how the service provider secures your data during the test and throughout the report delivery process. If you are able to inspect the auditors' workstations, verify that full disk encryption is enabled and that the system configuration is hardened. When it is time to deliver the final report, your auditor should also propose a secure delivery method. Confidential data, including test reports and traces, should never be sent as a plain-text e-mail. Secure FTP or file-sharing sites protected by SSL/TLS can be used, as can e-mails with encrypted attachments.
5. How will you ensure the availability of my systems and services during testing?
As a penetration test is a real attack against your systems, it is impossible to guarantee the availability of your services throughout the test. However, an experienced tester should be able to judge whether a particular attack is likely to weaken your system or crash a service.
You can also help your auditor by alerting them to any important or less robust systems on your network, for example manufacturers' devices that are known to be extremely sensitive to network attacks. The ideal provider will work closely with you to address operational concerns and will monitor the tests and the status of the audited information system throughout the process.