Tech Insight: Getting The Most Out Of Third-Party Pen Tests
Tips companies can follow to be sure they get a pen test that meets their needs
John H. Sawyer,
December 05, 2011
Penetration testing has become a regular expense for organizations of all sizes. The common problem is that the pen-testing services are not one-size-fits-all, and companies seeking these services don't always know what to look for. For example, do they want a pen test or a vulnerability assessment -- and do they know the difference?
Because the reasons for procuring the test can vary greatly, knowing what they want and what to ask for might be easier. Sometimes the reason is the company is looking to validate the effectiveness of its security program. Often, it's being done to fill in a checkbox.
No matter the impetus, a company shouldn’t settle for a shoddy pen test (e.g., a vulnerability scanner report passed off as a pen tester's final report). There are a few tips that companies can follow to ensure they get what they want and expect from a pen test. These tips include understanding and having well-defined goals for the test, allocating necessary resources (e.g., IT support, test accounts) for the test, and choosing the right pen-testing firm to meet their needs.
Having clear goals at the start is one of the more common issues encountered by companies looking to acquire a penetration test. Often, a company will simply say, "We want you to break in," and while that's certainly one of the underlying tenets of a pen test, it's more of a disservice to both sides if that's the only goal. Pen tests should have well-defined goals that will ultimately help ensure the organization is well-protected against attack, with a final report that helps provide a road map on how to become more secure by fixing found deficiencies.
Not having well-defined goals can lead to poor project scoping, resulting in a false sense of security once a pen test is complete. For example, a new Web application that has been developed in-house that allows customers to access sensitive information over the Internet might be overlooked by a less thorough pen tester focused on simply "getting in" because there are easier targets. The company receiving the report might fix the exploited vulnerability and feel safe since the issue was remediated without realizing it's still exposed to attack.
One of the questions regularly asked by a pen-testing firm to help establish the goals of a pen test is what the worst-case scenario would be if the company were to experience a security breach. Depending on who is asked, the answer can vary, but most tend to center around revenue loss through system downtime, damage to brand through website defacement or publicly disclosed data loss, and loss of competitive advantage because of stolen intellectual property and trade secrets.
Answering that question can help the company and pen-testing firm work together to better design a test that will meet the needs of the company and present clearer goals for the pen testers.
Once the goals and details of the test are laid out, companies should allocate the necessary resources during the testing period for a successful partnership during the penetration test. This is an important tip because there needs to be someone available to answer a phone at 2 a.m. if an important service is taken offline, a high-risk vulnerability is discovered in a critical asset, or evidence of an existing compromise is found.
Tests involving scenarios like insider attacks, and testing of preproduction Web applications in testing environments typically need accounts created, firewall exceptions, or VPN credentials established prior to the test.
The unfortunate truth is these things don't always get taken care of on time and can introduce delays in testing that could cause problems for both parties. Having accounts, firewall and IPS/IDA exceptions and credentials prepared before work begins, and/or personnel on-hand to easily address issues as they arise will help the pen test run smoothly.
Our last tip is one that isn't much different than the process an individual might use in finding a new general physician or dentist. When seeking a pen test, companies should check around for recommendations. There's nothing wrong with CSOs and security team members asking peers and friends for advice. Having a solid, personal recommendation will go a long way in creating a solid relationship with a pen-testing firm that can last for years.
References can also be requested from pen-testing firms of past clients. Of course, references aren't likely to be included from those who've had negative experiences, but it will help companies get a better feel for the pen testers they are considering.
Part of the recommendation and reference process should include asking for sample reports from the pen-testing firm. Companies should avoid firms whose reports look like it a vulnerability scan report with the firm's logo stamped on top. Instead, companies should look for reports written with correct audience in mind and plenty of detail about the findings and their associated risks.
Ed Skoudis, a SANS senior instructor and a founder of InGuardians, a Washington, D.C.-based information security consulting firm, provides great advice to penetration testers looking to take their reports to the next level, which can also help in finding a quality pen-testing firm. He recommends that the findings include technical details on the vulnerability and risk to the organization, along with detailed mitigation recommendations and methods to validate the finding. (See the Vol 1., No 7 issues of PenTest magazine for more tips.)
Companies looking for a penetration test can get a quality test, but they need to be ready to put the time into choosing the right firm, knowing what they want to get out of it, and working with the firm to make sure both partners are happy with the deliverables in the end.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.