12:25 PM

Tech Insight: Getting The Most Out Of Third-Party Pen Tests

Tips companies can follow to be sure they get a pen test that meets their needs

Penetration testing has become a regular expense for organizations of all sizes. The common problem is that the pen-testing services are not one-size-fits-all, and companies seeking these services don't always know what to look for. For example, do they want a pen test or a vulnerability assessment -- and do they know the difference?

Because the reasons for procuring the test can vary greatly, knowing what they want and what to ask for might be easier. Sometimes the reason is the company is looking to validate the effectiveness of its security program. Often, it's being done to fill in a checkbox.

No matter the impetus, a company shouldn’t settle for a shoddy pen test (e.g., a vulnerability scanner report passed off as a pen tester's final report). There are a few tips that companies can follow to ensure they get what they want and expect from a pen test. These tips include understanding and having well-defined goals for the test, allocating necessary resources (e.g., IT support, test accounts) for the test, and choosing the right pen-testing firm to meet their needs.

Having clear goals at the start is one of the more common issues encountered by companies looking to acquire a penetration test. Often, a company will simply say, "We want you to break in," and while that's certainly one of the underlying tenets of a pen test, it's more of a disservice to both sides if that's the only goal. Pen tests should have well-defined goals that will ultimately help ensure the organization is well-protected against attack, with a final report that helps provide a road map on how to become more secure by fixing found deficiencies.

Not having well-defined goals can lead to poor project scoping, resulting in a false sense of security once a pen test is complete. For example, a new Web application that has been developed in-house that allows customers to access sensitive information over the Internet might be overlooked by a less thorough pen tester focused on simply "getting in" because there are easier targets. The company receiving the report might fix the exploited vulnerability and feel safe since the issue was remediated without realizing it's still exposed to attack.

One of the questions regularly asked by a pen-testing firm to help establish the goals of a pen test is what the worst-case scenario would be if the company were to experience a security breach. Depending on who is asked, the answer can vary, but most tend to center around revenue loss through system downtime, damage to brand through website defacement or publicly disclosed data loss, and loss of competitive advantage because of stolen intellectual property and trade secrets.

Answering that question can help the company and pen-testing firm work together to better design a test that will meet the needs of the company and present clearer goals for the pen testers.

Once the goals and details of the test are laid out, companies should allocate the necessary resources during the testing period for a successful partnership during the penetration test. This is an important tip because there needs to be someone available to answer a phone at 2 a.m. if an important service is taken offline, a high-risk vulnerability is discovered in a critical asset, or evidence of an existing compromise is found.

Tests involving scenarios like insider attacks, and testing of preproduction Web applications in testing environments typically need accounts created, firewall exceptions, or VPN credentials established prior to the test.

The unfortunate truth is these things don't always get taken care of on time and can introduce delays in testing that could cause problems for both parties. Having accounts, firewall and IPS/IDA exceptions and credentials prepared before work begins, and/or personnel on-hand to easily address issues as they arise will help the pen test run smoothly.

Our last tip is one that isn't much different than the process an individual might use in finding a new general physician or dentist. When seeking a pen test, companies should check around for recommendations. There's nothing wrong with CSOs and security team members asking peers and friends for advice. Having a solid, personal recommendation will go a long way in creating a solid relationship with a pen-testing firm that can last for years.

References can also be requested from pen-testing firms of past clients. Of course, references aren't likely to be included from those who've had negative experiences, but it will help companies get a better feel for the pen testers they are considering.

Part of the recommendation and reference process should include asking for sample reports from the pen-testing firm. Companies should avoid firms whose reports look like it a vulnerability scan report with the firm's logo stamped on top. Instead, companies should look for reports written with correct audience in mind and plenty of detail about the findings and their associated risks.

Ed Skoudis, a SANS senior instructor and a founder of InGuardians, a Washington, D.C.-based information security consulting firm, provides great advice to penetration testers looking to take their reports to the next level, which can also help in finding a quality pen-testing firm. He recommends that the findings include technical details on the vulnerability and risk to the organization, along with detailed mitigation recommendations and methods to validate the finding. (See the Vol 1., No 7 issues of PenTest magazine for more tips.)

Companies looking for a penetration test can get a quality test, but they need to be ready to put the time into choosing the right firm, knowing what they want to get out of it, and working with the firm to make sure both partners are happy with the deliverables in the end.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/19/2012 | 9:39:48 PM
re: Tech Insight: Getting The Most Out Of Third-Party Pen Tests
Great article and so true I would like to add, security and regulatory compliance are not equal,-áa number of organizations are learning that data security and data compliance may not be complementary, but competing priorities. Simply assuming that achieving data compliance equates to optimal-ácyber security-ácould be a misguided philosophy and leave you open for an attacks.My 2-¬ cents GÇô @gatoMalo2
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.