12:25 PM

Tech Insight: Getting The Most Out Of Third-Party Pen Tests

Tips companies can follow to be sure they get a pen test that meets their needs

Penetration testing has become a regular expense for organizations of all sizes. The common problem is that the pen-testing services are not one-size-fits-all, and companies seeking these services don't always know what to look for. For example, do they want a pen test or a vulnerability assessment -- and do they know the difference?

Because the reasons for procuring the test can vary greatly, knowing what they want and what to ask for might be easier. Sometimes the reason is the company is looking to validate the effectiveness of its security program. Often, it's being done to fill in a checkbox.

No matter the impetus, a company shouldn’t settle for a shoddy pen test (e.g., a vulnerability scanner report passed off as a pen tester's final report). There are a few tips that companies can follow to ensure they get what they want and expect from a pen test. These tips include understanding and having well-defined goals for the test, allocating necessary resources (e.g., IT support, test accounts) for the test, and choosing the right pen-testing firm to meet their needs.

Having clear goals at the start is one of the more common issues encountered by companies looking to acquire a penetration test. Often, a company will simply say, "We want you to break in," and while that's certainly one of the underlying tenets of a pen test, it's more of a disservice to both sides if that's the only goal. Pen tests should have well-defined goals that will ultimately help ensure the organization is well-protected against attack, with a final report that helps provide a road map on how to become more secure by fixing found deficiencies.

Not having well-defined goals can lead to poor project scoping, resulting in a false sense of security once a pen test is complete. For example, a new Web application that has been developed in-house that allows customers to access sensitive information over the Internet might be overlooked by a less thorough pen tester focused on simply "getting in" because there are easier targets. The company receiving the report might fix the exploited vulnerability and feel safe since the issue was remediated without realizing it's still exposed to attack.

One of the questions regularly asked by a pen-testing firm to help establish the goals of a pen test is what the worst-case scenario would be if the company were to experience a security breach. Depending on who is asked, the answer can vary, but most tend to center around revenue loss through system downtime, damage to brand through website defacement or publicly disclosed data loss, and loss of competitive advantage because of stolen intellectual property and trade secrets.

Answering that question can help the company and pen-testing firm work together to better design a test that will meet the needs of the company and present clearer goals for the pen testers.

Once the goals and details of the test are laid out, companies should allocate the necessary resources during the testing period for a successful partnership during the penetration test. This is an important tip because there needs to be someone available to answer a phone at 2 a.m. if an important service is taken offline, a high-risk vulnerability is discovered in a critical asset, or evidence of an existing compromise is found.

Tests involving scenarios like insider attacks, and testing of preproduction Web applications in testing environments typically need accounts created, firewall exceptions, or VPN credentials established prior to the test.

The unfortunate truth is these things don't always get taken care of on time and can introduce delays in testing that could cause problems for both parties. Having accounts, firewall and IPS/IDA exceptions and credentials prepared before work begins, and/or personnel on-hand to easily address issues as they arise will help the pen test run smoothly.

Our last tip is one that isn't much different than the process an individual might use in finding a new general physician or dentist. When seeking a pen test, companies should check around for recommendations. There's nothing wrong with CSOs and security team members asking peers and friends for advice. Having a solid, personal recommendation will go a long way in creating a solid relationship with a pen-testing firm that can last for years.

References can also be requested from pen-testing firms of past clients. Of course, references aren't likely to be included from those who've had negative experiences, but it will help companies get a better feel for the pen testers they are considering.

Part of the recommendation and reference process should include asking for sample reports from the pen-testing firm. Companies should avoid firms whose reports look like it a vulnerability scan report with the firm's logo stamped on top. Instead, companies should look for reports written with correct audience in mind and plenty of detail about the findings and their associated risks.

Ed Skoudis, a SANS senior instructor and a founder of InGuardians, a Washington, D.C.-based information security consulting firm, provides great advice to penetration testers looking to take their reports to the next level, which can also help in finding a quality pen-testing firm. He recommends that the findings include technical details on the vulnerability and risk to the organization, along with detailed mitigation recommendations and methods to validate the finding. (See the Vol 1., No 7 issues of PenTest magazine for more tips.)

Companies looking for a penetration test can get a quality test, but they need to be ready to put the time into choosing the right firm, knowing what they want to get out of it, and working with the firm to make sure both partners are happy with the deliverables in the end.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/19/2012 | 9:39:48 PM
re: Tech Insight: Getting The Most Out Of Third-Party Pen Tests
Great article and so true I would like to add, security and regulatory compliance are not equal,-áa number of organizations are learning that data security and data compliance may not be complementary, but competing priorities. Simply assuming that achieving data compliance equates to optimal-ácyber security-ácould be a misguided philosophy and leave you open for an attacks.My 2-¬ cents GÇô @gatoMalo2
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-02
Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP11, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allows remote attackers to gain privileges via unknown vectors related to the Java Virtual Machine.

Published: 2015-07-02
IBM Java 7 R1 before SR3, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allows remote attackers to bypass "permission checks" and obtain sensitive information via vectors related to the Java Virtual Machine.

Published: 2015-07-02
Unspecified vulnerability in IBM Java 8 before SR1 allows remote attackers to cause a denial of service via unknown vectors related to SSL/TLS and the Secure Socket Extension provider.

Published: 2015-07-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Published: 2015-07-02
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report