12/5/2011 12:25 PM
Tech Insight: Getting The Most Out Of Third-Party Pen Tests

Tips companies can follow to be sure they get a pen test that meets their needs

Penetration testing has become a regular expense for organizations of all sizes. The common problem is that pen-testing services are not one-size-fits-all, and companies seeking them don't always know what to look for. For example, do they want a pen test or a vulnerability assessment -- and do they know the difference?

Because the reasons for procuring a test vary greatly, a company should first be clear about why it wants one; that makes it easier to know what to ask for. Sometimes the reason is that the company wants to validate the effectiveness of its security program. Often, the test is being done to check a box.

No matter the impetus, a company shouldn’t settle for a shoddy pen test (e.g., a vulnerability scanner report passed off as a pen tester's final report). There are a few tips that companies can follow to ensure they get what they want and expect from a pen test. These tips include understanding and having well-defined goals for the test, allocating necessary resources (e.g., IT support, test accounts) for the test, and choosing the right pen-testing firm to meet their needs.

A lack of clear goals at the start is one of the more common issues encountered by companies looking to acquire a penetration test. Often, a company will simply say, "We want you to break in," and while that's certainly one of the underlying tenets of a pen test, it's a disservice to both sides if that's the only goal. Pen tests should have well-defined goals that ultimately help ensure the organization is well-protected against attack, with a final report that provides a road map for becoming more secure by fixing the deficiencies found.

Not having well-defined goals can lead to poor project scoping, resulting in a false sense of security once a pen test is complete. For example, a new Web application developed in-house that allows customers to access sensitive information over the Internet might be overlooked by a less thorough pen tester focused on simply "getting in," because there are easier targets. The company receiving the report might fix the exploited vulnerability and feel safe because the issue was remediated, without realizing the application is still exposed to attack.

One of the questions regularly asked by a pen-testing firm to help establish the goals of a pen test is what the worst-case scenario would be if the company were to experience a security breach. Depending on who is asked, the answer can vary, but most tend to center around revenue loss through system downtime, damage to brand through website defacement or publicly disclosed data loss, and loss of competitive advantage because of stolen intellectual property and trade secrets.

Answering that question can help the company and pen-testing firm work together to better design a test that will meet the needs of the company and present clearer goals for the pen testers.

Once the goals and details of the test are laid out, companies should allocate the necessary resources during the testing period for a successful partnership during the penetration test. This is an important tip because there needs to be someone available to answer a phone at 2 a.m. if an important service is taken offline, a high-risk vulnerability is discovered in a critical asset, or evidence of an existing compromise is found.

Tests involving scenarios such as insider attacks, or testing of preproduction Web applications in test environments, typically need accounts created, firewall exceptions made, or VPN credentials established prior to the test.

The unfortunate truth is that these things don't always get taken care of on time, and they can introduce delays in testing that cause problems for both parties. Having accounts, firewall and IPS/IDS exceptions, and credentials prepared before work begins, and/or personnel on hand to address issues as they arise, will help the pen test run smoothly.

Our last tip isn't much different from the process an individual might use in finding a new general physician or dentist. When seeking a pen test, companies should check around for recommendations. There's nothing wrong with CSOs and security team members asking peers and friends for advice. A solid personal recommendation will go a long way toward creating a solid relationship with a pen-testing firm that can last for years.

Companies can also ask pen-testing firms for references from past clients. Of course, a firm isn't likely to offer references from clients who've had negative experiences, but references will still help companies get a better feel for the pen testers they are considering.

Part of the recommendation and reference process should include asking the pen-testing firm for sample reports. Companies should avoid firms whose reports look like a vulnerability scan report with the firm's logo stamped on top. Instead, companies should look for reports written with the correct audience in mind and with plenty of detail about the findings and their associated risks.

Ed Skoudis, a SANS senior instructor and a founder of InGuardians, a Washington, D.C.-based information security consulting firm, provides great advice to penetration testers looking to take their reports to the next level, and that advice can also help in finding a quality pen-testing firm. He recommends that each finding include technical details on the vulnerability and the risk to the organization, along with detailed mitigation recommendations and methods to validate the finding. (See the Vol. 1, No. 7 issue of PenTest magazine for more tips.)

Companies looking for a penetration test can get a quality test, but they need to be ready to put the time into choosing the right firm, knowing what they want to get out of it, and working with the firm to make sure both partners are happy with the deliverables in the end.

Comments

gAtOmAlO (User Rank: Apprentice), 1/19/2012, 9:39:48 PM
re: Tech Insight: Getting The Most Out Of Third-Party Pen Tests
Great article and so true. I would like to add: security and regulatory compliance are not equal. A number of organizations are learning that data security and data compliance may not be complementary, but competing priorities. Simply assuming that achieving data compliance equates to optimal cyber security could be a misguided philosophy and leave you open to attacks. My 2¢ – @gatoMalo2
http://USCyberLabs.com/blog/