You know that penetration testing is an important part of ensuring the security of your organization, allowing you to protect vital customer information and to secure your systems from attackers. Choosing the right penetration tester, therefore, is of critical importance. You want a penetration tester who will uncover critical vulnerabilities in your system and provide you with the information you need to increase your overall security.
Here are 5 key questions to ask your penetration testing provider:
1. Which certifications are held by your specialists?
There are many security certifications available for penetration testers. CEH (Certified Ethical Hacker) Accreditation, CISSP (Certified Information Systems Security Professional), CSSP (Certified Cloud Security Professional), OSCP (Offensive Security Certified Professional), LPT (Licensed Penetration Tester) and more: the list of acronyms can quickly grow overwhelming. Before choosing your penetration testign service provider, however, you should develop a reasonable idea of what certifications they hold. This will give you a better idea of what expertise is available in the office as well as what standards are expected of the company as a whole. You may also want to ask who will be conducting your test and what certifications are held, for example, by junior members of the team.
2. Which penetration testing methodologies do you leverage?
When you use a penetration testing service provider, you want to be sure that they’re going to put genuine effort and attention into the test. Ask about testing methodology, including such elements as OSSTM and OWASP. Chances are, you’re going to hear a lot of tech-speak, much of it incomprehensible unless you happen to have your own security experience. However, you want to know several key things:
- The company does have a plan in place for approaching your penetration test. They don’t come at it randomly; instead, they have a well-thought-out plan that allows them to effectively and methodically move through your systems as they seek out vulnerabilities. You also want to know that the penetration testing service provider will not mistakenly bring your system crashing down because they’ve run their scans with the highest settings enabled or included dangerous tools.
- The company uses a balance between tools and manual methods. If the company uses a tool alone, you’re paying out the nose for a test that you could have done on your own with a little bit of software–and chances are, they’re missing some of the key vulnerabilities that a hacker determined to get into your business would find.
- The company will approach both software challenges and potential vulnerabilities within your company as a whole. Depending on the type of test you’ve paid for, this may include your company’s most vulnerable element: your employees. This may include phone calls, emails, or even a simple social media scan of posts made by the company.
You also want to understand how the company approaches penetration testing as a whole. They might, for example, use the OSSTMM (Open Source Security Testing Methodology Manual) method: a peer-reviewed security journal that provides best practices for security companies. They might choose to use OWASP (the Open Web Application Security Project) to seek information gathered by security professionals around the world. PTES, or penetration testing execution standard, gives a specific set of standards to help penetration testers produce better results–and increase the odds that they will have the same results regardless of who conducts testing for your organization.
3. Is your test automated or manual?
While you want an approach to penetration testing that includes both manual methods and tools, most penetration testers use a variety of tools to help them identify potential vulnerabilities in your security. Automated tools are one of the most important elements to any pen test, and are usually used in the beginning to hep identify potential vulnerabilities. Testers don’t have to do everything by hand to get highly effective results–and in fact, those tests can help find many vulnerabilities the same way a hacker would go after them. Look for a penetration testing company that has an established repertoire of tools that they use to begin the initial stages of a penetration test–but who then turn to manual methods to finish their tests.
4. Which types of penetration tests are you well-versed in?
A high-quality penetration test will offer a wide range of information for your company. You want to know that your tester is covering the important details that will help you protect your company, so look for a company that has the types of penetration tests you’re most interested in. This might include:
- Network penetration tests, which test the functionality of your network and uncover any potential vulnerabilities within the network itself.
- Web application penetration tests, which ensure that your website and web applications are not vulnerable to cyberattacks and exploitations.
- Cloud penetration tests, which will take a look at the security of your cloud provider and ensure that there is no potential access to the database.
- Wireless network testing: Is your wireless network secure? Are there devices on your network that could allow access to your systems? Through wireless network testing, you can get a better idea of the security of your wireless network as a whole.
- Industrial / SCADA / ICS Penetration Tests will take a look at the security of the production chain, ensuring that the entire line is protected.
5. Will your tests impact our usual operations?
Penetration tests, in spite of their necessity, are still an attack on your system. In many cases, penetration tests can slow functionality of your system throughout the test or even, in the case of extreme vulnerabilities, bring your systems crashing down. You want to work with a penetration testing provider that understands the potential hazards to your company and will work with you to ensure that you can continue business throughout the test. You may also want to take this opportunity to advise your penetration tester about any legacy systems still in use within your company or sensitive areas that could disrupt your business. The elements covered by the tests can vary widely based on the project and the scope you’d like to focus on. By clearly discussing these elements of the test, you can better ensure that you know what to expect and that you are able to keep your business running smoothly throughout the testing process.
6. Do you outsource your projects?
When you work with a penetration testing company, you want to know who you’re working with. Ideally, you want a penetration testing company that does the work themselves, rather than outsourcing it to contractors. While contractors can be a valuable addition to any business, you don’t necessarily want them taking on the work of your pen test.
7. What does your report cover?
In your penetration testing report, you want to be sure you get all the information you need to close any vulnerabilities in your company’s security. You want a basic overview of the vulnerabilities that you can check out quickly as well as a more in-depth report that describes the extent of the vulnerability and how it could impact your company. A solid report also includes a risk assessment score that will give you a better idea of how dangerous those vulnerabilities could be and an action plan that will enable you to fix those vulnerabilities and protect your company and your customers.
8. Do you have an internal security policy?
You want your penetration testing company to have a strong focus on internal security. After all, they will have access to your private data. The last thing you want is for your penetration testing company to suffer a breach of their own, leaving your vulnerabilities more exposed to a potential hacker. You also want to know that members of the penetration testing team have undergone background checks or otherwise have high-security clearances since they will have access to secure data within your systems during the test.
9. Do you perform background checks?
You don’t want a penetration tester with multiple charges against them dealing with your sensitive data. Look for a penetration testing company that carefully screens the new members of their team before hiring.
10. Will you help me fix my vulnerabilities?
In addition to finding vulnerabilities, you want a penetration testing company that will help you achieve your security goals–that is, fixing those vulnerabilities and closing holes in your security. As you’re looking for a penetration tester, be sure to ask how they will help handle fixing your vulnerabilities, whether through advice or through the services they provide. Many security providers, especially as security companies make the move to larger companies, do not offer just penetration testing services. They will also handle part of the remediation, providing some of the security solutions that will help protect your business. This all-in-one solution can make it easier to protect your business.
When you’re ready to hire a penetration tester, make sure you’re asking the right questions. By including these ten questions as part of your screening process, you can increase the odds that you will find the right provider for your company.