There are a few key things you need to know before you talk to a potential penetration (pen) tester. For example, you should set clear goals and think about potential outcomes. But how exactly do you do all of that? Here’s how.
How to Set Goals
Most people don’t set goals properly. When doing a pen test, you should think about more than just breaches. You want to also know how to fix any security problems you find. So, a company like Sec-Tec Ltd might come in and do a test for you, and you’ll want them to show you not just the vulnerabilities but also the fixes that are required. You also want them to help you fix the problem.
Aside from problem resolution, you want to know what will be tested and what won’t. Maybe you’re testing an application but not your entire network. Do the testers know this? Can they accommodate your needs? Not all service providers can or will.
How To Avoid Miscommunication and Catastrophic Systems Failure
Every service provider should have strong communication skills. Unfortunately, it’s not something the IT industry is famous for. Ideally, your testers should be able to bounce back and forth between highly technical discussions and high-level concepts or principles. They should also be able to relay information in “layman’s terms,” making good use of metaphors and analogies to help non-technical staff members understand the problems and solutions being presented.
You could have some of your management team “ride along” with the pen tester and ask questions frequently. You want to know exactly what the tester is doing at all times. When the tester is attacking the server, someone within your organization should be communicating with the tester so that he or she knows what’s happening.
This is also good for progress reporting throughout the day, and it can help you determine where to allocate your resources if, for instance, your network will be shut down for a majority of the day.
Avoiding The Secret Sauce
Some consultants have a “Wizard of Oz” approach to testing. In other words, they tell you all about their service in somewhat vague terms, then do the testing without really showing you what they’re doing, and finally they report results to you.
But disappearing behind a “black curtain” is rarely a good idea, for any number of reasons. First, if the tester is using proprietary technology, the process is not going to be transparent. No one within your organization will be able to know whether the test carried out has any relevance or applicability to your organization.
There’s no way for another company to come in and validate the results either. Your testers should have intimate knowledge of enterprise development frameworks, networking protocols, MITM and ARP spoofing, multi-platform system administration, password management, database systems, various scripting languages, and other security toolsets.
All of their knowledge should be industry-standard, and they should conform to third-party, independent testing standards.
Reputation Of Your Service Provider
Hiring a pen tester might feel like you’re doing something very dangerous. In a way, you are. These people are breaking your security and exposing your company’s vulnerabilities. This is why reputation is everything in this business. All testers should have passed rigorous background checks, and have passed aptitude tests that show the individual is honest and unlikely to compromise your network for nefarious reasons.
Your testing company should be well-known, have spoken at industry conferences, and be well-regarded by other companies in the industry.
Richard Baker works as part of a corporate IT team and likes the chance to share his insights and ideas on cyber-security and related issues online. He is a regular writer for a variety of IT and computer industry websites.