Buyers Guide to Penetration Testing Services | CyberOne

Written by Mark Terry | May 16, 2019 11:30:00 PM

Unquestionably, the Internet is a wonderful thing – it has opened up business links across the globe and given consumers competitive choice. However, now that you can buy products or services from anyone, anywhere, how do you know what you’re buying – and from whom?

This also applies to the field of cyber security. There are many different types of penetration tests and many providers, employing many more security engineers, each with a different skill set and experience.

So, it can be hard to know what to look for and how to compare different providers.

In this article, we’re going to talk you through some key things to look for when buying or comparing penetration testing services – to make sure you make the right informed choices.

What Credentials Should You Look For?

This is one of the most common questions we get asked and we suggest ISO27001 and CREST certification as the bare minimum.

ISO27001

ISO 27001 certification means the organisation has been independently audited and its information security management procedures conform to the standard published by the International Organisation for Standardisation. Since its publication in 2013, it’s become a requirement for anyone bidding for public sector contracts and is enjoying widespread uptake in the private sector.

CREST

CREST certification, by contrast, is much more specialist and is held by both individuals and organisations that provide Penetration Testing, cyber incident response, threat intelligence, and Security Operations Centre (SOC) services.

By looking for a CREST-approved provider, you’ll be safe in the knowledge that they subscribe to the latest industry best practices. You’ll also have the backup of an enforceable Code of Conduct should anything go wrong.

Take a Look at Key Methodologies

Once you’ve identified potential suppliers, ask them questions about their Penetration Testing methodologies.

The definition of Penetration Testing can vary widely between providers. Some will use qualified, experienced professionals applying an array of up-to-date manual techniques to test your cyber defences. At the other end of the scale, a provider might rely largely on automated tooling, such as a vulnerability scan, and call the result a penetration test.

Understand Their Security Precautions

This is very important because the completed penetration test report and any working notes will document exactly how each successful compromise was achieved. It is essentially a well-labelled treasure map guiding would-be attackers to your most valuable assets, so ask how the provider stores and protects that material, and for how long.

Ask how the report will be delivered, and in what format. Best practice is to hand deliver a hard copy of the report, to restrict potential access to digital copies.

What Does Their Sample Report Look Like?

Is It Easy to Understand?

Each vulnerability or exploit on the report should be risk-scored using a standardised framework, such as the Common Vulnerability Scoring System (CVSS). It should also contain a high-level, non-technical summary that is easily relatable to your organisation’s unique nature.

Remember, exposing security vulnerabilities is a good thing. It allows you to close the biggest security gaps, demonstrates diligence – and can help secure security budget allocation. So including a non-technical summary is highly desirable.

Look at how they handle remediation. It should be clear and actionable, with next steps outlined for each vulnerability uncovered.

The report should strike a balance between being easy to read for non-technical senior leadership and containing the necessary technical information for use within your IT department.

Have They Listened to Your Needs?

Make sure that the provider has taken the time to listen to what you want to get out of the test.

Very rarely do organisations commission penetration testing without knowing what they need. It might be that you’re launching a new website or web app, your IT infrastructure has changed recently, or your business has made a recent acquisition. You certainly wouldn’t want to compromise your existing perimeter defences if you plan to integrate a new network.

Testimonials

Look for detailed testimonials, and if you’re still unsure, ask to speak to a previous client.

Most companies would be glad to let you speak with a happy customer to discuss their experiences and give you additional reassurance. If you’re using industry-specific systems and software, does the organisation you’re looking at have prior experience working within those industries?

Have You Worked With Them Before?

It is best practice to periodically rotate your pen testing providers, or at least to ensure a different pen tester within the same organisation carries out each engagement. Individual penetration testers have different skills and strengths, and can also become stale once they already know the intricacies of the infrastructure. New exploits, techniques, and tools appear constantly, so pen testers must work hard to stay current.

Can They Offer Remediation Services Too?

This one is more of a personal preference. Some organisations will tell you how they breached your system and then also offer consultancy services to fix the holes in your security, and others will stop at outlining how they did it. From a buyer’s perspective, some prefer to continue using a trusted supplier to provide security remediation services, and others would rather contract a third party.

The theory behind the third-party option is that if the same company manages your security and conducts your pen testing, it can be a little like marking your own homework. There can sometimes be a degree of self-interest, but not always.

So There You Have It!

Eight points to consider when you’re looking to procure Penetration Testing services. Given that Penetration Testing forms such a vital part of an ongoing vulnerability management strategy, you must be confident that it’ll uncover the most critical vulnerabilities lurking within your organisation’s environment.