Penetration testing is a core tool for analysing the security of IT systems. Done well, it can tell you where your vulnerabilities lie, how well your existing protocols are working and what more needs to be done to lower your risk levels.
But it is not a one-size-fits-all solution – and as such, it requires proper commissioning.
This article will help you identify the most important considerations when writing a brief and the limitations of this type of cyber assessment.
It’s also important to acknowledge that penetration test results are just snapshots in time. The threat landscape constantly evolves, so what is working today won’t necessarily prevent an attack this time next year.
That’s why regular pen testing is recommended – and why getting the briefing process down to a fine art will be of long-term benefit.
Creating a Brief for a Penetration Test
Nobody knows your business quite like you do – and that’s important when you’re creating your pen testing brief. You know your system. You know your assets. You know what makes you a target.
This information, together with some insight as to why you are running the test, will be helpful for the testers and should be defined in the brief.
Think about the Scope
The penetration test scope defines the parameters of what is being tested. For example...
- Do you want your testers to assess the human element of your cyber security?
- Can employees be lured by phishing emails?
- Is everyone keeping their passwords safe?
- Has someone propped the back door open? And so on.
Or would you prefer to leave that out of the equation and stick to testing the network?
Set Objectives
What do you expect the pen test to deliver? Setting your objectives from the outset means you won’t be disappointed with the result. Need to prove regulatory compliance? Say so. Are you testing the defences in your IT department? Make that clear. Want a road map for future security planning? Ask for it.
Set Appropriate Budgets
By defining the scope and your objectives, you will help your testers create a quote. However, you still need to allocate the appropriate budget to the project while considering the scale and complexity of your requirements.
Determine the Right Type of Test
Four main groups of penetration tests exist: external network, internal network, web application and social engineering. Read up on what all this means here. The type you are drawn to will likely depend on your main areas of concern (perhaps your online app, or your employees).
A good pen tester will not be limited by the type of test you choose, but will use a mix of techniques to deliver a test that is tailored to your scope and objectives.
Trust your Testers
Penetration testing is just hacking for good instead of evil, so make sure you choose the right testers. We’ve written an article about what penetration testing certifications you should insist on, and we recommend you read it before proceeding with the project.
There are several different schemes designed to give you peace of mind. Some are even designed for specific industries.
Ask for References
Even if a company is certified, it doesn’t necessarily mean they are right for you. Ask for references and speak to the tester’s customers about their experience before choosing your service provider.
Be Prepared
The penetration test itself could impact ‘business as usual’. Define protocols for a service disruption, just in case. Carry out a full system backup before the test begins and allocate the appropriate personnel and technical resources for the duration of the test.
Limitations
Before going ahead with the test, remember that any penetration test has four main limitations.
- Penetration Testing Isn’t Magic – it doesn’t guarantee that you’re 100% secure.
- Tests Are Time-Limited – both your system and the threat landscape are dynamic, so the test can only provide a snapshot in time.
- Anything Not Included In The Scope Is Unseen – it’s unlikely that you would want to ‘hack everything’.
- Humans Are A Weak Link – the human element (social engineering) is as important as technical infrastructure.