More than ever, Penetration Testing is essential for companies to assess their cyber security defences. As a critical part of an ongoing cyber readiness programme, you should periodically review your existing suppliers to keep your testing strategies fresh and ensure you achieve the best value and outcomes.
When evaluating or comparing potential suppliers, it is essential to ask the right questions to ensure a good fit for your business requirements. The Pen Tester must hold the necessary certifications and be experienced in the type of testing you’re after, so that you can be confident you will receive the quality of service you demand.
Among other things, we highly recommend ensuring that your Pen Testing provider is CREST-approved. While there are other recognised bodies, CREST is the gold standard—a specialist organisation that regulates the security industry, helping to guarantee adherence to industry-standard best practices, and offering an enforceable Code of Conduct should anything go awry.
CREST certification means that you can be confident that your Pen Testing will conform to rigorous methodologies and up-to-date techniques. At the same time, operational safety will be given the highest priority.
Whilst CREST is the main certification to look for, there are other specialist certifications worth asking about, particularly if you operate in financial services or Critical National Infrastructure (CNI), or in other regulated sectors.
When discussing certifications, also remember to ask whether the provider holds ISO 27001 certification—the essential standard for information security. You’ll want to ensure that the company you engage with will keep your sensitive data safe.
Broadly, the engagement process is guided by the requirements set forth by CREST, but it will vary among providers.
There is no ‘one-size-fits-all’ approach, specifically because every business has different infrastructures, challenges, and objectives. However, a competent specialist should be able to explain the different types of Penetration Tests and various hacking strategies, their purposes, and how they align with your objectives.
Some Pen Testing companies use incorrect terminology and misrepresent the service actually provided: although it is described as a “Penetration Test,” the customer receives a vulnerability scan, an automated tool that checks their IT infrastructure for “known” technical vulnerabilities.
What’s the Difference Between a Vulnerability Scan and a Pen Test?
Finally, it’s worth asking about the supplier and the Pen Tester’s experience. Who’s your point of contact? Can you find out the relevant knowledge of your designated Pen Tester? Are they a good fit for your organisation? Will you deal directly with the Pen Tester, via a client account manager, or both?
Even if you have a detailed understanding of Pen Testing, you should still expect information to be communicated in plain English, rather than tech talk.
Be sure to request a sample Pen Test report, and as you review it, consider what you would like to see in a final report. Who will be consuming it? What’s their level of IT literacy? Look for clear and actionable advice for each identified vulnerability.
Importantly, risk-based scoring should be used for each identified vulnerability, using a standardised scoring system—usually the Common Vulnerability Scoring System (CVSS), an open-source industry standard for assessing the severity of security vulnerabilities.
CVSS assigns vulnerabilities a severity score so that you can prioritise responses (and resources) according to the threat.
You should also expect the report to be delivered in a clear, easy-to-read format suitable for both technical staff and senior management.
The Penetration Test is highly likely to uncover critical security vulnerabilities within your organisation’s environment, and the accompanying report will document, step by step, how they were exploited. Request details on how this confidential data will be kept secure and what steps are taken to ensure its safekeeping. Consider how you want the report delivered and what the company recommends.
A CREST-certified Pen Testing provider must adhere to strict security controls regarding the communication of sensitive information, including how it is stored (encrypted) and delivered to the client (in person or hard copy format).
A detailed Statement of Work (SOW) for the actual test must document all of these details, so ask to see their documentation!
Suppliers range from offering broad advice, through expert assistance with any corrective action required, to full remediation services. Whilst some providers feel this may be a conflict of interest, many will offer at least some assistance with remediation. It may be seen as self-serving, but on the other hand, continuity, a trusted relationship, and full service are valued by many customers.
Ask for references. A successful and reputable company will have numerous satisfied customers to vouch for its services, even if those customers are naturally unable to disclose the type of work carried out for them. You’ll get a good idea of the customer experience and be better informed when making a decision.
You should also ask about the profile, experience, and qualifications of the individual Penetration Tester who will be assigned to your project.