As we know, penetration testing, fondly known as “pen testing” is one of the best ways to visualize a computer system—and more importantly, all of its flaws and weaknesses as seen through the eyes of a potential attacker. Pen testing allows users and businesses to view their own digital landscape from an threat perspective—a bird’s eye view, if you will—by launching a simulated cyber attack against a friendly computer system and looking for exploitable vulnerabilities. As a security measure, pen testing enables companies to achieve various goals like avoid financial ruin, manage risk more effectively, protect their reputations in the industry, and much more.
Through The Eyes of an Attacker
Just trying to figure out how susceptible an organization and its digital infrastructure are to breach is no easy task. Hackers can be wildly clever, after all. But given the pressing importance of the challenge, anyone hoping to use a computer in a business environment really must take it on. As a result, many security consulting companies and Big Four auditors have started offering pen testing services to their clients. This specialized approach of “friendly attack” can be a great way to evaluate the security of information systems and determine their readiness for the real virtual world.
The objective of this third-party testing is to dig around in a system to find security holes, from online applications to supporting network landscapes to physical problems at the site. Unlike a simple vulnerability assessment, which only identifies weaknesses, a pen test will go the extra distance by actively exploiting any holes and establishing a deeper sense of what works and what doesn’t.
Pen testers then report all findings with complete honesty and transparency, as well as offer some realistic suggestions for how to boost security. And herein lies the main risk involved with third party pen testing—not all providers out there are 100% trustworthy. As a result, any organization looking to hire third party testers must review some essential points and critical questions before moving forward. The best way to do this is to thoroughly analyze the risks associated with both threat and vulnerability.
Here is the process all pen testers take when assessing a system:
- Planning and reconnaissance:
Define the goal of a test.
Locate systems to be addressed.
Find proper testing methods to use. - Scanning:
Use static analysis to inspect an application’s code to assess how it behaves while running.
Use dynamic analysis to inspect an application’s code while running. This allows for more practical scanning and offers a real-time view of overall performance. - Gaining access:
Use web application attacks like SQL injection, backdoors, and cross-site scripting to uncover weaknesses. Try to exploit these vulnerabilities by escalating privileges, stealing data, intercepting traffic, and such. This will provide information about how much damage they can cause. - Maintaining exploit:
Can the vulnerability be used to achieve an advanced persistent threat to a system, long enough for a hacker to gain deeper access? Given an attacker can hang out in a system for months before being detected, this is important information to have. - Reviewing results:
Use the results of this pen testing to compile a report noting specific vulnerabilities, the data that was accessed, and the amount of time spent without detection.
The Cheap Seats
It’s really not smart to skimp on pen testing, mostly because low-quality providers provide, well… low-quality result. This means a bad pen test, which is done without expertise or care, could inadvertently reveal sensitive information or even reveal, abuse, or lose valuable data found during the scheduled pen test.
Like all services, third party pen testers range from the ultra-secure and professional to the mediocre to the downright corrupt, so it is up to the client to conduct the proper amount of due diligence when hiring such providers. And then there is the matter of cost to consider, not to mention timeliness. High-quality providers should be able to report back to clients in an accessible, non-technical way that allows all facets of management to understand the findings. And it should be done quickly.
In most cases, employee actions factor into the efficacy of overall cybersecurity, so knowledge about pen testing results does not reside only with IT and security workers. It is just as important for Bill in accounting to understand the consequences of opening a strange email as it is for Jane in security management to visualize attack vectors.
The Ultra Safe Route
The truth is, outside vendors are more likely to find vulnerabilities, one the internal team hasn’t located. Doing your own testing is a bit like reading your own writing or listening to your own voice—you lose all objectivity after a while. And in this case, it can also lead to low-performing devices, potential downtime, or even a full-on crash of the system—and that all leads to unwanted disruption in business and profit.
Here are some things to look for in a good pen tester:
- Communication: A realistic scope outlined in a formal proposal. This step ensures both parties are on the same page and working toward a shared goal. For example, when the provider comes across a vulnerability in the system, should it just be recorded or actively exploited to confirm the finding? To avoid any misunderstandings, both parties must review and practices and agree upon how they will be carried out. The provider should also provide users with a single point of contact in case of emergencies.
- Timing: Get a clear sense of when the test is happening and how it can best avoid interrupting existing services is critical to a successful relationship between client and vendor. Defining this timetable may include delays to avoid times when the company is at work, or it may seek to intentionally run the test during operative hours to create the most authentic real-life scenario. Once the schedule is set, all parties should stick to it!
- Non-Disclosure: During a pen test, sensitive information—like client data, trade secrets, and personal details—often comes to light, which means service providers should be willing to sign a non-disclosure agreement promising to respect the privacy of the company and never, ever share these findings with other entities, or worse—sell them.
- Documented methodology: All third-party providers should be able to show clients their own, well-assembled testing methodology before work begins. Further, this documentation should make use of the commonly accepted manual known as Open Source Security Testing Methodology (OSSTMM). As a professional guide dedicated to a deep understanding of operational security and the interconnectedness of people, processes, systems, and software involved.
- Insurance: All pen testing providers should have liability insurance capable of covering the price of data loss or any other revenue-damaging effect. This piece should be clearly detailed in their “Terms and Conditions” which will inform clients what to expect in the event of an unforeseen testing incident.
Of course, there are many other factors to consider when choosing a third-party provider, including overall competence, success rate, meaningful representation, positive references, and technical support. So regardless of the challenges involved with finding the right service, the benefits make the whole endeavor entirely worth it—and really, non-negotiable.