Penetration Testing: What it is, and choosing a Tester
Understanding Penetration Testing
Our pervasive reliance on technology today, including the internet, email, and mobile devices, has triggered an alarming growth of cyber-crime. Businesses, the government, and individuals are scrambling to protect their valuable assets from these cyber criminals with a limited success rate. As new protective tools and techniques become commercially available, the criminals up their game and invent new ways to break in, pillage, and destroy.
All organizations require a comprehensive security program that includes physical security, cybersecurity, and training that aligns with the objectives of the organization. This series of white papers will cover all aspects of a comprehensive security program.
What is Penetration Testing?
The penetration test is one component of the cybersecurity program. It is not the first, nor is it the largest part of the cybersecurity program; however, it is a critical component if you truly want your valuable assets to be secure. Once you have analyzed your network, understood the vulnerabilities, and implemented security controls, you are ready for the penetration test. This will determine the effectiveness of the security controls that you have implemented. With all your security controls in place and your personnel on the alert, the penetration tester attempts to break into your systems and extract the valuable information that you are attempting to protect. Penetration tests can be performed by automated tools that execute standard known attacks, but this method does not give you a real-world look at the vulnerabilities that can be exploited by a skilled human being who can think creatively and is armed with motive and determination. The real value of the penetration test is dependent on several factors:
The experience, skills, and tools of the penetration test team.
The level of effort employed in the planning stages to determine what the high-value assets are and the attack vectors to be employed, so that the appropriate resources may be applied to the maximum effect. It should be noted here that it is infeasible to test every possible combination of attack vectors, even on a small network, because the possibilities are endless.
The right balance between internal (white box) and external (black box) testing.
The ability of the penetration test team to take the results of the tests and convert them into actionable information with clear details of what the vulnerabilities really are and how to prevent the types of attacks that were effective in the test.
Choosing the right Penetration Test Team
When selecting a company or individual to perform penetration testing for your organization, there are several things you should take into consideration, but the most important element should be trust. These individuals will be gaining access to your organization's most valuable assets. If the tests are not performed properly, with adequate controls for recovery if data is lost or damaged, permanent data loss is possible. Also, once the tests are performed, the testers will know how to gain access to those assets until necessary preventative controls are put in place. You must ensure that you can trust them. “If you find yourself not trusting either the integrity or the capability of a test team, walk away.
One significant mitigation to look for is whether a company holds a security clearance with one of the U.S. government branches. If the company holds a Secret clearance (ideally Top Secret) or higher, that means that the U.S. government has already investigated and trusted the company with their secrets, so you have at least one additional data point on the validity and integrity of the company.” [i]
Another important factor is how closely they will work with you and your organization. Communication is key to understanding needs and ensuring a successful project. Clear and informative reports and a willingness on the part of the Test Team to answer questions and explain any points of confusion are important. Face-to-face meetings when necessary should be expected.
Certifications give consumers an assurance of competency in the constantly changing world of information assurance. There are multiple certifications related to penetration testing that could be considered when vetting a potential vendor. As with the industry itself, the certifications are always changing, and new certs come with varying degrees of acceptance in the industry. One of the more widely accepted certifications is CompTIA PenTest+ [ii], which is a globally recognized industry standard for Penetration Testing. Beyond the testing is the overall management of the Test Team by a certified professional. A Certified Information Systems Security Professional (CISSP) [iii] has proven that they have what it takes to effectively design, implement and manage a best-in-class cybersecurity program.
“The value you gain from a penetration test is largely dependent on your choices in who you trust as a partner, what degree of freedom you entrust them to operate within, and how they cater their reporting to your organization’s needs.” [iv]
A penetration test does not stand alone as a bastion of protection to your organization. Rather, it is an integral part of your complete risk management program. True security goes far beyond technical measures alone. Blackstone Systems, LLC can help you cultivate a culture of security mindedness within your organization that is continually improving and protecting.
[i] Eric Basu, “What Is A Penetration Test And Why Would I Need One For My Company?”, Forbes Magazine, October 2013.
[iv] Eric Basu, “What Is A Penetration Test And Why Would I Need One For My Company?”, Forbes Magazine, October 2013.