Penetration testing is a security best practice for testing defenses and uncovering weaknesses in your infrastructure and applications, as well as a practice required by compliance standards such as PCI DSS. A penetration test doesn't stop at simply uncovering vulnerabilities: it goes the next step to actively exploit those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organization's IT assets, data, and users. In a recent webcast, Jane Man, Wim Remes, and Matt Rider explored the 7 Questions to Ask Your Penetration Testing Vendor before choosing the one that will perform this important task and help you answer the question 'What is the real-world effectiveness of my existing security controls against a skilled, human attacker?'. So how do you tell the good penetration testing vendors from the not so good? Read on to find out the top 3 takeaways from this broadcast:
1) The Human Element is Essential -- Many scanners are great for identifying vulnerabilities, but penetration tests put the human x-factor into the mix to mimic the attacker mindset when looking at your network. Automated tools make these tests more efficient, but the tester will do manual work involving custom tools, scripts, exploits, etc. to get to parts of the infrastructure that may be otherwise overlooked or not examined too closely. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to the unique nature of the human mind, which can think laterally and outside of the box, can both analyze and synthesize, and is armed with motive and determination. So finding penetration testers with great experience and skill sets will be the most effective way to understand how well your organization is really set up to withstand attacks.
2) You Can't Be Too Thorough -- Bearing in mind that time is money, it's almost impossible to over-research your potential penetration testing vendors before choosing one. Ask each of them for in-depth details on methodologies and tools used in the field, as well as examples of past reports, penetration tester resumes, and references from organizations they've worked with in the past with similar scope or industry to yours. Make the vendors' penetration testers prove they can think outside the box and blend creativity and technical skills to simulate a realistic attack and uncover all of your infrastructure's critical weaknesses.
3) Be Prepared to Remediate -- Before choosing a vendor, be sure to discuss whether or not, and to what extent, recommendations will be made in the report. Don't assume that a pen test report will include detailed recommendations about how to mitigate or remediate every finding. Ask for a sanitized example of a report and review the recommendations. Are they written in a way that is actionable by your staff after the engagement? The purpose of a pen test is to find weaknesses and resolve them, and the vendor should help you prioritize and be able to collaborate with you on the risk framework to ensure it takes into account your organization's unique needs. Make sure everyone from your board through to your security team is ready to provide skills and manpower to support remediation of the findings, as well as budget for any new software, services, or training needed.
To hear the 7 questions you should be asking each potential penetration testing vendor, and why, view the on-demand webcast now.