Top 10 Considerations for Choosing a Penetration Testing Vendor

55% OF ALL SMALL AND MID-SIZED BUSINESSES HAVE SUFFERED A CYBERATTACK

Photo by alexsl/iStock / Getty Images

How secure is your network? When is the last time you tested your cybersecurity defenses? $38K is the average cost for a small business to overcome a data breach—why not take steps now to protect your systems, your employees, and your clients from a cyberattack? You cannot fix what you do not know. A penetration test strengthens your defenses by revealing your weaknesses and recommending prioritized fix actions.

This article contains ten items you should consider when selecting an organization to perform a penetration test against your environment.

1. Use Certified and Experienced Personnel

The penetration testing team should have appropriate penetration testing credentials, such as the EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (LPT), Offensive Security Certified Professional (OSCP), or Certified Ethical Hacker (CEH). The team should also have penetration experience with multiple industries and different environments. Penetration testing can be like paying someone to set your house on fire to see if your sprinkler system puts the fire out. What happens if the sprinkler system fails and you cannot put the fire out? Can the penetration testing team stop the fire or "turn it off"? Make sure the penetration testing team has experience and knows what they are doing.

2. Deliver Clear Reports with Risk-Based Prioritized Recommendations

Reports should be easy to understand and include summary data for executives and detailed data for technical personnel. The penetration test report should contain a prioritized risk-based list of findings with detailed step-by-step recommendations. Any steps taken to exploit systems should include screenshots, where applicable. Your team should be able to reproduce the findings, given the steps in the report. The vendor should be able to provide sample, redacted reports. If you can't understand the report or take action on the findings, what's the point of the penetration test?

3. Perform Both Manual and Automated Testing

Automated tools do not detect all vulnerabilities and are prone to false positives. Manual methods must be used as part of the penetration test to fill in gaps left by the automated tools, eliminate false positives, and ensure test completeness. Both manual and automated methods should be used for every penetration test. Many penetration testing organizations run automated tools, such as an automated Vulnerability Scanning tool, then try to pass those results off as a penetration test. A penetration test should involve many tools and many manual techniques.

4. Follow a Documented Process

A well-defined documented process should be followed before, during, and after the penetration test engagement. Documented processes ensure completeness, accuracy, and test repeatability. The documented process is also often referred to as a penetration testing methodology. A methodology is often very high-level though and should include detailed steps.

5. Use a Rules of Engagement (ROE) Document for Clear Expectations

Rules of Engagement are designed to ensure everyone is "on the same page" and there are no surprises during the test. The ROE ensures clarity on test expectations by documenting agreed upon test parameters, such as times for the test, escalation procedures, targets in scope, targets out of scope, and limitations. The ROE document should be signed by you and the penetration testing vendor. It removes ambiguity from the test.

6. Communicate Clearly and Frequently

Routine communications during the penetration test should include when penetration testing begins and ends, what is being tested, whether any critical findings were discovered, any problems, etc. The communication frequency and medium should follow the agreed upon terms in the ROE. Clear communications is vital during the penetration test.

7. Demonstrate Professionalism and Respect

This should be an obvious one, but it is important to emphasize. The penetration testing team should remember the focus of the test is to help you secure your environment; not provide an environment for them to practice skills or try out new exploits. Continuing exploitation beyond what is necessary is bad practice. The vendor should be able to provide references from previous clients.

8. Identify and Eliminates False Positives

A false positive is when the penetration testing team tells you there is a vulnerability or a problem when there really isn't one. The penetration testing team should make every effort to eliminate false positives and label questionable findings. This is why manual analysis is critical. A report riddled with false positives wastes your time.

9. Offer "Retest" Options

Once you fix the penetration test report findings, it is critical to validate your remediation steps actually took care of the problem. Many organizations have taken steps to fix problems identified by penetration testers, but never validated the steps worked. The penetration testing team should offer an option to rerun the test after you remediate findings.  The last thing you want is to pay for a penetration test, take time fixing items, and then be hacked later on because you did not validate your fix actions.

10. Protect Your Data During and After the Test

The penetration testing team should follow a documented process to ensure your data remains secure. Penetration test reports often contain identified vulnerabilities, steps to exploit the vulnerabilities, cracked passwords, and other sensitive information. Reports should be labeled appropriately, handled with care, and distributed only to authorized personnel.

A single page PDF of this article can be found HERE.

If you have any questions or comments, please feel free to comment below or contact us.