Penetration tests are considered one of the best returns on investment for a security program because they provide verified, immediate, and actionable data to better secure your environment.
Not only are pen tests a valuable investment, but they are also a common step in building a strong security program. Many organizations need a penetration test at least once a year for regulatory compliance, while other organizations may seek a penetration test to demonstrate to their clients and partners that they have robust security measures in place.
Whatever your need, there is a myriad of providers and options on the market. Where do you start? Many providers offer solutions labeled “penetration testing”, but how do you find high-quality penetration test services from skilled professionals? Here are some tips from our cybersecurity experts.
Know the Difference: Vulnerability Assessment vs Penetration Test
A vulnerability assessment is a scan that produces a detailed list of vulnerabilities discovered by the scanner with a synopsis of the results, usually including recommendations for how to address these found weaknesses. A “findings review” call may be included, depending on the level of service offered by the provider.
A vulnerability assessment is not a penetration test. It is an automated scan for vulnerabilities in either external/internal networks or endpoints that does not validate the vulnerabilities, nor does it provide an in-depth review of the potential impact or likelihood of exploitation of those vulnerabilities should an attacker act on them.
At most, a vulnerability assessment will provide you with a ‘point-in-time’ snapshot of what is vulnerable on your endpoints and in your network(s). It does not try to exploit or gain access to sensitive information; it simply reports back the common vulnerabilities & exposures (CVEs) based on the scan’s discoveries.
This is not to say that vulnerability scanning is not a valuable tool. In fact, it is a great starting point for identifying what is open, exposed, or vulnerable in your environment and what remediations can increase your security. When seeking a penetration test, however, there is more that can and should be done beyond an entry-level scan.
A penetration test goes beyond a vulnerability assessment scan’s discovery and attempts to execute attacks on vulnerabilities found within the environment. This process is called exploitation. Exploitation can simulate a real attack from either an internal or external perspective, and it can be executed on a broad range of network and business assets.
When it comes to what vulnerabilities are considered for exploitation and how the exploitation is done, this is dependent on each business’ desired outcome – do they want internal and external testing, social engineering, web applications and wireless networks included? These are a few of the many questions that inform the scope and methodology of a penetration test.
The client’s commitment to compliance, or their desired level of reporting to third parties, is usually the primary factor driving the scope and design of the penetration test. Validating the successful remediation of security vulnerabilities, whether found through automated scanning or professional risk assessments, is also a common reason to perform a penetration test.
Penetration Tests come in a broad range of exploitation methodologies and scope options, as detailed below, so it is important to seek a service provider that matches your organization’s needs.
Understand the Types of Penetration Testing.
Penetration test providers vary – some specialize, some cover a large swath of the options available, and some only offer the basic testing methods like internal and external testing. It’s important to have an idea of what type of penetration test is best suited for your organization when seeking a provider.
- Internal Testing: This is a penetration test of the internal network environment, exploring the risk of lateral movement, exploitation, and data exposure if an attacker had gained access to the network.
- External Testing: This is a penetration test of external or public-facing servers and network devices such as firewalls, often used to demonstrate how successful an attacker might be at “breaking through” external security defenses.
- Cloud Penetration Testing: This is a penetration test specifically targeted at cloud-based environments such as Azure, AWS, or Google Cloud.
- ICS Penetration Testing: This is a penetration test of Industrial Control Systems like SCADA (Supervisory control and data acquisition) and PLCs (Programmable Logic Controllers)
- Mobile App Penetration Testing: This is a penetration test of Android or iOS applications.
- Web App Penetration Testing: This is a penetration test of web-based applications, either on hardware servers or in cloud services like Azure, AWS, or Google Cloud.
Identify the qualities of a good penetration test.
Now here is the bit you have been waiting for: how to ensure a quality penetration test? It starts with you. Providing details and being responsive to the salesperson, project manager, and pen tester throughout the stages of your engagement helps maximize the return on investment for your organization. Here are some qualities to look for when seeking a pen test provider, as well as some tips to ensure the success of your engagement regardless of the provider you choose.
Consider the certifications of the security engineers when choosing a penetration testing partner. You can ask what certifications the penetration testers hold, or what framework is used to conduct penetration tests. These are good starting questions to understand whether an organization is suited to provide the type of testing you are looking for.
While the value of certifications can be contested in the cybersecurity industry – with some industry experts and leaders in the community holding no certifications themselves despite their advanced knowledge and expertise – there are some great certifications to look out for when vetting service providers. These may include:
- Certified Ethical Hacker (CEH)
- CompTIA PenTest+
- GIAC Penetration Tester (GPEN)
- Offensive Security Certified Professional (OSCP)
- and more!
The ideal service provider for a quality pen test will demonstrate a commitment to balancing real-world experience with valuable industry certifications and training within their team of experts.
A good penetration testing company will properly scope the engagement by asking you what goals you expect to achieve and what your organization is looking to solve with a penetration test.
Being accurate about your testing environment will help the testing company align the best possible resources for the engagement. You will likely need to provide a list of IP (Internet Protocol) addresses or URLs (in the case of web application testing) to be tested. Review the information your provider requests and fill it out with the most current information you have to ensure accurate and effective testing.
Rules of Engagement (RoE)
An important document for both your organization and the tester is the “Rules of Engagement”. This document defines what is allowed and not allowed in the penetration test.
In this stage, rules will be set regarding allowing (or disallowing) actions like brute forcing, pivoting, writing to disk, or forms of social engineering. Note that depending on your service package, there may be add-on charges if you want on-site or other social engineering methodologies added.
The rules of engagement also define what networks, assets, or URLs are within scope and what is out of scope. For example, if you have an asset you do not want included in the testing but is on the same subnet of assets you are having tested, you would define that restriction in the scope and RoE.
Our top recommendation is to ask questions if you do not understand what options are available or what is included in your testing.
Ask your service provider about the reporting provided with their penetration test engagements. In all pen tests, the client should receive a compiled report of test results after the engagement is completed. Depending on the length of the engagement, it may take a week or more to produce after the active testing phase is done. Report formats will vary by company, but most will provide a sample or redacted report if you request one.
Another option to inquire about is a report review call. This is a valuable service that empowers you to pose questions to the tester, ask for details about the vulnerabilities found (such as the likelihood of exploitation and impact), and inquire about remediation information. If the testing did result in a successful exploit, ask questions on how it was accomplished, including how the vulnerabilities were exploited. These post-engagement conversations are a valuable resource to move beyond the written report and gain a deeper understanding of your security risk.
First, be attentive to what is and is not included in the penetration test and what is required from you to help facilitate the testing.
After the rules of engagement and the scanning authorizations have been signed and the project is prepared, be engaged in your project kickoff or pre-engagement call. This gives you, the project manager, and the tester a chance to converse about the test and clarify any questions you or the tester may have before things begin.
An important mindset note is to not treat the testing as “us vs. them.” Do not try to beat the tester by creating new obstacles or hardening your environment beyond the established security you regularly had in place. The tester’s job, and the purpose of a pen test, is testing your environment as-is to find out what is exposed or exploitable in your present-day security configuration. If you set up a honey pot and hardened firewall solely for the testing, but take down that security after the testing, you have done yourself a disservice in both the value of the penetration test’s findings and your lasting security posture as a result.
Lastly, be responsive during the testing. If there are requirements needed from your team for the tester to complete their testing, your timely response or assistance can greatly impact the outcome of the testing and the value of the results you receive. A good rule of thumb is to provide anything required from you (that was discussed during the kickoff or pre-engagement discussions) at least one week before the scheduled testing.
What about remediation?
Most penetration testing companies do not offer remediation as part of their penetration test services. In most cases, remediation of found vulnerabilities falls on the organization’s internal IT or security resources to fix. However, if you are working with a Managed Service Provider (MSP) that already manages some of your IT or security, or if your testing provider offers an as-a-service model with remediation included, remediation actions may be distributed in responsibility.
Some providers may offer remediation testing, which is an add-on service you can purchase as a built-in follow-up to your penetration test. With this option, the penetration testing provider will retest the reported vulnerabilities to see if they have been remediated successfully. There is usually a time limit on this option, such as 30-, 60-, or 90-day deadlines. It is also generally offered only once – i.e. a post-retest retest is not included, and would generally constitute a new penetration test entirely. With this in mind, we recommend that you have your remediation retesting done only once you are sure you have remediated found vulnerabilities to the best of your ability.
Get the value you’re paying for.
As a penetration test provider ourselves, we understand that organizations like yours are driven to comparison shop and rotate providers every few years for maximum value and ROI. We hope that using this article as a guide will help you identify a solution provider that meets your organization’s needs and leads to a positive pen test experience.
Just remember that the cost of the service will reflect the depth of testing and the value provided. The cheapest bid may land you with an automated vulnerability scan posing as a pen test, and your security program deserves better than that.
If you have a question about penetration testing for your organization or would like to get in touch with one of our penetration testers, reach out to our team!
Written by Chris Wright, Cybersecurity Engineer