Top 10 Things to Look for or Avoid When Choosing a Pen-Testing Vendor
The penetration testing market is currently booming and will continue to do so; in fact, the international company MarketsandMarkets, a provider of quantified B2B research, has estimated growth from $594.7 million in 2016 to $1,724.3 million by 2021, at a Compound Annual Growth Rate (CAGR) of 23.7%. The explanation is simple. Pen testing is becoming a favorite for many businesses in response to the growing number of breaches they have suffered in the past few years. Penetration testing provider Alpine Security, for example, puts at 55% the share of small and mid-sized companies that have suffered a cyberattack. Looking at these figures, it is clear that there are huge opportunities across this industry, and it is normal that more and more pen testing companies are appearing in the IT security landscape.
Another factor driving the growth of the pen testing market is the drive for compliance. Many companies are required by law to adhere to industry standards and regulations (PCI, HIPAA, etc.) that normally require the use of security assessment techniques like pen testing. However, what is the point of penetration tests? Are they worth the investment? Moreover, above all, what should a business consider when choosing the best provider for its needs?
Why Acquire Pen-Testing Services? Internal or External Teams?
The objective of a pen test is to improve the level of resilience to risks so that one can monitor, control, and eventually manage breaches as well as minimize their impact on the organization as a whole. An organization cannot fix what it does not know about, and penetration testing can help do just that, assessing the security posture of businesses by simulating attacks that closely resemble those that malicious hackers would carry out.
Internal or external (third-party, outsourced providers) pen testers can ethically hack and evaluate the environment to test the organization’s security in a real-world way. The testers can validate security defenses before real attackers exploit critical systems and gain access to sensitive data. It is not just a mere vulnerability assessment that could be done using tools already available to many companies, but an overall check that makes use of the talent of IT professionals with experience in the modus operandi of malicious hackers. In fact, a vulnerability scan helps in recognizing issues by comparing system findings to a list of known vulnerabilities and is performed with a variety of specialized technical tools; a penetration test is more a human-driven, manual process that involves a range of techniques, not all of them assisted by software. Pen testers, for example, can employ social engineering methods suited to testing the readiness of a company’s staff.
Another way penetration testing can go beyond the help of technical tools, or the assessment of a company’s own IT security teams, is by looking for out-of-the-ordinary security issues and providing suggestions on possible solutions that make sense for the organization and that are tailored to the risk acceptance levels decided by its management. This makes penetration testing an increasingly valuable necessity and explains why so many businesses have come to employ highly skilled ‘ethical hackers’ to help them secure their systems, safeguard their networks and help prevent data loss. So how should a company address pen testing? The first choice a company needs to make is between internal and external teams. There are obvious pros and cons to both options.
An internal team is a safe option that opens the testing of networks to trusted members of the staff who are already familiar with the needs and requirements of the organization, the priorities of management and the level of IT literacy of the staff. This is a safe option because, in theory, employees can assure a higher level of loyalty and therefore there are fewer risks in granting full access to the infrastructure. There are, however, also clear advantages to employing third-party teams.
The first thing to consider is the size of the organization. A small or medium-sized business might not have the possibility to hire additional IT security experts solely for the purpose of pen testing. Also, if using internal IT security employees, companies might miss out on the advantages of having a fresh, unbiased look at the networks and at the policies and procedures implemented in the organization. While an internal team might involuntarily (or even voluntarily) become complacent or overlook possible issues, a professional, specialized external team could provide a detached look at the entire infrastructure and bring new suggestions or updated testing methods.
It is obvious that trust is an issue. Outsourcing implies giving access to systems and data to a team of people who have no ties to the organization. Levels of access can obviously change and vary according to the type of assessment requested, but outsourcing to a third party still requires much trust in the vendor. Therefore, there are a number of considerations a business needs to make to choose the best pen testing company for its needs.
What to Look for or Avoid When Choosing a Pen-testing Vendor or Provider
1. Make certain the staff is experienced and highly trained
This is obviously one of the most important considerations. When vetting a potential pen test vendor, it is beneficial to find a provider who hires trained and experienced pen testers. Staff, for example, should hold at least one of the following industry-recognized professional certifications: CEH, GPEN, GWAPT, OSCP, OSCE, or SANS GXPN. It is also beneficial to ask what type of experience the company looks for when hiring and what type of ongoing training and development opportunities are offered or required.
2. Safety first
In addition to knowledge and experience, it is also important to inquire about the mechanisms the company has in place to ensure the trustworthiness of its employees. Are background checks performed at hiring? Does the company have a program for continuous security recertification? Pen testers will have access to the company’s inner infrastructure secrets, and some type of screening and vetting is a minimum requirement.
3. Choose a company that is open about all aspects of their work
When outsourcing to a penetration testing services provider, organizations need to ensure the chosen vendor follows an industry-accepted penetration testing methodology. The team needs to provide a clear statement of work that highlights testing limits, time of engagement, tools and methods employed, privacy concerns, and procedures related to data access, along with reporting expectations and requirements. Make sure the services the company can provide correspond to the needs of the organization. If, for example, you expect not just an assessment of the organization’s security posture but also clear recommendations, ensure the vendor is reliable in its service offerings and can support its findings through written documentation or verbal communication that lays out the methodology step by step, offers reproducible results, and provides realistic solutions.
4. Make sure the company is up-to-date in their methods
There are many types of penetration testing to conduct, and companies can provide different services altogether and employ a number of pen test tools for various platforms and frameworks that can be custom tailored to different environments. It is important to do your homework first. Make sure to rely only on the help of companies that can prove their updated knowledge through certifications, credentials and adherence to standards. Check also that they are using the newest commercial penetration testing tools and techniques during security assessments.
5. Ensure the preparation of a detailed agreement
Define a clear time period in which the vendor will test your network or application, while also stating which systems will be declared “off limits” during testing. It is important to agree on the turnaround time for each test to determine whether a third-party penetration testing company can meet your on-demand needs. Use a Rules of Engagement (ROE) document, signed by both the penetration testing vendor and the client, to ensure clarity on test expectations.
6. Data security
Before entrusting sensitive data to a third party, regardless of all assurances received during the contract negotiation phase, it is important to specifically enquire about the handling of data: how it is transmitted, stored, and disposed of. How long are records retained? Has the company itself ever been hacked?
7. Confirm the company has liability insurance
A company with insurance offers additional protection. It is important that, in case problems occur, vendors have liability insurance and can remedy any loss incurred as a result of their testing and intrusion attempts. Make sure also that the pen testing vendor carries insurance sufficient to cover the potential loss that might be caused if any data is leaked or compromised in any way.
8. Check the vendor’s reputation
Just as for any other service, pen testing should be requested from companies with a proven track record and a reputation in the field. Check references, check consumer reports and, if feasible, check with prior clients just as you would for any other important purchase. Granting a third party access, even limited access, to the company infrastructure or data is always a risk. Is the vendor known and respected in the penetration testing or vulnerability research domain? If nothing is mentioned on the internet within the InfoSec community, even that is a red flag!
9. Strive for specialization
You don’t necessarily need to avoid a pen testing company that boasts about being experienced in every possible environment and testing scenario. However, there are so many different combinations on the plate that it is nearly impossible for a technician to be well versed and highly experienced regardless of the type of infrastructure the company has. It is important then to discuss early in the game the type of systems, software and setup the pen testers will have to deal with, and to evaluate the real-world degree of experience that the pen testing company can demonstrate with similar configurations. Strive for specialization.
10. Beware of highly-technical jargon
Pen testing can be highly methodical, but if management is inundated with technical jargon when discussing the pen testing procedures to be applied, or receives reports incomprehensible to the layman, then there might be a problem. The ability to communicate difficult concepts in a way that even non-technical executives can appreciate and act on appropriately is one of the most sought-after skills of pen testers. Look at sample reports, ask questions and evaluate how nebulous the answers are. Look for clarity and shy away from vendors who blow smoke in your eyes.
There is no question that penetration testing is a critical component of securing companies’ information assets. Whether performed on a regular basis or as part of compliance audits, it is a practice that can help increase awareness in any organization about potential security breaches. This is the key reason to acquire penetration testing services. Pen testers can identify an organization’s weaknesses by using the same methods an attacker would. “As cyber threats continue to grow, so does the need for competent Ethical Hacking and Penetration Testing professionals,” says InfoSec Institute. Choosing the right vendor is then an essential exercise, and companies need to evaluate a number of important aspects before entrusting their systems and data to external entities.
Ahmed, N. (2015, December 10). Top 3 Things To Look For In A Penetration Test Vendor. Retrieved from https://trushieldinc.com/top-3-things-to-look-for-in-a-penetration-test-vendor/
Alpine Security. (2017, September 30). Top 10 Considerations for Choosing a Penetration Testing Vendor. Retrieved from https://www.alpinesecurity.com/blog/2017/9/30/top-10-considerations-for-choosing-a-penetration-testing-vendor
Basu, E. (2013, October 13). What Is A Penetration Test And Why Would I Need One For My Company? Retrieved from https://www.forbes.com/sites/ericbasu/2013/10/13/what-is-a-penetration-test-and-why-would-i-need-one-for-my-company/#10de46d418a0
Brecht, D. (2016, November 30). Pros and Cons in Penetration Testing Services: The Debate Continues. Retrieved from https://resources.infosecinstitute.com/pros-and-cons-in-penetration-testing-services-the-debate-continues/#gref
DigiCert. (2014, September 29). Intro to Penetration Testing Part 3: It Could Happen to You. Retrieved from https://www.digicert.com/blog/it-could-happen-to-you/
Dorais, S. & Ravaioli, A. (2014, July 29). Planning and Managing a Penetration Test Project. Retrieved from http://festa-marketing.blogspot.it/2014/07/planning-and-managing-penetration-test.html
Downton, B. (2013, August 8). Testing Times: the importance of the right mix. Retrieved from https://www.mwrinfosecurity.com/our-thinking/testing-times-the-importance-of-the-right-mix/
Embers, R. (2013, August 13). Penetration Testing: A Preventative Security Control. Retrieved from https://www.dionach.it/blog/penetration-testing-a-preventative-security-control
Goicochea, T. (2015, December 10). Top 3 Things To Look For In A Penetration Test Vendor. Retrieved from https://trushieldinc.com/top-3-things-to-look-for-in-a-penetration-test-vendor/
Harris, S. (2005, August). How security audits, vulnerability assessments and penetration tests differ. Retrieved from http://searchsecurity.techtarget.com/answer/How-security-audits-vulnerability-assessments-and-penetration-tests-differ
High Bit Security, LLC. (2017, May). Penetration Testing Companies and Vendor List. Retrieved from http://www.highbitsecurity.com/penetration-testing-vendor-list.php
Hoffman, C. (2013, April 20). Hacker Hat Colors Explained: Black Hats, White Hats, and Gray Hats. Retrieved from https://www.howtogeek.com/157460/hacker-hat-colors-explained-black-hats-white-hats-and-gray-hats/
Intrinium. (2016, August 19). Should You Hire a Hacker? Penetration Testing is an Effective Way to Assess Your Business’s IT Security Risk. Retrieved from https://intrinium.com/should-you-hire-a-hacker-penetration-testing-is-an-effective-way-to-assess-your-businesss-it-security-risk/
Lexi. (2016, July 14). How To Conduct PCI Penetration Tests for Security & Compliance. Retrieved from https://www.tracesecurity.com/blog/how-to-conduct-pci-penetration-tests-for-security-compliance#.WoK1VkxFyUk
Lowery, J. (2002, February). Penetration Testing: The Third Party Hacker. Retrieved from https://www.giac.org/paper/gsec/1643/penetration-testing-third-party-hacker/103005
Miessler, D. (2017, November 8). Information Security Assessment Types. Retrieved from https://danielmiessler.com/study/security-assessment-types/
Murashka, U. (2017, October 15). Vulnerability assessment vs. penetration testing. Know who is who. Retrieved from https://www.scnsoft.com/blog/vulnerability-assessment-vs-penetration-testing
Singh, A. (2017, March 19). How to choose your Security / Penetration Testing Vendor? Retrieved from https://www.firecompass.com/blog/choose-penetration-testing-vendor/
Symantec Corporation. (n.d.). What is the Difference Between Black, White and Grey Hat Hackers? Retrieved from
Tittel, E. (2003, April 21). Protect your data by hiring the right penetration test vendor. Retrieved from https://www.techrepublic.com/article/protect-your-data-by-hiring-the-right-penetration-test-vendor/
Wilkinson, C. R. (2015, December 3). Vulnerability Assessment vs. Penetration Test: The Pros and Cons. Retrieved from https://www.crowehorwath.com/cybersecurity-watch/it-data-security-test/
Zorz, M. (2016, September 1). It pays to be a penetration tester, the market is booming! Retrieved from https://www.helpnetsecurity.com/2016/09/01/penetration-testing-market/