How to be Certain You're Signing up for a Porsche and not a Lada
Following our blog, The Compelling Case for a Penetration Test, we show you how to navigate a crowded marketplace and select a penetration test provider shrewdly.
There are hundreds of companies in the UK offering penetration tests. As you, metaphorically speaking, hand over the keys to your organisation, how can you be confident your tester will apply the controls necessary to protect your sensitive data and IP?
And what, precisely, will you be paying for? Could it be a cheaper vulnerability scan masquerading as a penetration test? Will your report deliver clear, actionable insights to improve your organisation’s cybersecurity? Will your non-technical board members understand it, or will they need help to decipher its findings?
You’ll also want to see that your precious budget delivers value for money. Penetration testing is usually sold by the day, with a tester’s daily rate typically ranging between £600 and £3,000.
For the answers to these questions - and to avoid making a costly mistake, read on.
Penetration Testing Providers – What You Should Look For
Credentials and People
Providers that take the quality of their penetration testing seriously will demonstrate this by undergoing independent verification.
In the UK, this means allowing CREST - a not-for-profit information security standards authority - to scrutinise their testing and supporting processes. To maintain standards, CREST assesses its approved providers annually.
If you are in the public sector, or if you supply to government, look for a company accredited by the National Cyber Security Centre (NCSC) as a CHECK Green Light service provider. As with CREST, the NCSC CHECK scheme will reassure you that the provider’s penetration testing services have been measured against rigorous standards.
ISO 27001 certification is another quality standard to look for. The provider’s certificate should expressly state penetration testing services.
Ask your potential provider how its employees are vetted. Is this done by independent screening companies or in-house? Third party screening avoids bias. Include all personnel involved in the delivery of the test; don’t limit your enquiries to the tester alone.
Above all, this should include a criminal record check. If you are a government supplier, this should extend to verifying the government Security Clearance (SC) of individuals. If your needs require it, you may want to look for a tester with Developed Vetting (DV) clearance, over and above SC.
What’s the Difference between a Penetration Test and a Vulnerability Scan?
A vulnerability scan is an automated way of assessing computers, networks and applications etc. for security weaknesses.
While a penetration tester will also deploy tools, it is a skilful and involved human process. Your tester will apply their knowledge and experience and adopt the mindset of a determined cybercriminal.
Ask your potential provider for their penetration testing methodology or a summary of their process. This will ensure you are signing up for a comprehensive threat-based penetration test and not a vulnerability scan dressed up as one.
Scoping Your Penetration Test
To ensure your security objectives are met, your provider should furnish you with a scoping document; the blueprint for the penetration test. It should be plain and understood as to:
- What's being tested
- How it's being tested
- Why it's being tested
- Who is doing the testing
- Where and when the testing is taking place
Your provider will require assistance to set up your system or network in readiness for the test and notifying the relevant personnel. These requirements and prerequisites should be formally captured and set out in the scope document.
Your Penetration Test Report
Many penetration testers possess the skills to hack into most systems. However, they should also be able to communicate their findings clearly. A quality provider of penetration testing services will be open to sharing sample reports.
Key things to check:
- Is there a management summary directed at non-technical people? The results should not be limited to technical speak about the threats and vulnerabilities. Your report should enable your company to hold a wider discussion about risk and the impact of risk. It should help you to reach a measured decision about what vulnerabilities you’re prepared – or not prepared – to tolerate.
- Conversely, some reports describe vulnerabilities without any technical terminology. As a consequence, the value of the penetration test is lost on those in IT roles and who may have been able to act on more comprehensive information.
- Is there a technical summary giving an aerial view of the overall threat and vulnerability landscape for the target systems? Is it meaningfully set out?
- The threats your organisation is vulnerable to should be prioritised. This is sometimes done in tabulated form with a RAG (Red, Amber, Green) system.
- Are the vulnerabilities reported in sufficient detail? Is there enough information for you to understand the level of risk and impact? Are steps included to allow you to recreate them or is the provider hiding behind smoke and mirrors?
- Is there detailed remediation information? Is it customised to your environment, or is it a generic one-line statement along the lines of 'provider recommends you fix it'?
In our next blog, we look at the roles of red, blue and purple security teams, and the differences between them.