Many businesses rely on a penetration tester to confirm that their IT security actually holds up. But because of the human element, some risk remains even when a company’s technological defenses are strong. Here are some questions to ask when looking for a reputable tester who will do the job properly.
What Do You Need?
First things first: what is a penetration test, and do you need one? A penetration test is a technical and non-technical exercise designed to compromise your systems by simulating a real attack against them. Pen testing usually consists of agreeing the scope, identifying vulnerabilities, using software or hardware tools (sometimes a combination of both) to exploit them and compromise systems, and then writing up what was found, how it was done, and how to fix it in a report.
Some tests also involve a social engineering component. Social engineering is the practice of compromising security without relying on technical tools, or where software and hardware are not the primary means of getting in.
Instead, social engineering takes advantage of human psychological weaknesses, such as trust and the wish to be helpful, to get past security controls.
For example, a security analyst might pose as an IT staff member, a rank-and-file employee, or even a delivery person. He may wait at the front or back door holding a cup of coffee; when an employee comes to open the door, he asks the employee to hold it open for him. This technique is known as tailgating.
Even when secured entrances are guarded, a pen tester may still be able to talk or tailgate their way into a building.
Good penetration testing uses both technical and non-technical means to gain entry to a building or system, because real attackers do the same.
So when should you have a pen test done? Any time you make a change to your server environment, deploy a new application, or update your website, and in any case once a year has passed since the last test, you should have a pen test done again.
What Is The Analyst’s Process?
An analyst’s process varies by organization, so pen testing differs from company to company. The testing methods do share some similarities, however: pen testers often use custom security software to perform tests, and they may employ custom hardware as well. In most cases the analyst should be able to provide a straightforward outline of all of the steps involved and of which tools will be used at each step in the process. Be wary of a tester who cannot.
What Certifications Does Your Analyst Hold?
Your analyst should hold relevant certifications. It’s important to know that the individuals conducting the test are knowledgeable and capable of performing such tests, and unfortunately this isn’t always easy to establish.
While certifications are not a replacement for skill or experience, they are generally a good indicator of at least a baseline of education. A variety of certifications demonstrate knowledge of information security, including CEH, CISSP, GPEN, and GWAPT. Hands-on, skills-based certifications such as OSCP are particularly good, because they require the candidate to compromise systems in a lab exam rather than answer multiple-choice questions, and so set a higher standard for security testing and training.
How Will The Tester Protect Your Data?
Protecting your data is also important. While you do want to know about your vulnerabilities, you don’t want that knowledge to come at the expense of your data. Find out how the tester will secure your data during the test and how long they will keep it afterwards. If devices will be shipped to your company’s offices, or if testers will be visiting with their own laptops, they should use full-disk encryption to protect any data they obtain.
Any reports they generate should be delivered securely. Confidential data, including the report itself, should never be sent as a plain email attachment; use SFTP, an encrypted file-sharing service, or an encrypted archive whose passphrase is sent over a separate channel. Be especially careful if the test found a vulnerability in the very server or portal where the report would be stored, since anyone who exploits it could read the report too.
How Will The Tester Ensure The Availability Of Systems And Services?
Penetration tests are real attacks against your company’s systems, so it is impossible to guarantee that uptime will be maintained throughout the test. However, an experienced tester should have a good idea of how much load the testing will place on your servers, which activities (aggressive scanning or exploitation of a fragile service, for example) are likely to bring a server to a grinding halt, and how long a server would be down if it is compromised.
Testers should also be able to say how a particular attack is likely to make your systems react, which systems are likely to “hang,” and which legacy systems may run slower than normal while the test is underway.
Your pen tester should work closely with your management team to agree which systems will remain operational, which will be down, and which may be unstable, and to agree a testing window and an emergency contact so the test can be paused if something breaks. From there you can plan your operations accordingly. It may very well be the case that your entire network is non-operational, or unreliable, during the pen testing process.
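One concrete way a tester limits the burden described above is to watch the target’s health while testing and back off or stop when it degrades. The following is an added example written for this page, not code from the article or from any particular testing firm; the class and function names, the baseline latency, and the thresholds are assumptions chosen for illustration, and the replayed latencies are constructed, not measured.

```python
"""Added example: a load guard that slows down or halts a test when the
target's response time degrades or it stops answering. Names, thresholds and
the sample latencies below are assumptions made for illustration."""
import time
from collections import deque
from typing import Callable, Deque, List, Optional


class LoadGuard:
    """Track recent probe latencies and decide whether the next request may be
    sent immediately, must wait, or whether testing must stop altogether."""

    def __init__(self, baseline_ms: float, slow_factor: float = 3.0,
                 window: int = 5, max_consecutive_failures: int = 3) -> None:
        self.baseline_ms = baseline_ms          # agreed "healthy" latency
        self.slow_factor = slow_factor          # back off once avg > factor * baseline
        self.recent: Deque[float] = deque(maxlen=window)
        self.max_consecutive_failures = max_consecutive_failures
        self.consecutive_failures = 0
        self.stopped = False

    def record(self, latency_ms: Optional[float]) -> None:
        """Record one probe result; None means the probe failed (timeout, 5xx)."""
        if latency_ms is None:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_consecutive_failures:
                self.stopped = True             # kill switch: target looks down
            return
        self.consecutive_failures = 0
        self.recent.append(latency_ms)

    def delay_seconds(self) -> float:
        """Seconds to wait before the next request; 0 while the target is healthy."""
        if self.stopped:
            raise RuntimeError("target unhealthy; testing halted")
        if not self.recent:
            return 0.0
        ratio = (sum(self.recent) / len(self.recent)) / self.baseline_ms
        if ratio < self.slow_factor:
            return 0.0
        # proportional back-off, capped so a single slow window cannot stall the test
        return min(30.0, ratio - self.slow_factor + 1.0)


def run_throttled(probe: Callable[[], Optional[float]], guard: LoadGuard,
                  max_requests: int,
                  sleep: Callable[[float], None] = time.sleep) -> List[str]:
    """Issue up to max_requests probes, honouring the guard's decisions.
    Returns a human-readable log so the test lead can see when back-off began."""
    log: List[str] = []
    for i in range(max_requests):
        try:
            wait = guard.delay_seconds()
        except RuntimeError as exc:
            log.append(f"request {i}: STOP ({exc})")
            break
        if wait:
            log.append(f"request {i}: backing off {wait:.1f}s")
            sleep(wait)
        latency = probe()
        guard.record(latency)
        log.append(f"request {i}: {'failed' if latency is None else f'{latency:.0f} ms'}")
    return log


def simulate(latencies: List[Optional[float]], baseline_ms: float = 100.0) -> List[str]:
    """Replay a constructed sequence of latencies without really sleeping."""
    it = iter(latencies)
    guard = LoadGuard(baseline_ms=baseline_ms)
    return run_throttled(lambda: next(it), guard,
                         max_requests=len(latencies), sleep=lambda _s: None)


if __name__ == "__main__":
    # Constructed scenario: healthy, then slowing, then three failures in a row.
    for line in simulate([100, 110, 400, 450, 500, 520, None, None, None, 100]):
        print(line)
```

In a real engagement the `probe` callable would time a harmless request against a canary endpoint agreed with the client, and the stop condition would also page the emergency contact named in the rules of engagement.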
Working within a large IT team, Jayden Morley is keen to share his security knowledge with a wider audience. He writes for small and medium-sized business blogs, giving tips on tightening up security practices, and for IT blogs covering industry news.