Organisations of all shapes and sizes are grappling with the challenge of cyber security. The business landscape is evolving quickly. Digitalisation has become a mainstay and companies are producing – and storing – more and more sensitive data in lots of online locations, including their own web applications, on supplier platforms, in the cloud, and beyond. This increases the ‘attack surface’, meaning attackers have more locations and sources to target when trying to access an organisation’s data.
Our senior security consultants Alex Harper and Marcus Chambers also answer some important questions for choosing a penetration testing provider in a post-pandemic, hybrid working world. You can read the article here.
At the same time, cyber attacks are also becoming more sophisticated and stealthier – just look at the recent Kaseya ransomware attack. With more endpoints, more data, and more infrastructure, the potential for security vulnerabilities being inadvertently revealed or malevolently exploited is growing – and must be assessed and managed. This is where penetration testing becomes essential.
What is penetration testing?
Penetration testing can be defined as a point-in-time security assessment, where a suitably skilled tester uses a combination of tools and manual exploit techniques to uncover real-world security vulnerabilities in your IT infrastructure. Whereas a vulnerability scan identifies weaknesses using automated tooling, a penetration test goes much deeper. It attempts to exploit the weaknesses it finds, using a combination of tactics and techniques, to establish the real security strengths and weaknesses of your systems.
Regular penetration testing is essential to managing and mitigating cyber security risks. When carried out properly, these tests help you to improve your cyber security posture and give you the knowledge to fix security weaknesses within your systems.
Furthermore, in the case of supplier relationships, penetration tests are increasingly mandated before anything is signed on the dotted line. Likewise, well-known security standards like PCI DSS, policies within an ISO 27001 ISMS and regulations such as the UK GDPR may necessitate regular penetration testing and security assessments for security assurance and resilience.
For a deep overview of penetration testing and the different types, read our guide here.
Can I carry out my own penetration tests?
In a word ‘yes,’ but there is often a very big difference between the skills and experience of an in-house tester versus those of a security consultant working for a CREST accredited penetration testing provider. By nature, this field is highly technical and complex. The methods used involve technical know-how, up-to-date knowledge and testing experience. This can make penetration testing daunting for organisations to carry out internally.
For this reason, many organisations look to third party penetration testing partners because they can:
- Offer experienced, technical penetration testers who have a deep understanding of the discipline
- Carry out independent, industry-accredited assessments that provide assurance to suppliers
- Perform a varied range of tests, such as internal or external, black box or white box and so on
How to choose a penetration testing partner
A good third party penetration testing partner will guide you through the process, and provide helpful reports that enable you to understand and improve your company’s security posture. The challenge for many organisations, though, is finding the right supplier.
Step 1: Establish your needs
Before choosing a penetration testing provider, you should first establish a baseline understanding of your needs, such as your testing requirements, a budget and your objectives. This is essential to ensuring you procure the right provider.
It’s important to remember that penetration tests are not a tick-box exercise. If a provider has an offer that is too good to be true – in terms of both time taken and cost – then you should be cautious. Quality penetration testers may be more expensive, but the value they bring will be far superior and useful for your company. Some organisations offer ‘penetration testing’ that is little more than a glorified vulnerability scan – which might be why they seem cheap.
Step 2: Find a long-term, quality supplier
Once you have defined your requirements, it’s time to start the procurement process. When shopping for suppliers, you should look for a provider you can build a long-term relationship with. After all, penetration tests should be conducted at least annually, so you want a testing team you can work with over time and whom you trust.
As well as looking for a long-term partner, you also want to look for depth and breadth of expertise. As mentioned previously, there are numerous types of penetration tests. So, you want a partner who can cover all your requirements – and more – and be able to help you determine the right tests to meet your objectives and budget. You should look for a team who can add value to your cyber security strategy, who has the knowledge to help you understand the complexities of penetration testing and can bolster your cyber security posture.
Step 3: Validate their credentials and reputation
You should only consider working with a company if they have trusted external accreditations. CREST is a well-known, high-standard accreditation in the penetration testing arena.
Using a CREST-accredited company, like Evalian, to carry out penetration testing means that the quality of the services, and the technical capability and skills of the consultants you have access to, are of an internationally recognised high standard. It also ensures you are being provided with professional services that are highly skilled, knowledgeable and competent.
It may also be worth carrying out research on your potential partners to look for evidence of their reputation and experience. For example, you could look for: client testimonials and reviews; reports, research and thought leadership about penetration testing; further security accreditations and qualifications.
Step 4: Engage and clarify
Once you have one – or a few – suppliers you think could work for you, it’s time to engage. Before formalising the relationship, it’s worth asking the following questions, to establish that the supplier is the right fit:
- What’s your methodology for penetration tests? Ask this question to gain an understanding of the provider’s knowledge and expertise. They should be able to explain the different kinds of tests to you, as well as offer tailored advice that links to your specific objectives and issues.
- Can I see a sample report? It’s helpful to review penetration testing reports beforehand, to ensure that the tests are fit for purpose. You should look for reports that are concise, easy to understand and give actionable advice for the vulnerabilities discovered.
- What happens after a test? A good testing organisation should provide you with remediation guidance in their report and be available for a wash-up call with you to discuss their results, recommendations and remediation.
- Do you provide a free retest? It is common for testing organisations to offer to retest vulnerabilities after they have been remediated to provide assurance that the issue has been fully corrected. Different testing organisations have different policies for free retests, so remember to ask for details.
Once you’re happy with these answers, it’s time to finalise your choice, and then agree and define the scope of work and objectives.
For more information on when you need to conduct a penetration test, you can read our blog here.
If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.