In last week's article, we covered the basics of what a penetration test is and why you should make one part of your regular security regimen. This week we will cover things to look out for when choosing your penetration test vendor.


Not all penetration test vendors are created equal; many service providers are more interested in selling a false sense of security than genuine protection. A high-quality penetration test must be conducted by a professional who is able to perform their own research, write their own code, understand how exploits work and, ideally, write their own exploits if the need arises.

Most penetration test teams lack first-hand experience with computer and network exploits and rely on third-party scanners and automated tools. While these tools can be a useful early detector of problems, they do not offer a comprehensive look at your systems, your network or your overall security. These limited tests are sometimes referred to as "rubber stamp" penetration tests. Rubber stamp tests exist only to give the client a piece of paper with a "stamp" of success plastered across the top and an empty promise of security. When you choose your penetration test vendor, make sure to inquire about their methods and request proof of their research methods.

A real-time alert generated by a Next Generation Firewall. In this case, the firewall was able to stop the intrusion attempt, but penetration testing could have identified the attack vector before it occurred.

All real penetration tests begin with social and technical reconnaissance. Social reconnaissance is research focused on extracting information from your public-facing web presence. This may include your business website, your company or employee Facebook pages and LinkedIn accounts, or even a recent job listing. The goal of social reconnaissance is to collect information that may assist in compromising your system security.

Technical reconnaissance goes a step further: it digs into your individual network host information and your web directory settings, and checks for weaknesses in your network hardware. Technical reconnaissance may use any number of port or network scanners to speed up the process and look for commonly neglected security settings.

This is the point where so-called "rubber stamp" penetration testers would stop, but it is where the real work begins. Once all initial research has been collected, the information must be analyzed and put to the literal test. While fully automated tools might be able to find the obvious security holes, an experienced human is much better than a machine at detecting human error. Through a careful analysis of social and technical reconnaissance, an experienced tester is frequently able to discover neglected source code, confidential files, passwords, or publicly posted troubleshooting questions about IT issues. All of this information can be used to break through security walls and access your internal systems.

As a general rule, when you choose a penetration test vendor, look for one that demonstrates a firm understanding of practical exploits and not simply of technical tools. Ask about their research methods and how long their testing takes; a thorough test should not be instant! A genuine penetration tester will appreciate that you made the effort to learn about your security, whereas an imitator will likely become defensive and is not worth your time.