Penetration Testing – Building the Business Case
Selecting a penetration testing provider can be a daunting task. The industry is somewhat unregulated and other than the likes of CHECK / CREST / Tiger Scheme there are relatively few means to check your penetration testing provider is actually capable of testing your systems, infrastructure, buildings and people to sufficient depth.
On one hand you have specialist firms like 2-sec that take the time to understand your business, assess risks and scope testing accordingly; on the other hand you have software-as-a-service type solutions where you click a button, pay with your credit card and have an automated system try to find its way around your website and/or infrastructure and give you the results you need.
So which one is right, and how do you get best value out of penetration testing?
When working with our clients, we usually start with a simple set of questions:
- Why do you think a criminal might target your organisation?
- Have you ever been subject of hostile reconnaissance?
- How valuable are your company secrets?
- What would happen if your customers’ data were compromised?
- Does your company insurance provider pass responsibility for “best practice information security” to you?
- When was the last time you tested your applications, infrastructure, systems and physical locations?
The answers to these questions will often blow an automated approach straight out of the window. After all, attackers are very unlikely to be using the same automated approach and tools to target your organisation, and they have a huge arsenal of techniques available to help enumerate and attack your company. This might include:
- OSINT (Open Source Intelligence Gathering)
- Using a skilled developer to write attack scripts that bypass your security systems
- Just walking in through the front door one day
- Targeting employees and enumerating your systems through information on LinkedIn or Facebook (it happens!)
- Social engineering – phoning up your system administrators and resetting your CEO’s email password
- Using one of the many thousands of open-source hacking tools and distributions (how can a single automated tool protect against that?)
This is by no means an exhaustive list, but it hopefully demonstrates that an automated “vulnerability scanning” approach is unlikely to measure up to the manually driven, targeted attacks that criminals are using to compromise people, systems and buildings.
How much should I spend on penetration testing?
As with any service-based offering, you get what you pay for, and this usually breaks down to the resource/effort a penetration tester puts into compromising your company (or, in the case of an automated scanner, the licence cost). I’d usually reflect this question back and ask clients how much effort a criminal would put into attempting a compromise. If you’re a big military sector target, then penetration testing is a full-time 24/7 job for a team of several experts – systems are under constant test and review. If you’re a small or medium enterprise, then a crack squad of ethical hackers is probably not the best approach, but you must make reasonable effort to ensure systems are secure and tested. This, after all, is your undertaking to your bank if you handle credit card information, or to your insurance company, which no doubt stipulates that you must apply best practice security to the best of your efforts.
Unfortunately, the industry “norm” seems to be 4 days of infrastructure/web application testing, plus 1 day of report writing. Social engineering, personnel and physical security will get overlooked 99% of the time, as will third-party suppliers, wireless networks, home networks, employee-owned devices – the lot!
As web applications and perimeter security improve, the “4+1” approach only serves to line penetration testing firms’ pockets, as they constantly find new ways to automate tests and use less skilled resource to deliver.
What should I do before engaging a penetration testing company?
There’s no dark art behind this – an experienced penetration tester will work to a specific methodology, scope up the target and use whatever process, tool or physical means to attempt compromise. It might be handy if they’ve done this sort of thing before, and we would encourage you to:
- Get references
- Get tester resumes
- Speak to your penetration tester before starting – ensure they understand your goals
- Understand what tools will be used, and what percentage of testing will be automated as opposed to manual
- Get sample reports – if they’re not clear and concise, or run to more than 40-50 pages, chances are they’ve been created by an automated tool
- Take a holistic approach and allocate budget appropriately to application, system, infrastructure, personnel, social engineering and physical security. Don’t just spend it all on one thing.
Ensure you fully understand the scope of systems within your organisation, outside your organisation (cloud providers) and those provided or managed by third parties. One of the biggest risks with penetration testing is false negatives: a test is conducted and gives you the all-clear, yet the scope missed critical systems in the first place.