Getting Ready for a Pen Test: Step 3
July 25, 2014
In the first blog post of our three-part penetration (pen) test series, we discussed the five common ways an attacker can gain access to your corporate network that you should address immediately before bringing in a penetration tester. In the second blog post, we discussed taking inventory of systems, assets and critical data on your network and keeping high risk data and servers segmented from the general user base. In this final piece of our series, we will discuss how you can make sure that the vendor you choose to conduct a pen test delivers what you need.
There are many types of testing that security companies can perform for you. Each one has different service offerings created to cover every aspect of security your organization could face. In this post, we will focus on pen testing. The problem we often encounter is that everyone has a different thought or opinion of what this type of test should and should not include.
Choosing a Security Vendor for Pen Testing
Selecting the right partner to tackle your pen testing needs sounds easy but can be a difficult decision because there are so many options. How do you know they will meet your expectations? Unfortunately, there are no solid steps on how to do this, but these tips may provide some guidance:
- Be wary of the lowest price option. We understand companies have a budget, but if you choose your vendor based solely on them providing the lowest quote, you may not be happy with the results. Make sure to strongly consider the vendor team’s capabilities and experience when making your decision. You don’t want to waste the budget you have on a poorly executed test.
- Ask for recommendations. You have multiple resources at your disposal to help you select the right pen test partner. Your internal security analysts likely attend security conferences and can tell you which companies have experts actively presenting on penetration testing topics. Also, since most organizations must switch vendors every one to three years based on internal audit requirements, ask your previous or current vendors who they suggest. If they are true partners, they should be more than happy to provide the names of other companies they trust.
- Interview the testing team. Be sure to ask the vendor to schedule time for you to speak with the testing team to ask them technical questions related directly to your environment to ensure they have the proper experience. Often, the vendor’s sales team fields the technical questions, but most of those individuals do not fully understand how to accurately answer those questions.
Ensuring a Solid Pen Test
Whether or not your organization has ever conducted any type of security testing, it’s paramount to know what should be included in a pen test so you know what questions to ask of your prospective vendor. We believe it is the responsibility of the vendor’s scoping team to:
- Define all tests as they perform them.
- Help take stock of the maturity of the organization’s security program.
- Help assist with determining the correct course of action.
There are several different levels of testing for an organization. We plan to discuss the levels and their differences on this blog in the future. For now, we want to focus on expectations for penetration testing. The goal is to understand what a penetration test is and what it means to your organization. Additionally, this will help you know if your vendor is going to give you the level of testing you expect. Understanding this before engaging any vendor it will make your life much easier. It’s horrible to have a test performed and not have it live up to your level of expectation after it’s completed. All vendors should be grilled around their approach to the phases outlined below.
Defining the Pen Test
A pen test is a method of evaluating computer and network security by performing a controlled attack on a computer system or network from external and internal threats. A pen test is not designed to find all the vulnerabilities in your network, which is the job of a vulnerability assessment. The main focus is to highlight the paths of least resistance in your organization that a threat agent might also use.
One exceptional methodology for conducting a thorough test is the Penetration Testing Executive Standard (PTES). The PTES was developed by a number of security professionals in all areas of the industry that realized a major gap in both delivery of services and understanding what service you as an organization received.
Following the standard, here are several things to consider:
- Pre-engagement Interactions – This is often overlooked, but it’s important to understand the logistics of all testing being performed. If the testers aren’t interested in your goals or providing you with a few possible ways to get there, then they are missing key elements of the testing before it’s even begun.
- Intelligence Gathering – Are you providing the information, or is the vendor going to research and provide you with what they have found? Sometimes it makes sense to ask them to find as much detail as they can on their own. If what they have provided doesn’t include everything you want tested, provide the remainder of the information at that point.
- Threat Modeling – Security testers should be able to take the information they have found during intelligence gathering and inform you what type of attacks to which your organization is susceptible. This does not need to be a formal presentation but a synopsis of “weak points” they believe make sense to test. They may see something you do not.
- Vulnerability Analysis – Reviewing what vulnerabilities exist, but more importantly, which can lead to a high level of severity to your organization. Testers should be able to help you categorize your remediation efforts.
- Exploitation – Don’t shy away from this, it is how you truly know how far an attacker may get within your organization. Additionally, a security tester should be able to explain the exploitation technique and what the expected outcome will be.
- Post Exploitation – Most security vendors fail at this point in the testing. Elevating privileges is not the end goal. You should understand all the different ways an attacker may gain access to the information that will hurt your organization.
- Reporting – This is by far the most important part of the test. You are not paying specifically for the testing but for a detailed explanation of what was found and well thought out recommendations that come from years of experience. Ask the vendor about their reporting structure and how it’s put together. Output directly from a vulnerability scanner should be a huge red flag.
Each of these phases is an important part of the pen testing workflow. If your current vendor is not doing these things, then challenge them as to why and demand that your testing follow this baseline. Any security company queried about each step should be able to give detailed answers. You are spending your budget, and you don’t want to waste it!