Penetration Testing: Part 5
In this, the last blog entry in the current series on pen testing, I’d like you to consider with me how an organization that needs to have a pen test performed should choose a service provider. This decision is extremely important because not everyone who claims to be a proficient pen tester genuinely fits that bill. It is all too easy to hire an individual or consultancy that is incompetent and/or incomplete in its testing. Additionally, not every service provider stays within the rules of engagement. Some get carried away, and in the process cause disruption and/or even damage.
The most important single consideration is the reputation and trustworthiness of the service provider. When an organization commissions a pen test of its networks, hosts and applications, it is in many ways opening its IT environment to whoever is chosen to perform the test. This is why I strongly advise not hiring any so-called “hacker” or a (hopefully) “recently reformed” member of the black hat community. Someone who has shown bad judgment by making a living based on violating laws and crossing far past professional ethical standards is not going to suddenly become a person of good judgment, even if that person sincerely means to change. I am aware of dozens of cases in which an organization hired a “hacker” to perform pen testing, only to greatly rue its decision. In one case, an organization that hired a “hacker” cut the pen test short. The “hacker” retaliated by launching a massive denial of service attack against the organization’s network, causing a prolonged and costly outage. In another case, an apparently much better intentioned “hacker” made a series of honest but naïve mistakes that repeatedly crashed routers and switches within the customer’s network.
Another consideration is proven excellence in pen testing. This is why organizations that have obtained outstanding pen testing services from a provider would do well to stay with that provider. If the quality of a potential pen testing service provider is unknown, the provider should be able and willing to provide references that the potential customer can contact to determine how well the service provider has performed for them in the past. The major limitation of using references is that service providers tend to provide only the names of highly satisfied customers. Still, when the quality of pen testing services is in question, having references to contact is far better than nothing. But the best method of determining how good a candidate service provider’s services are is to set up a virtual, non-production IT environment with a few exploitable vulnerabilities, define the rules of engagement, and then turn the potential service provider loose for an agreed period of time. The candidate pen tester’s skill level will rapidly become obvious. An increasing number of organizations are using this strategy, often to competitively pit service providers against each other to determine which one is the best. Having candidate service providers prepare and submit write-ups is the proverbial topping on the cake: there are so, so many technical geniuses who can perform amazing pen testing, but are seriously deficient when it comes to the ability to write. The chosen service provider should not only perform outstanding pen tests, but should also be able to write a clear and technically detailed report that contains not only a description of the methodology used and the results, but also prioritized recommendations for vulnerability remediation.
Oh, and by the way, I must close by saying that I know that I am biased (please forgive me), but I am extremely proud that I work for a company that prides itself on its excellence in performing pen testing.