Why You Should Hire a Penetration Tester and Which One


In essence, penetration testers are hackers with a conscience. They are hired by organizations to hack into systems and reveal exploitable vulnerabilities that threaten business operations. Pen testers work at a computer (sometimes with intel gained from social engineering attacks) and carve through lines of code, web applications, and other business-critical systems for hours on end, pivoting from one system to the next until they have either breached the proverbial security wall or confirmed that the organization's systems are securely configured.

So, why would a company hire someone to breach its systems? It sounds counterproductive at first, but the more an organization learns about the attack and the methods used, the more insight it gains into its systems' weaknesses. If the organization doesn't discover its weaknesses first, someone else will. And when that someone else is a competitor, a hostile state, or a ne'er-do-well looking to disrupt corporate America, it seldom ends well for the organization.

Finding the right fit 

When hiring an ethical hacker, it is best to confirm a few things. For starters, you want to make sure that your hacker is both capable and, of course, ethical. One way to verify this is through certifications. These certifications help to ensure that you are getting the best value for your purchase. Penetration testing can be priceless when you hire the right hackers.

Certified Ethical Hacker (C|EH) 

https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/ 

A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner, to assess the security posture of the target systems. The CEH credential certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective.

GIAC Penetration Tester (GPEN) 

https://www.giac.org/certification/penetration-tester-gpen 

The GPEN certification is for security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities. Certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing, and properly conducting a penetration test, as well as best practice technical and non-technical techniques specific to conducting a penetration test. 

GIAC Web Application Penetration Tester (GWAPT) 

https://www.giac.org/certification/web-application-penetration-tester-gwapt 

Web applications are one of the most significant points of vulnerability in organizations today. Most organizations have them (both web applications and the vulnerabilities associated with them). Web application holes have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count. This certification measures an individual's understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.

Penetration testing methodology 

Certifications should be accompanied by proper penetration testing methodologies. Verify with your pen testers that they are following a reputable penetration testing methodology framework. At HBS, we use a methodology framework that is derived from the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), and other industry best practices. 

Liability insurance 

It is also important to understand that penetration testing is an invasive test. In most cases, the penetration tester will not accept responsibility for consequential damages or restoration of services resulting from the testing activity. However, you will want to make sure the hacker is protected with liability insurance. There are some situations where the penetration testing company could be held liable for certain actions if performed negligently, and if that were to occur, you want to be sure they have the means to right their wrongs.

Finding the right penetration tester doesn't have to be difficult. We can help. 

Carly Westpfahl