Pratum Blog

Why should I hire a penetration tester and who?

In essence, penetration testers are hackers with a conscience. Organizations hire them to break into their own systems and reveal exploitable vulnerabilities that threaten business operations. A pen tester works from a keyboard (sometimes with intelligence gained from social engineering attacks), probing code, web applications, and other business-critical systems for hours on end, pivoting from one system to the next until they have either breached the proverbial security wall or confirmed that the organization's systems are securely configured.

So why would a company pay someone to breach its own systems? It sounds counterproductive at first, but the more an organization learns about the attack and the methods used, the more insight it gains into its systems' weaknesses. If the organization doesn't discover its weaknesses first, someone else will. And when that someone else is a competitor, a hostile state, or a ne'er-do-well looking to disrupt corporate America, it seldom ends well for the organization.

Finding the right fit

When hiring an ethical hacker, confirm a few things up front. For starters, you want to make sure that your hacker is both capable and, of course, ethical. Certifications are one way to verify this, and they help ensure that you are getting value for your money. Keep in mind that a certification shows the holder passed an exam; it does not replace references, a sample report, or a clearly documented methodology. Penetration testing can be priceless when you hire the right hackers.

Certified Ethical Hacker (C|EH)
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

A Certified Ethical Hacker is a skilled professional who understands how to look for weaknesses and vulnerabilities in target systems and who uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner, to assess the security posture of those systems. The CEH credential certifies individuals in the network security discipline of ethical hacking from a vendor-neutral perspective.

GIAC Penetration Tester (GPEN)
https://www.giac.org/certification/penetration-tester-gpen

The GPEN certification is for security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities. Certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing, and properly conducting a penetration test, as well as best-practice technical and non-technical techniques specific to conducting a penetration test.

GIAC Web Application Penetration Tester (GWAPT)
https://www.giac.org/certification/web-application-penetration-tester-gwapt

Web applications are one of the most significant points of vulnerability in organizations today. Most organizations have them, along with the vulnerabilities that come with them. Web application holes have resulted in the theft of millions of credit card numbers, major financial losses, and damaged reputations for hundreds of enterprises, and countless computers have been compromised simply by visiting web sites that attackers had altered. This certification measures an individual's understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.

Penetration testing methodology

Certifications should be accompanied by a proper penetration testing methodology. Verify that your pen testers follow a reputable methodology framework, and ask for it in writing as part of the statement of work so you can see what was and was not tested. At Pratum, we use a methodology framework derived from the Open Web Application Security Project (OWASP) testing guidance, the Open Source Security Testing Methodology Manual (OSSTMM), and other industry best practices.

Liability insurance

It is also important to understand that penetration testing is an invasive test. In most cases, the penetration tester will not accept responsibility for consequential damages or restoration of services resulting from the testing activity, so the written rules of engagement should spell out the scope, the testing window, any systems that are off limits, and who to call if something breaks. You will also want to make sure the hacker is covered by liability insurance. There are situations where the penetration testing company could be held liable for actions performed negligently, and if that were to occur, you want to be sure they have the means to right their wrongs.

Finding the right penetration tester doesn't have to be difficult. We can help.

NIST SP 800-53 Revision 5 update

If your organization uses the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, you are probably already aware that efforts are underway to develop Revision 5. NIST, as always, has solicited and received a substantial number of comments on the current document, as well as recommendations for adjusting it to better suit non-federal entities, including businesses, academia, and state, local and tribal governments. As more non-federal entities adopt and use NIST standards, NIST is taking steps to make the controls catalog more adaptable and usable for a broad array of organizations.

The following information summarizes the expected changes:

  • To be more inclusive, the term “federal” will be removed to the extent possible.
  • The term “information system” will be replaced with just “system” to be more inclusive of various types of systems, such as industrial control systems and Internet of Things.
  • To improve the document's structure, and to make it easier to find and compare controls, both the program management and privacy controls sections will be integrated into the main controls section. This change strengthens the relationship between privacy and security controls, and reinforces the importance of overall program management of information security activities within organizations.
  • Priority sequencing codes (i.e., P0, P1, P2, P3) will be removed. Feedback indicated that the intent of these codes was being misinterpreted, and removing them gives organizations more flexibility in sequencing the implementation of controls.
  • Keywords and hyperlinks will be integrated to assist users in navigating the document and finding information.
  • Introductory phrases within the controls (i.e., "The organization…" and "The information system…") will be removed to make the controls "outcome-based," to better align the controls with other NIST guidance, and to remove ambiguity about who is responsible for implementing the controls.

NIST is planning on releasing the first draft of Revision 5 for public comment at the end of March 2017. If you are interested in additional information from NIST about the expected changes, please visit: http://csrc.nist.gov/publications/drafts/800-53r5/draft_sp800-53-rev5_update-message.pdf

For a copy of the current SP 800-53 Revision 4, as well as other NIST SP 800 series documents, please visit: http://csrc.nist.gov/publications/PubsSPs.html

Penetration testing is complemented by vulnerability scanning.

Penetration testing and vulnerability scanning are different services, but they share enough similarities that the two are often confused. In this article, we compare and contrast them.

Vulnerability scanning is an automated process that uses tools to look for known security vulnerabilities in your systems. The scan delivers a lengthy report of potential exposures, some of which will turn out to be false positives or unexploitable in your environment. Penetration testing is a manual process that leverages information found in a scan, or divulged in a social engineering attack, to exploit those vulnerabilities and gain access to sensitive data. A well-prepared pen testing report is concise and contains only pertinent, validated findings.

These services are both very important, but they are not the same and should be priced accordingly.

Vulnerability Scanning

Regularly scheduled vulnerability scans provide a baseline of your exposure for a given information security program. Scans are used to assess your company's network security health and provide insight into risks that may directly affect your organization. They are particularly useful for checking the configuration of new additions or recently updated systems, and for confirming that a previously reported vulnerability was actually fixed.

As an automated service, vulnerability scanning relies more on the technology used than on the individual deploying the scan. However, the scoping phase of the vulnerability scanning process is very important. You will want to work with a knowledgeable consultant to define exactly which devices will be targeted and scanned, and which must be left alone. You will also need to choose between authenticated scans (the scanner logs in with a user account and can see missing patches and local configuration) and unauthenticated scans (the scanner sees only what an outsider without credentials sees). Each has its advantages: authenticated scans find more and produce fewer false positives, while unauthenticated scans show the attack surface an external attacker actually faces. The mix that best fits your organization is decided in this phase.
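The scoping step above is where most scanning accidents happen: a mistyped range or a forgotten fragile host turns an authorized scan into an outage on someone else's network. The script below is an added example, not Pratum's tooling, of a scope check run before a scanner is pointed at anything. The authorized ranges, the excluded hosts, and the candidate targets are constructed for illustration; the check accepts a candidate only if it lies entirely inside an authorized range, and carves excluded hosts out of any block that contains them.

```python
"""Scope check to run before launching a vulnerability scan.

Added example (not Pratum's code). AUTHORIZED_RANGES, EXCLUDED_HOSTS and the
candidate targets in main() are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: the ranges the client authorized in writing.
AUTHORIZED_RANGES = ["10.20.0.0/16", "192.0.2.0/24"]
# Constructed: hosts the client asked us not to touch (fragile or
# business-critical systems that an invasive scan could disrupt).
EXCLUDED_HOSTS = ["10.20.5.10", "192.0.2.77"]


def _carve_out(net: ipaddress._BaseNetwork, excluded: Iterable[str]):
    """Split `net` into the largest CIDR blocks that avoid every excluded host.

    A candidate that is itself an excluded host yields nothing.
    """
    pieces = [net]
    for host in excluded:
        host_net = ipaddress.ip_network(host)  # a single address becomes /32 or /128
        if host_net.version != net.version:
            continue
        new_pieces = []
        for piece in pieces:
            if host_net.subnet_of(piece):
                new_pieces.extend(piece.address_exclude(host_net))
            else:
                new_pieces.append(piece)
        pieces = new_pieces
    return pieces


def build_target_list(candidates: Iterable[str],
                      authorized: Iterable[str] = AUTHORIZED_RANGES,
                      excluded: Iterable[str] = EXCLUDED_HOSTS) -> Tuple[List[str], List[str]]:
    """Return (targets, rejected).

    targets:  CIDR strings inside the authorization with excluded hosts removed,
              ready to hand to the scanner.
    rejected: candidates that are not wholly inside an authorized range. A block
              that only partially overlaps the authorization is rejected, so a
              typo such as 10.2.0.0/16 cannot quietly widen the scan.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in authorized]
    targets, rejected = [], []
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in nets):
            rejected.append(cand)
            continue
        targets.extend(str(piece) for piece in _carve_out(net, excluded))
    return targets, rejected


def address_count(targets: Iterable[str]) -> int:
    """Total number of addresses the scanner would touch."""
    return sum(ipaddress.ip_network(t).num_addresses for t in targets)


def is_covered(targets: Iterable[str], host: str) -> bool:
    """True if `host` falls inside any block in `targets` (used to prove exclusions held)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(t) for t in targets
               if ipaddress.ip_network(t).version == addr.version)


def main() -> None:
    # Constructed candidate list, as a consultant might receive it from a client.
    candidates = ["10.20.5.0/29", "10.20.5.10", "192.0.2.0/25",
                  "10.2.0.0/16", "203.0.113.4"]
    targets, rejected = build_target_list(candidates)
    print("scan these:", targets)
    print("REFUSED (outside authorization):", rejected)
    print("addresses in scope:", address_count(targets))


if __name__ == "__main__":
    main()
```

Run it before every scan and feed only the `targets` list to the scanner; anything in `rejected` goes back to the client for an explicit written authorization rather than being scanned "just in case".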

Penetration Testing

Penetration testing is much more of an art form than vulnerability scanning. Though pen tests involve scans of the targeted systems, ethical hackers take it much further by performing manual testing that provides actionable intelligence about exploitable security risks. Penetration testing tools can help, but the value rests in the mind of the tester, who uses knowledge of the targeted systems and technical skill to find ways to exploit discovered vulnerabilities. As in any field, the quality of an ethical hacker can range from one end of the spectrum to the other. Fortunately, there are a couple of simple ways to find the right tester for your organization.

Objective Testing

Independence is key. Work with a company or individual that is not negatively affected by the results of the test; the team that built or operates a system should not be the one testing it. Ensuring that your pen tester is objective is one of the baseline criteria for selecting an ethical hacker.

Pen Testing Certifications

You want a capable tester, right? An easy way to gain immediate insight into an ethical hacker's capabilities is by reviewing their certifications. We have reviewed a number of certifications and find these to be among the best: Certified Ethical Hacker (C|EH), Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), and GIAC Web Application Penetration Tester (GWAPT). You are encouraged to perform your own research, but this is a good start.

Report Examples

It all boils down to the report. In the end, you need useful information that can help you improve your security posture. A solid report will describe what data was compromised and how, with enough evidence and reproduction steps that your staff can confirm each finding, along with a severity rating and a recommended fix. This information will enable your organization to fix issues before a criminal has a chance to exploit them. Ask the penetration testing organization for a sample report, so you can judge the quality.

Together but Different

Vulnerability scanning and penetration testing are not one and the same, but they complement each other very well. We encourage every organization to perform periodic vulnerability scanning and at least one penetration test per year. These two services provide valuable security insight and help strengthen your security program.

If you are considering hiring a vendor or consultant to perform security testing, drill them on the difference between vulnerability scanning and penetration testing. You might be surprised to find they don't have a clear understanding of the difference, which would be a good reason to move on to the next vendor. Also, don't be surprised when you find vastly different pricing for "testing" services. The most expensive option is not necessarily the best, but pricing may be an indication of what you are actually buying. Either way, you now have the knowledge to negotiate!
