All You Need to Know About Penetration tests
Your client has asked you to conduct a penetration test. You’re not even sure what this is. You certainly don’t know what it entails, or who should perform it.
What should you do?
Understand Why a Client Wants You to Have a Penetration Test
One of the main reasons for a client to want a penetration test is to have information security assurance. A company may be looking for these tests to provide them with some insurance against security breaches – to ensure that any data you hold is secure, and that any breach of your systems would not impact on them and, consequently, their clients and their business.
A study by IBM and the Ponemon Institute found that data breaches cost around $3.92 million on average. With third-party data breaches, the costs can be even higher – your client may suffer extended downtime because your system has been hacked, and may need to instigate their own security measures. If the breach overwhelms your business, and you go out of business, this will impact your client, too.
In short, it is becoming common for clients to ask their vendors to conduct a penetration test, because they need the assurance that who they deal with will help protect their integrity and their business. A penetration test will:
- Evaluate the integrity of your network systems or products, protection measures, and perimeter defenses
- Assess the ability of your defensive measures to protect against cyberattacks and security breaches
- Increase confidence in the safety of your systems and protection protocols
Understand What Penetration Testing Does
Penetration testing is a type of cybersecurity that involves security professionals to identify potential vulnerabilities in an organization’s computer networks, systems or products.
Penetration tests (or pentests) are conducted by security testers, also known as pentesters or ethical hackers. They look for potential ways in which a malicious actors can get access to the system and then try to break through the system’s layers of protection.
Don’t confuse a pentest with a vulnerability assessment (VA). A VA is an automated test that assesses for high-level vulnerabilities. A pentest is conducted by an individual who deliberately tries to breach your system, discovering why any vulnerabilities exist and helping you understand how to fix them.
So, if your client has asked for a penetration test, what should you do?
Decide What Type of Penetration Test You Need
You don’t want to lose your client’s business. So, you must have a pentest. But what type do you need:
- An application pentest will evaluate applications that are visible to users, such as a payment page on a website. You’ll learn if it is possible for a hacker to escalate privileges, create admin user profiles, and even to extract your customer information.
- A network pentest will test how easily a hacker can penetrate your system from another connected system, thus pivoting into areas that hold sensitive information.
Understand the Profile of an Effective Pentester
You’ll need to hire an external pentester, but who should you hire?
You need someone who gets their hands dirty in the pentest – because this is very much a manual process. The pentester should be a real person, who is going to try to crack into your system. They will think creatively, search for clues as to how to sneak in through a back door or side door, or even walk right through the front door of your IT infrastructure or product.
A pentester is curious. They like solving puzzles and problems. And they are innovative, too. If something doesn’t work to hack into your system, they will tweak what they are doing until they either break in or discover that you’re safer than Fort Knox. If there is a weakness to be exploited, they’ll do their best to find it within the agreed timeframe.
Understand That You Get What You Pay For
Pentesting is an exceptionally challenging role. There are good pentesters, and there are not-so-good pentesters. What you are paying for is their experience so be careful of companies that pass your test onto less experienced staff. Remember a good penetration tester not only knows how to manually find your issues but communicates the issues and remediation requirements because if you don’t know understand the problem how can you fix it…….. you really do get what you pay for.
But, of course, it’s not only cost that you need to assess when testing pentesters. Ask about how they conduct pentests, what credentials they possess, and examine their client testimonials or their example reports. Ask if they have collaborated with companies like yours.
Prepare for Your Pentest
Okay, you’ve hired a pentester. What now?
It’s important to prepare for your pentest. You’ll need to know exactly what you wish to achieve, and what regulatory and compliance requirements you must follow. A good pentester will talk through these sorts of issues with you, and help to ensure you’re ready for what comes next.
You’ll need to schedule your test, coordinate with the pentester, and let your employees know that a pentest will be conducted.
Know What to Expect During the Pentest
Even though pentesting is a manual process, you can expect a lot of automated scans, as the pentester begins to search for ways into your system. So, work with your pentester to perform these when they will least affect your business.
You should ensure that your IT department is readily available to the pentester. Because of how the test works, any issues that arise will need to be resolved quickly. It’s important to let your pentester know if what they are doing is impacting your business in any way.
Act on the Pentest Report
When the pentesting is complete, you’ll receive a report that details the findings of the pentest. Solutions to discovered issues will be included in the report, and it will also describe what was tested, how it was tested, and the limitations of testing.
From this report, you should develop an improvement (remediation) plan, which may include reconfiguring your software, installing patches, and updating code. You will need to close access points that you didn’t know were there.
Once you have completed all remediation work, you should be retested, to ensure the actions you have taken are successful.
How Do You Choose a Pentester?
The process for selecting pentesters can be long and difficult. You must make sure that you take your time to find the right pentesters for the job. To help you through this process, here are three crucial guidelines to follow:
- Pentesters come in all shapes and sizes — so when selecting a pentester, it is important to know exactly what type of qualifications they have or what type of work they have done in the past to find the best qualified person for your needs.
- The pentester should have an extensive understanding of penetration testing. This includes being intimately familiar with offensive security concepts, network vulnerabilities, system vulnerabilities, exploit mitigation defense techniques and application security standards.
- The pentester should help you prepare, talk you through the pentest, and work to your schedule.