The Penetration Test Bait and Switch: Are you actually getting a pentest?
People often confuse penetration testing with vulnerability scanning. Both are important at their respective levels, both are essential to analyzing cyber-security risk, and both are required by standards such as PCI DSS, ISO 27001, and others. Vulnerability scanning checks systems against a database of known vulnerabilities; penetration testing adds the human element: a tester who exploits the identified vulnerabilities in your network to report on your actual risk exposure.
There are security companies around the globe that care about the client and take the time to make the engagement worth the client's money. However, amateur penetration testers, IT providers, and easy-to-use software have turned penetration testing into a commoditized product. Information Technology (IT) vendors and Managed Service Providers (MSPs) can run tools designed to generate reports that help them sell more services. They will often deliver a report with hundreds of pages of vulnerabilities identified on various systems and leave your IT team to sort through the mess and prioritize the remediation effort. Be wary of companies with other core competencies that offer cyber-security testing as an add-on service.
Here are some questions to help you determine whether you are getting a true penetration test:
- Does the company recommend buying products from them?
Any company performing a penetration test or audit should be independent of, and objective about, the companies that sell you products and services. It can recommend enhancements to business or IT controls, but it should not profit directly from its own findings. A tester that also sells products may steer you toward something that does not address your most significant risks because it is pushing the products and services it happens to carry. We have seen companies recommend replacing an existing firewall with a different brand that did not even provide the same protection as the original, resulting in a security incident.
- Is your interaction limited to scope and cost?
The testing team must take the time to learn about the organization it is testing. If it only cares about which IP addresses and systems it needs to test, that is a red flag that you are getting a routine vulnerability scan or a superficial penetration test. Understanding the business operations and the infrastructure is essential to getting good results.
- Is it all about the scan?
There is no such thing as a completely automated network penetration test; what you get from a tool alone is a scan for technical vulnerabilities on individual systems. Don't pay penetration test prices for a vulnerability scan. A real penetration test requires a competent testing team with a specific set of skills to manually exploit vulnerabilities in one or more layers of the network defense and to identify the risks posed by architectural weaknesses and data exposure.
- Do you have to install specialized software on your computers?
Sometimes a testing team will ask to install software on your systems to gain additional insight or to leverage a different attack vector. You should never allow a penetration testing team to install remote agents on your systems. Doing so not only introduces unknown variables that affect the results but also increases the risk of compromise. A network penetration test is meant to validate your security controls and configurations as they are.
- Do you have to whitelist everything?
Some testing companies will ask for modifications to your network. This violates the spirit of the exercise. A well-equipped team will be prepared to deal with network segmentation: it will test the network boundaries first and then test the network via direct access. There are limited scenarios where whitelisting is beneficial, but we only recommend it to validate that existing controls are working. For example, we might test an IPS/IDS from both a whitelisted and a non-whitelisted address to determine how the control treats certain traffic.
- Do you just get a large report with lots of colors and no real meaning behind it?
There should be an executive summary report that highlights the key overarching risks, with references to the detailed technical output. Graphs may look pretty, but are they meaningful, or are they just there to create Fear, Uncertainty, and Doubt? A tactical list of findings and recommendations to address the risks and vulnerabilities should also be included. Finally, the detailed technical report and the raw testing data should be included. Some companies classify their testing data as intellectual property and withhold it. The penetration test team should be transparent about its testing methodology and provide all evidence, from multiple sources, to support its findings.
Interview and obtain quotes from multiple security teams, and make sure you are getting a real penetration test. Layer0 Security will happily demonstrate our methodology and compare our approach with that of other penetration testing organizations. Be sure you are secure.
Need more than just a network penetration test? We also offer physical security auditing and consulting, assurance services, training, and more.
#Layer0Security #besureyouaresecure #pentest