A penetration test is a method of evaluating the robustness of your IT security level by simulating an actual attack on your own systems. Penetration testing can be a very valuable tool to help identify the path of least resistance into your company’s critical systems and is often an eye-opening experience for management. If your company has not yet embraced the need for effective information security controls, a penetration test might be just what the doctor ordered to raise awareness and build support.
Is your business ready for a penetration test?
The answer to this question depends a lot on the maturity of your information security program. If your business is still developing its information security program, a skilled penetration tester may quickly gain access to all of your systems without much effort, and you might learn only that you are highly vulnerable to attack and little else. My recommendation is to ensure you have conducted internal vulnerability assessments prior to conducting a penetration test, unless you are using the exercise as a means to communicate your company’s exposure to attack. Unfortunately, sometimes information security is not taken seriously until there is a smoking gun, and a targeted pen test can provide that.
Important items to keep in mind before signing up for a penetration test
- Choose the company/individual that will perform the penetration test wisely. A lot of sensitive company data will be exposed, so it is important to deal only with reputable people.
- Make a confidentiality agreement part of the contract.
- Scope the penetration test to achieve your intended results. Possible penetration test scopes include: full review, external review only, internal review only.
- The cost of a penetration test can be quite high, so make sure your organization is ready to benefit from the results; otherwise a full security audit may be a better choice.
- Define objectives for the penetration testers to aim for. These objectives should be targeted at the highest-risk business processes, especially if you are performing the pen test to build support for expanding your information security program.
- Make sure senior management has signed off on the penetration test. Things can go wrong during a penetration test even under controlled conditions, so it is an important CYA step to ensure your career does not go down the tubes.
Other Frequently Asked Questions about penetration tests
Should the penetration test be announced to your technical staff?
Usually it is a good idea to announce the impending penetration test to your technical staff so they will know it is occurring, be on hand to support if there are problems, and not escalate detected items to a higher level. A counter-case for not notifying the technical staff can be made if you want to assess the effectiveness of your monitoring controls and wish to avoid having the staff on red alert.
How much information should be provided to the penetration testing team?
Penetration tests differ in how much information is provided to the testing team. Some penetration tests are basically a blank slate where the testing team must discover everything without any inside information (black box testing), vs. other tests where significant network and system information may be provided (white box testing). Hybrid approaches are also possible, where some generalized information is provided but the pen test team must figure out the rest. For external assessments I recommend providing the in-scope external IP addresses and phone numbers (if analog lines are being assessed) to avoid the problems that could arise if the wrong targets are identified.
Can the penetration test have an adverse effect on my systems?
The answer is most definitely yes if the pen testing team does not take steps to minimize the risks to your operations. There is an inherent risk that comes with performing an activity like this, but choosing experienced testers and setting solid rules of engagement can help minimize your exposure.
Are there any established frameworks for conducting a penetration test?
The Open Source Security Testing Methodology Manual (OSSTMM) is the best current framework to help guide a penetration test (including helping a client define the scope of the engagement).
Should I have a member of my team witness the penetration test as a member of the technical team?
If you can negotiate this into the contract terms, and you plan to build your own internal capability to some extent, this would be a great way to acquire on-the-job training at the same time the pen test is delivered.
Now that you have more information about penetration testing, you can determine whether your business is a good candidate to consider one vs. a standard information security audit.