In this episode of the Sedara Cybersecurity Whiteboard Series, our Lead Pentester Nick Aures talks about what to look for in a quality pentest. Nick breaks the talk down into 4 key takeaways. Take a look, and we hope it’s helpful.
What Should I Look for in a Quality Penetration Test?
Penetration testing is a fundamental part of validating the security measures you’ve taken and showing they are effective. What are some factors that go into a quality penetration test?
A Penetration Test (and Not a Vulnerability Scan)
Vulnerability scans can help administrators identify security problems and are often required for compliance. But they have a different purpose from penetration tests. Vulnerability scans show individual vulnerabilities, which may or may not actually be exploitable.
In a penetration test, the tester, acting as an attacker, views the entire network to find misconfigurations, outdated software, or other vulnerabilities to exploit. A good penetration tester combines knowledge of the organization with the ability to chain exploitation techniques together. That approach is how attackers work in the “real world”, and it maximizes the level of access the tester can reach.
That work results in a proof of concept: a demonstration of a possible exploit. A penetration test provides an in-depth, customized view of an organization’s information security risk.
A Qualified Vendor
How can an organization ensure the vendor they’re considering can provide a quality test?
Fortunately, there are several industry-recognized certifications in the information security industry for penetration testing. These include Offensive Security’s OSCP, the CEH (Certified Ethical Hacker), SANS GPEN (GIAC Penetration Tester), and CompTIA’s PenTest+. A well-qualified vendor can show that members of their staff hold certifications in the field.
Additionally, a quality vendor will work closely with the client to ensure the scope is appropriate. This involves doing research on the client’s online presence and making recommendations during the pre-engagement stage.
A penetration tester’s goal is to find valuable data and help determine the value and risk to the organization.
There are several ways penetration testers (and attackers) can gain access to data:
- Black box – In a “black box” penetration test, the tester uses only publicly available resources to gain access to the organization. This may include OSINT (Open Source Intelligence) techniques.
- Social engineering – This can include phishing emails or even a visit to the site to collect information. Social engineering tests often measure the effectiveness of an organization’s security training.
- Assumed breach – In this type of penetration test, the tester is given a set of user credentials for the network, along with basic information about the network. From there, the tester attempts to gain additional access and move through the network. This identifies weaknesses in the network from the inside and simulates a malicious insider or an attacker who has already breached the perimeter.
The key to a quality penetration testing report is that it explains the importance of the findings to the organization. Some vendors take an automated approach to vulnerability testing and penetration testing; this limits the usefulness of the findings.
In a quality penetration test, the tester will help identify the combined impact of the vulnerabilities found on your organization. They will also guide you through the actions you can take to remediate the findings, and deliver the report with explanations and answers to any questions you may have.
How Sedara Can Help with Quality Penetration Testing
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course if we can help you with anything directly, feel free to reach out.