Penetration testing: an enterprise guide
Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?
Ask the right questions
Every enterprise should be asking the right questions of the pen testing service during the initial sourcing process. Kevin Foster, business development manager, testing services, with MTI Technology, put together this essential 'top 10' list for IT Pro readers:
1. Are you members of the CESG CHECK and CREST schemes?
2. What other security testing accreditations does your firm hold?
3. What are your tester's credentials / backgrounds?
4. How many years have your consultants been conducting pen testing?
5. Do you adhere to standard penetration testing methodologies such as OSSTM for network/servers and OWASP for web applications?
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
6. Please provide real-world examples of where your manual penetration testing adds value over what can be found with automated vulnerabilities analysis tools only.
7. Do you look after your own vulnerability research and tool developments?
8. Can I see the CVs of the testers that will be working on my test?
9. Can I speak to three references from my industry sector who are happy with the work you have delivered?
10. Show me your insurance certificates to cover Professional Indemnity, Employers' Liability, Public Liability
Enterprise, test yourself?
But what about adopting a DIY approach? Can the enterprise pen test itself, or is DIY pen testing never a good idea? Edd Hardy, head of security practice with CNS Hut3, thinks the subject of whether an enterprise can, or should, be pen testing itself is an interesting one. "Everyone should be doing some security testing," Hardy says. "IT and security staff should be doing basic checks, looking for the obvious and avoidable issues like default password. However, one of the key points of a pen test is that it is independent."
In other words, people should not be marking their own homework. So while enterprises can, and do, pen test themselves, it's important to add the caveat that the skills sets need to be there. "Penetration testing requires a unique set of skills that are hard to find," Daniel reminds us. "It's not as simple as understanding how to use a particular tool set but having an expert knowledge of systems, protocols, applications and programming/scripting at a very intimate level."
Sometimes, then, the best approach can be to blend the two together: have your own staff perform regular penetration testing and then engage a specialist security service provider to perform one on a less regular basis in order to audit the effectiveness of the in-house testing.
The legal perspective
What is the legal position with regards to pen testing from the perspective of both the tester and the business being tested? Is there a standard pen test contract which covers legal liability (or exclusion from the same) or should these be tailored on an individual enterprise basis? "Terms and conditions should certainly be written up that protect both the penetration testing company and their customers," Marios Kyriacou, head of security testing at Integralis, told IT pro. "Carefully written up scopes that set boundaries are very important and will help to limit any potential damage."
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.