Cybersecurity is now more than ever a business requirement in every industry. The 2015 Verizon Data Breach Report estimates 700 million compromised records in all of 2014.1 Worse yet, that number only represents known/reported breaches. A survey of attendees at the 2008 RSA Conference indicated that 89% of breaches they were aware of went unreported.2 If that number stays true today, and we extrapolate from the fact that 700,000,000 records only represents 11% of the total breached in a year,there is a seemingly impossible battle ahead for your organization’s IT department.
Let’s start with a positive assumption: your organization has taken all the right steps towards assembling a cybersecurity team. You have a strong and tested enterprise security plan (ESP)3 that clearly spells out how you plan to defend against unexpected attacks that are headed your way, like icebergs in the night. You know how to detect intruders to your network, and are aware that there are most likely avenues of entry that you are unaware of. Your cybersecurity team has purchased industry-standard hardware and software to protect against and react to security incidents. You may even have a cadre of veteran security professionals matched with junior greenhorns ready to get their hands dirty. If you’re fortunate, your technical leadership isn’t afraid to get down in the weeds with your developers and properly implement your policies and fully utilize hardware and software investments. Every organization should now view cybersecurity as an investment in the organization, its employees, its product, and its customers.
To ensure that your organization’s investment in cyber expertise is well-placed, you must check the work that has gone into the cybersecurity systems you’ve put in place. Even if you’re in an industry that is not yet legally required to complete an assessment of your cybersecurity posture, it’s vitally important to have one done by an independent third party. This is where penetration testing comes in. As security expert Bruce Schneier said, “There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you’re going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money.”4
Searching for a penetration testing consultant can be a daunting and confusing task. Many online profiles for cyber “experts” contain industry jargon and very little information, which can make the entire process cumbersome before any testing has even started. You’ll also find plenty of articles and forums arguing why one company or test is better than another. Instead of continuing those arguments, I’ll pose a question: if the goal of the test is to uncover as many vulnerabilities as possible, and the test will last for a finite amount of time, why would you ask for anything other than a clear box test, where all of the background and/or system information is provided? There is no value
or ROI in conducting a black or grey box test to emulate an uninformed attacker when most companies today will face sophisticated and dedicated attackers that are looking for more than just lulz.
What to expect:
So you’ve decided to hire an independent group to test your network. Let’s start with the bottom line: a proper penetration test is going to be expensive, somewhere in the order of $200-800 per hour.5 Depending on the size of the company you may initially deal with their sales department, which may have some technical knowledge but most likely won’t be able to respond to in-depth questions. Expect to deal directly with the technical staff at smaller boutique firms and possibly even with the individual(s) that will perform the test.
A few things to remember:
- Non-disclosure agreements (NDAs) signed by both your organization and the consultant(s)’ are standard to protect your proprietary data and the consulting firm’s methodologies.
- After a detailed interview with the consultants you’ve selected, a statement of work will describe the entire engagement process in detail, from systems to be tested to emergency points of contact. Some may even go as far as to detail how secure communications will be set up between the client and the consultant.
- Everyone expects a report at the end of the test. Many penetration testing frameworks list the standard contents of a report. You should expect a detailed vulnerabilities-and-recommendations section which outlines all the vulnerabilities found in the engagement and provides a risk-based approach for your organization and industry to remedy the discovered vulnerabilities.
- Don’t expect APT (advanced persistent threat)-level testing. No one can provide this testing in two weeks, two months, or two years. An APT operated by a nation state has the most valuable resource against your network: time.
- Some consultants may include or offer to provide additional assistance to your team to remedy any issues detailed in the report. I urge you to take them up on this offer. I’ve heard the argument before that consultants will then just find problems to fix in order to inflate their bill. But you wouldn’t bring your car to one mechanic to have them troubleshoot a problem and to another to have it repaired. The same is true of penetration testing. If the firm you’ve selected is trustworthy they should be involved in both discovery and remediation.
While penetration tests last for a finite amount of time and produce highly perishable information, they should still be a key part of your ESP. The methodologies developed and used throughout the test should be continued on a daily basis by your cybersecurity team. Many robust penetration testing frameworks exist open source and can be easily incorporated into any organization. Evaluation of your network’s security cannot stop, because attackers will not cease their attempts to breach your defenses.
Finding a company:
Now that you are ready to start looking for a company to execute a network penetration test, the first step is to simply start searching. Terms like penetration test or penetration testing company will yield many companies, some more reputable than others, that specialize in this work or offer it as part of their suite of services. There is currently no Yelp or Angie’s List for penetration testing companies and the Better Business Bureau doesn’t provide much value or insight into a firms methodologies. This is where the legwork you put into selecting a company comes in.
- Most popular search engines will return many results for companies that do this work.
- Start your search broad and then finish specific. Add keywords to your searches that are related to your industry, such as SCADA, mobile app, web app, cloud, etc.
- Browse information security and penetration testing forums. You can find recommendations as well as consultants looking to answer questions during engagements. This can give insight into a firm’s depth and breadth of skills, and can highlight how diligent they may be.
- Be cautious of sponsored links.
To ensure that your organization’s investment in cyber expertise is well-placed, you must check the work that has gone into the cybersecurity systems you’ve put in place.
Selecting a company:
Once you’ve compiled a list of companies that say they specialize in penetration testing you’ll need to narrow that down to those from which to request quotes.
There are many things you should look for when conducting your due diligence. You’ll need to dive deep into many resources to fully vet a company before paying for an engagement.
- In what country is the company headquartered? Not every company will be familiar with the laws and compliance issues of your own country. Some may even be severely limited in what they can do by their country’s laws.6
- LinkedIn can be a great resource for the verification of employee credentials. If you have industrial supervisory control and data acquisition (SCADA) systems and you find a company that claims to specialize in this area, verification is key. Learning that one of their employees is a former GE Automation employee may provide intimate knowledge of your own systems.
- Check Glassdoor.com for any negative or positive feedback from current or past employees. This can be a great window into how responsive the firm might be or provide confirmation of their technical abilities.
- Have employees spoken at a security-related conference, published security-related articles, or generally participated in the open security community as a whole? A no answer to any of these questions is not a deal breaker, but can provide more insight into the firm and the skills its employees bring to the table.
What to avoid:
- Companies that offer a “flat fee” service. These services will typically not be a full penetration test, but a vulnerability assessment done with some non-intrusive commercial and open source scanning tools.
- Compliance-focused penetration testing. While Version 3 of the Payment Card Industry (PCI) Security Standard requires penetration tests,7 compliance standards and frameworks like HIPPA, ISO 27001, or COBIT are simply a starting point. Compliance is not enough to defend your network. If being compliant meant you were done, you would not need a cybersecurity team.
- APT-style tests. APTs discovered and analyzed by numerous security firms across the globe can take months and even years to discover, and in many cases firms’ reports suggest that they have only been partially uncovered. Unless you are prepared to pay a penetration testing company to conduct infinite testing with completely free rein, there is no way to truly mimic an APT.
What to ask:
- What is the firm’s methodology? Any company should have no issue sharing this information, though they may ask for an NDA.
- What type and level of insurance do they hold? At a minimum, errors and omissions insurance should be carried by anyone conducting these tests. It may also be referenced as professional liability insurance or professional indemnity insurance.8
- What tools do they use in their testing? While they may mention open source standards like Kali, you should also expect them to employ commercial products in their testing. Your company most likely can’t justify purchasing a$100,000 exploitation framework and multiple exploit packs; the company you choose should have these types of tools at their disposal.
- Do they have the ability to mock up your most sensitive systems in a test lab, and is this service included in their price? You should never limit penetration tests to select systems, as attackers will not limit their invasion attempts either. But when all systems are included and business-critical systems are identified in the statement of work, it is paramount that a firm can mock up those systems to test against. Spray-and-pray never bodes well when it comes to exploiting critical legacy systems.
- What if the firm discovers a breach during their testing? Does their team have the skillset to investigate, or do they partner with a company that specializes in incident response? If the answer to these questions is no, you may find yourself faced with finding an incident response firm on your own and suspending your penetration testing engagement.
- “2015 Data Breach Investigations Report.” Verizon Enterprise, 2015. <http://www.verizonenterprise.com/DBIR/2015/>
- Claburn, Thomas: “Most Security Breaches Go Unreported.” Information Week, July 2008<http://www.informationweek.com/security/attacks/most-security-breaches-go-unreported/209901208>
- “Best Practices for Enterprise Security.” Microsoft Developer Network. <https://msdn.microsoft.com/en-us/library/cc750076.aspx>
- Schneier, Bruce: “Is Penetration Testing Worth it?” Schneier on Security, May 2007.<https://www.schneier.com/blog/archives/2007/05/is_penetration.html>
- Desautels, Adriel: “How much should you spend on penetration testing services?” Netragard, 2014 <https://www.netragard.com/how-much-should-you-spend-on-penetration-testing-services>
- Higgins, Kelly Jackson: “Another Researcher Hit With Threat Of German Anti-Hacking Law.” Darkreading.com, April 2011 <http://www.darkreading.com/vulnerability/another-researcher-hit-with-threat-of-ge/229402356>
- Parizo, Eric: “PCI 3.0: New requirements cover pen testing, service providers.” TechTarget.com, November 2013<http://searchsecurity.techtarget.com/news/2240208619/PCI-30-New-requirements-cover-pen-testing-service-providers>
- Wertz, Glenda: “The Ins and Outs of Errors and Omissions Insurance.” InsuranceJournal.com, July 2004 <http://www.insurancejournal.com/magazines/features/2004/07/19/44745.htm>