If any part of your business network is connected to the Internet, then the information your business handles is within the reach of hackers and cybercriminals.
For this reason, the Payment Card Industry Data Security Standard (PCI DSS) requires that your IT network undergo a penetration test. Because the network penetration test is, at minimum, an annual event and because it involves a human resource, you want to be sure that the vendor you’re hiring is well worth its salt.
Selecting the appropriate penetration testing vendor involves asking the right questions to properly vet the security testing tools, methods and experts they employ:
1. How does the penetration test differ from other types of security testing – such as a vulnerability assessment?
Although you will already know the answer to this question, it should still be asked to ensure that the prospective vendor can articulate the differences which make penetration testing unique. Beware of any vendor that uses the words “penetration” and “scans” interchangeably, or claims that their penetration testing process is fully automated.
Penetration testing methods and techniques often differ slightly from organization to organization, but some core activities are common across all penetration tests. Even if they do not use a defined methodology, the vendor should be able to provide a straightforward outline of the steps involved and which tools are used at each step in the process.
It’s important to know that the individuals conducting your test are knowledgeable and remain up-to-date on security trends. Find out which certifications are held by the team. There are a variety of certifications which demonstrate knowledge in information security and technology in general, but penetration testers often hold certifications such as CEH, CISSP, GPEN and GWAPT.
Find out how the tester will secure your data during the test and throughout delivery. If devices will be shipped to your location or testers will be visiting with laptops, ensure that disk-based encryption is being used to protect data obtained during the test. When it’s time to deliver the final report, your tester should also offer a secure method for its delivery. Confidential data, including test reports, should never be sent via email; secure FTPs or secure file-sharing sites that use SSL should be employed.
5. How will you ensure the availability of my systems and services while the test is taking place?
Because penetration tests are actual attacks against your systems, it is impossible to guarantee uptime or availability of services throughout the test. However, most testers have some idea of whether or not a particular attack will bring down your system or “hang” a service. (You can also assist your tester by alerting them to any legacy or otherwise less-than-robust systems on your network.) The ideal penetration testing vendor will work closely with you to address operational concerns and monitor progress throughout the process.
Download our webinar replay, “Don’t Get Pwned Before You Sign: Selecting the Right Penetration Testing Service Company.”