Most businesses know they need a penetration test provider, but they don’t know how to hire someone to do this for them. Here are a few questions you should ask a potential provider as well as what answers you should expect.
How Does Pen Testing Differ From Other Types Of Security Testing?
Penetration testing is manual testing that attempts to break into your company’s systems and infrastructure. In essence, it tries to find vulnerabilities and exploit them so that you know what you need to fix.
Beware of any company that uses “scan” and “penetration testing” interchangeably. They are not the same thing: a vulnerability scan is an automated check that lists potential weaknesses, while a penetration test has a person verify whether those weaknesses can actually be exploited. If you want to learn more about pen testing, visit this page.
What Is Your Process For Performing The Test?
Every pentest service provider should be able to tell you how they are performing the test. Methods and techniques may differ slightly from organization to organization, but many core activities are common across all tests.
Even if a provider does not use a defined methodology, they should be able to provide a fairly straightforward outline of what’s involved and what tools are used at each stage in the testing process.
Do Your Testers Hold Industry Standard Certifications?
All testers should hold industry certifications and keep their security education and training current. If you ask, the provider should be able to tell you which certifications each tester holds and when they were last renewed.
Penetration testers may hold any number of certifications, but common ones include CEH, CISSP, GPEN, and GWAPT. Pay special attention to hands-on, skills-based certifications such as OSCP; they are becoming highly prized in the security community.
How Will You Protect My Data?
Testers should have documented procedures for protecting and securing your data during the test. If devices will be shipped to your location, or laptops will be used in the test, those devices should use full-disk encryption so that any sensitive data captured during the test is protected if a device is lost or stolen.
When it’s time to deliver the testing report, you should receive it via a secure channel. Confidential data should never be sent over plain email. The tester should know to transfer sensitive information over SFTP or a secure file-sharing service protected by SSL/TLS.
How Will You Ensure The Availability Of My Systems And Services During Testing?
Most service providers can’t guarantee uptime for services or applications during a test. They may need to take some critical systems offline, or a test may unintentionally bring a system down.
Most testers, however, have a reasonable idea of whether a particular attack is likely to crash your system or cause a service to “hang.” You can alert the testers to any legacy systems that may be less robust, or request that your environment be tested in “sections” so that the entire system doesn’t go down all at once.
The ideal penetration testing company will work closely with you to address any operational concerns and monitor progress throughout the testing process.
Robert Parker works as a cyber-security consultant and understands the requirements needed when it comes to penetration testing. He likes to share his insights on a variety of IT topics online and is a regular contributor for a number of different websites.