Penetration testing is becoming a staple assessment for many organizations as more regulations are requiring third-party assessments and organizations are performing their own due diligence reviews. Unfortunately, penetration testing is becoming a bit of a commoditized service as more and more organizations enter this space. The price range for these services varies wildly and consequently so does the quality. I recently saw five different firms bid on the same project. The prices ranged from $15,000 to $40,000. Cost plays a significant role in the decision-making process, but I encourage you to thoroughly evaluate the quality of the work being proposed. Not all penetration tests are created equal and you should look at the following to ensure you are getting the well-rounded assessment you deserve and are paying for:
1. Reconnaissance – In the interest of time, many firms will consider a port sweep reconnaissance and skip over passive forms of reconnaissance. Passive reconnaissance is pertinent to future phases of the assessment and to identify additional risks facing the organization.
2. Suite of tools used – Penetration testing is so much more than simply running your favorite vulnerability scanner. The specific tool used to identify and exploit each vulnerability should be identified. While Metasploit is a great tool and is useful in many circumstances (no need to reinvent the wheel, right?) the list of tools should include more than just NMAP, Metasploit, and Nessus.
3. Scope precautions – Take the time to properly scope your penetration test and try to prevent limiting tests over systems with sensitive data. Limitations imposed by the organization or otherwise, should be clearly outlined within the report. Vulnerabilities may go undiscovered if certain tests are not performed and this should be clearly called out so not to provide a false sense of security.
4. Metrics – In our experience, we have found that management deals in numbers. The ability to tie the results of a penetration test to specific metrics enables the penetration testing team to more effectively communicate with management. Bonus points if the penetration testing team can compare the results to industry peers and provide a comparative metric.
5. Collaboration and communication – At the end of the day, the penetration testing team is a partner and an ally seeking to strengthen your organization’s security by identifying exploits before they are exploited by a malicious entity. This is a difficult balance to achieve, but the penetration testing team should work alongside the organization in support of this common goal. This may mean additional meetings, additional deliverables, and transparency between the two teams.
6. Valuable report format – From time to time, I get to work on a risk assessment or review a penetration test report written by another firm. Sometimes they are great! Other times, they are not. I am astonished by the number of firms who deliver a clunky report that is not only difficult to read and understand but difficult to work with. The report must be usable.
7. Multiple deliverables – Ensure the deliverable package meets your unique needs. This may mean deliverables are customized for easy import into Governance, Risk, and Compliance (GRC) tools or additional deliverables are created (within reason). The deliverables package should include all supporting evidence (screenshots, tool outputs, recordings, etc.) from the assessment, time with the penetration testing team to inquire into specific vulnerabilities, and an executive summary explaining the results at a high-level for management teams and Board members.
8. Narrative – This SHOULD be a no-brainer, but the report must accurately depict the assessment and tests performed with enough detail that a reasonably, well-versed security engineer could re-create the assessments as needed. Anything less is simply a vulnerability scan.
9. Actionable recommendations – The recommendations created as a result of the penetration test should be direct and actionable and maybe even provide a way to validate remediation efforts internally. Where recommendations may impact business operations, the penetration testing team should be able to provide work around recommendations.
10. Follow a standard methodology – Testing frameworks and methodologies exist for a reason; they work and are repeatable. Like the Scientific Theory or Troubleshooting Theory, there must be a logical sequence of events to follow to identify vulnerabilities. Not following a published framework or methodology is like throwing darts at a wall and seeing where they stick. Organizations can have a proprietary or mesh methodology, so long as they are following a methodology.
And as a bonus:
11. Risk ranking model – Risk ratings can be a hotly contested subject, Executives and Board Members are more heavily invested in security than in the past and these risk ratings may drive individual or department performance reviews and budgets. There are many ways to calculate and assign risk levels to vulnerabilities, but we recommend using an objective and repeatable method. This will provide proper forethought into the vulnerability as well as justification for how that risk was concluded. This can be proprietary formula or an open formula such as the Common Vulnerability Scoring System (CVSS) or Open Web Application Security Project (OWASP) risk calculator.
Budgets are tight and security budgets are even tighter. Board members and management are starting to take security seriously. Don’t waste your hard-fought budget on a sub-par assessment.
Brandyn Fisher, CISSP, CNDA, PenTest+, CHFI – Information Systems Security Manager, The Mako Group