Penetration testing (or pentesting) is an important part of keeping networks and systems safe from those who would attack them. However, because similar methods are used by attackers and penetration testers alike, some people and organizations may be apprehensive about unleashing those methods on their own networks.
Instructions for Main Post
Place yourself in the position of someone responsible for hiring a penetration testing firm to test the security of your systems.
Your initial post should include two parts:
Solutions:
A. Concerns about the process and considerations that need to be taken into account before commissioning a pentest:
1. Definition of target environment
• Which systems are in and out of scope
• The testing approach being adopted (e.g. black, white or grey box)
• Types of test that are prohibited (e.g. 'denial of service' type testing)
• Where the testing team will need to be in order to conduct the testing (e.g. on the customer's site or at the test supplier's premises)
• Approvals required for the testing to go ahead.
2. Network or web application firewalls deployed.
• Who will be leading the testing engagement
• The names of testers that will be used for the testing engagement, with details about their roles, skills, experience, qualifications and backgrounds
• The number of days required, and the days when testing will take place
• Defined testing times and locations.
3. Report requirements
• The format of the test report (a template is often used)
• When the test report will be delivered (not later than a few days after completion of the test)
• How the test report will be delivered (electronic and/or physical).
Communication processes
• Information and resources that the testers will need prior to testing
• How affected third parties will be informed and consulted in relation to testing activities
• How testing start-up and close-down will be covered
• Regular (often daily) communications (e.g. teleconferences or meetings)
• Approvals required for the various elements of the testing that will be going ahead.
4. Liabilities of both parties
• Steps required by both parties should problems (e.g. slippage) arise
• Details of liability (indemnity) insurance held by the testing supplier.
5. Follow-up activities
• Presentation of key findings and recommendations to senior management
• Any re-testing needed once mitigations have been made for the discovered vulnerabilities.
B. Information you found during researching how to best address your concerns:
1a. Qualification:
Seek applicants who have at least a bachelor's degree in a relevant field, such as computer science; other suitable degree fields include computer engineering or information systems. Applicants must be experienced with Unix or Linux operating systems, so pursuing opportunities to learn about and work with a wide range of operating systems, programming languages and security software is recommended.
1b. Certification
Certified Information Systems Security Professional (CISSP) certification; Ethical Hacker certification. Other security or IT certifications -> Global Information Assurance Certification (GIAC) or Certified Information Systems Auditor (CISA).
1c. Required Skills
Penetration testers need excellent computer skills, familiarity with computer hardware and network equipment, and computer programming skills. They also need strong written communication skills, the ability to pay careful attention to detail, problem-solving skills to accurately assess the effectiveness of security systems, and excellent analytical skills.
2a. Questions to prospective professionals/firms as part of the selection process:
-> How does the penetration test differ from other types of security testing, such as a vulnerability assessment?
-> What is your process for performing the penetration test?
-> Do your testers hold industry standard certifications?
-> How will you protect my data during and after testing?
-> How will you ensure the availability of my systems and services while the test is taking place?
2b. Industry guidance on how to engage and conduct a penetration test
-> Maintain a technical security assurance framework
-> Establish a penetration testing governance structure
-> Evaluate drivers for conducting penetration tests
-> Identify target environments
-> Define the purpose of the penetration tests
-> Produce requirements specifications
-> Select appropriate suppliers