In the brave new world of cybersecurity, penetration testing has become a buzzword (or phrase, if you’re picky). Unfortunately, as in many evolving industries, misinformation is common, and terms can get confused — often at the expense of the consumer.
Penetration testing is among those muddled concepts, which is problematic because it’s such an important tool — particularly given today’s rising threats. To be clear, a true penetration test involves a skilled cybersecurity expert actively attempting to infiltrate your defenses. To help you cut through the jargon, we’ve compiled a buyers’ guide for penetration testing. Here are five key questions to consider:
1. Do I actually need a penetration test?
This is key. Some companies seek out penetration tests because they’ve heard the cybersecurity buzzwords. However, before undertaking — and paying for — such a test, they should first figure out if they’re ready.
Prior to seeking out a penetration test, a company should evaluate its own security measures, or engage help to do so. Make sure security tools are configured and used correctly; systems and software are fully patched; access to functions, ports, protocols, and services is limited to what is actually needed; and information flow between systems is properly controlled.
If a company hasn’t implemented these basic cybersecurity measures, penetrating its defenses is a given, and the test will mostly confirm what a checklist already could. Only after the basics are in place can a penetration test yield valuable, specific insights. If you haven’t completed this initial step, consider having a maturity / risk assessment completed in lieu of a penetration test.
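One concrete readiness check along these lines, as an added example that is not from the original post: a small Python script that parses the output of `ss -ltn` (the Linux listening-socket listing) and reports every socket reachable from beyond localhost that is not on an allowlist of intended exposure. The sample `ss` output and the allowlist (ports 22 and 443) are constructed for illustration; on a real host you would feed it the live command output and your own list of services that are meant to be reachable.

```python
"""Pre-engagement exposure check: listening sockets vs. an allowlist.

Added example, not code from the original post. Parses `ss -ltn` output
(Linux) and flags sockets the owner did not intend to expose. The sample
output and the allowlist below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltn` output from a hypothetical host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       128     [::]:9200            [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

# Hypothetical allowlist: the only ports this host is meant to expose
# beyond localhost (SSH and HTTPS). Everything else is a finding.
ALLOWED_EXTERNAL_PORTS = {22, 443}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def is_external(self) -> bool:
        """True if the socket accepts connections from other hosts."""
        return not ipaddress.ip_address(self.address).is_loopback


# Matches "LISTEN <recv-q> <send-q> <addr>:<port> ..." lines only.
_LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -ltn` text into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr, port = m.group(1), int(m.group(2))
        addr = addr.strip("[]")  # ss brackets IPv6 addresses
        if addr == "*":
            addr = "0.0.0.0"  # older ss prints '*' for the wildcard address
        listeners.append(Listener(addr, port))
    return listeners


def unexpected_exposure(listeners: list[Listener],
                        allowed_ports: set[int]) -> list[Listener]:
    """Externally reachable listeners whose port is not on the allowlist."""
    return sorted(
        (l for l in listeners if l.is_external and l.port not in allowed_ports),
        key=lambda l: (l.port, l.address),
    )


if __name__ == "__main__":
    for l in unexpected_exposure(parse_ss(SAMPLE_SS_OUTPUT),
                                 ALLOWED_EXTERNAL_PORTS):
        print(f"exposed and not allowlisted: {l.address}:{l.port}")
```

With the constructed sample, the script reports PostgreSQL on 5432 bound to all IPv4 interfaces and a service on 9200 bound to all IPv6 interfaces; MySQL on 3306 and Redis on 6379 are ignored because they listen only on loopback. Findings like these are exactly the sort of thing a penetration tester will otherwise spend billable hours documenting.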
2. Is this test significantly cheaper than other quotes I’ve received?
Price is an easy red flag. As with many important services, you get what you pay for. Some cybersecurity firms advertise low rates, but a true penetration test is not going to come at a bargain-basement price, and a worthless “penetration test” amounts to a waste of money. In today’s world of ever-changing threats, you need a company and penetration tester who are worth your security dollars. Noticeably cheap options may rely on automated scanning, inexperienced testers, or other shortcuts that leave you with a false sense of security.
3. Who will perform this penetration test?
It’s vital to know the qualifications of the team handling your penetration test. You want an experienced cybersecurity expert with a thorough knowledge of hacking and of current threats. Take Digital Silence, for example. Our people are leaders in the field, having presented research at major security conferences such as DEF CON, Black Hat, DerbyCon, SecTor, GrrCON, and 44CON.
A “penetration test” performed by a computer program does NOT yield the same results and will not hold up as a penetration test if you end up liable for a breach. A “penetration test” performed by a non-cybersecurity firm can also be hit or miss: these firms frequently outsource the work to offshore or other third parties and then struggle to explain how it was done. A reputable cybersecurity expert knows how malicious actors exploit weaknesses across the breadth of your environment, for instance by chaining several individually minor findings, or by turning your application’s own logic against you, to punch holes in your defenses. An experienced tester will spot such vulnerabilities; automated tools, outsourced shops, and inexperienced testers often will not.
4. Does the penetration tester know my industry?
Both requirements and threats differ by industry, and a grasp of that can truly differentiate a quality penetration test. A penetration tester who approaches your systems knowing how attackers are actually targeting your peers will offer much more relevant results and insights. Likewise, it helps to know that a penetration tester understands whatever rules and regulations apply to your industry (there are more every day) and can tell you where you don’t align with them.
That’s actually one of Digital Silence’s specialties. Our breadth of industry knowledge helps us tailor your defenses to your specific needs.
5. What will be in my final report? And will it be in language I can understand?
When you’re busy running a business, you need a report that distills the key information and suggests plans of action, preferably ranked by which steps will provide the most bang for your cybersecurity buck. In this industry, there are a couple of bad habits you may run into: leaning on tech jargon instead of explaining the issues properly, and listing every potential flaw with little analysis of which issues are the most vital to address or even how to address them.
The report you receive at the end of a qualified penetration test identifies each specific attack path, breaks it down into the steps the tester took, and recommends how each step could be countered.
If you have relationships with other customers of a cybersecurity firm you’re considering, ask about their results. A layperson’s impression can offer valuable insights about a company, the quality of work that they perform, and how useful the engagement was overall.
Wrapping it up
Ultimately, these key questions help you determine whether you’re getting a true penetration test. Alternatives — such as vulnerability scans/assessments, terms that often are mistakenly used interchangeably with penetration test (see our white paper) — can be useful tools, but they are not the same. Misunderstanding that can be dangerous.
Digital Silence, as a world-class boutique cybersecurity firm, offers the rare combination of cybersecurity expertise and business savvy. We’ve got depth of cybersecurity expertise plus experience in a variety of industries, and many of us have sat on the consumer side of the table, so we know what you need and what may drive you crazy about our industry. If you need a true cybersecurity partner, reach us here.