You’ve heard about penetration testing, but you’re not sure what to ask or where to start. Here are some of the questions you should ask, and the answers you should get from a testing company.
What Is A Penetration test?
Logical question. But, not too many people ask this one. You should. A pen test is an attempt to penetrate your security by testing and evaluating its weaknesses. Testers do this by exploiting vulnerabilities in the server, networking system, and your employees.
Some tests include remote, onsite, and social engineering attacks.
The five most common phases of any test include recon, scanning, gaining access, maintaining access, and covering tracks. If a tester can get in and out of your network without being detected, then your system is very vulnerable.
What Needs To Be Tested?
Most companies need to be pen tested periodically, and especially if they host customer financial or health data. Sec-Tec penetration testing handles this type of testing, and they regularly consult with companies concerning what should be tested and how often.
The general rule of thumb is that you should be tested if:
- You maintain an application.
- You update your website or make material changes to the underlying structure or framework.
- You introduce a new internal software application or customer-facing app.
What’s The Difference Between A BlackBox and WhiteBox Test?
Whitebox testing is when you provide the pen tester with network credentials and the tester evaluates the system. Think of this as a “sandbox.” The tester gets access to your network and then tries to make an evaluation from the inside.
The network is mapped out for the tester and no reconnaissance is necessary. These tests tend to take less time and are more efficient.
Blackbox testing means that the tester has no knowledge of your system and must act as a “hacker,” attempting to gain access by force. A pen tester must spend time figuring out how they could breach your system through exploits or vulnerabilities.
These tests are designed to duplicate how a real hacker might attack your company’s systems.
What Will A Pen Test Do To My Network?
Sometimes a pen tester will cause network outages, so ask about this and be prepared for it. Keep your staff informed of when the test will take place take make appropriate measures so that your staff can continue to work normally (or as normally as can be expected).
Who Will Do The Testing?
Ask your provider before they send out a tester. All pen testers should have had extensive background screening – a criminal background check. They should also be certified to perform penetration testing. Certifications like CEH (Certified Ethical Hacker) are important.
And, if your business falls under c, PCI, DSS, SOX, GLBA, or FFIEC or any other compliances, make sure your tester can operate under those conditions. You are required to have a third party test annually.
Not all penetration testing companies can test for vulnerabilities, and recommend fixes, that are required under HIPAA and other regulations. So, it pays to ask before you spend the money.
[su_box title=”About David Wray” style=”noise” box_color=”#336588″]
David Wray is a certified TigerScheme SST, with twenty years experience in technical Internet security. Beginning his career with the Peapod Group as a Firewall Engineer, David went on to found Sec-Tec Ltd in 2000, which specialises in penetration testing and technical assessment services. David is a guest expert on LBC radio, and can often be heard providing insight into information security news and current affairs.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.