Have your own staff perform regular penetration testing and then engage a specialist security service provider to perform one on a less regular basis in order to audit the effectiveness of the in-house testing.
Ask the right questions
Every enterprise should be asking the right questions of the pen testing service during the initial sourcing process. Kevin Foster, business development manager, testing services, with MTI Technology, put together this essential 'top 10' list for IT Pro readers:
1. Are you members of the CESG CHECK and CREST schemes?
2. What other security testing accreditations does your firm hold?
3. What are your tester's credentials / backgrounds?
4. How many years have your consultants been conducting pen testing?
5. Do you adhere to standard penetration testing methodologies such as OSSTM for network/servers and OWASP for web applications?
6. Please provide real-world examples of where your manual penetration testing adds value over what can be found with automated vulnerabilities analysis tools only.
7. Do you look after your own vulnerability research and tool developments?
8. Can I see the CVs of the testers that will be working on my test?
9. Can I speak to three references from my industry sector who are happy with the work you have delivered?
10. Show me your insurance certificates to cover Professional Indemnity, Employers' Liability, Public Liability
Enterprise, test yourself?
But what about adopting a DIY approach? Can the enterprise pen test itself, or is DIY pen testing never a good idea? Edd Hardy, head of security practice with CNS Hut3, thinks the subject of whether an enterprise can, or should, be pen testing itself is an interesting one. "Everyone should be doing some security testing," Hardy says. "IT and security staff should be doing basic checks, looking for the obvious and avoidable issues like default password. However, one of the key points of a pen test is that it is independent."
In other words, people should not be marking their own homework. So while enterprises can, and do, pen test themselves, it's important to add the caveat that the skills sets need to be there. "Penetration testing requires a unique set of skills that are hard to find," Daniel reminds us. "It's not as simple as understanding how to use a particular tool set but having an expert knowledge of systems, protocols, applications and programming/scripting at a very intimate level."
Sometimes, then, the best approach can be to blend the two together: have your own staff perform regular penetration testing and then engage a specialist security service provider to perform one on a less regular basis in order to audit the effectiveness of the in-house testing.
The legal perspective
What is the legal position with regards to pen testing from the perspective of both the tester and the business being tested? Is there a standard pen test contract which covers legal liability (or exclusion from the same) or should these be tailored on an individual enterprise basis? "Terms and conditions should certainly be written up that protect both the penetration testing company and their customers," Marios Kyriacou, head of security testing at Integralis, told IT pro. "Carefully written up scopes that set boundaries are very important and will help to limit any potential damage."
