Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?

Ask the right questions

Every enterprise should be asking the right questions of the pen testing service during the initial sourcing process. Kevin Foster, business development manager, testing services, with MTI Technology, put together this essential 'top 10' list for IT Pro readers:

1. Are you members of the CESG CHECK and CREST schemes?

2. What other security testing accreditations does your firm hold?

3. What are your testers' credentials and backgrounds?

4. How many years have your consultants been conducting pen testing?

5. Do you adhere to standard penetration testing methodologies such as OSSTMM for networks/servers and OWASP for web applications?

6. Please provide real-world examples of where your manual penetration testing adds value over what can be found with automated vulnerability analysis tools alone.

7. Do you conduct your own vulnerability research and tool development?

8. Can I see the CVs of the testers who will be working on my test?

9. Can I speak to three references from my industry sector who are happy with the work you have delivered?

10. Show me your insurance certificates covering Professional Indemnity, Employers' Liability and Public Liability.

Enterprise, test yourself?

But what about adopting a DIY approach? Can the enterprise pen test itself, or is DIY pen testing never a good idea? Edd Hardy, head of security practice with CNS Hut3, thinks the question of whether an enterprise can, or should, be pen testing itself is an interesting one. "Everyone should be doing some security testing," Hardy says. "IT and security staff should be doing basic checks, looking for the obvious and avoidable issues like default passwords. However, one of the key points of a pen test is that it is independent."

In other words, people should not be marking their own homework. So while enterprises can, and do, pen test themselves, it's important to add the caveat that the skill sets need to be there. "Penetration testing requires a unique set of skills that are hard to find," Daniel reminds us. "It's not as simple as understanding how to use a particular tool set but having an expert knowledge of systems, protocols, applications and programming/scripting at a very intimate level."

Sometimes, then, the best approach can be to blend the two together: have your own staff perform regular penetration testing and then engage a specialist security service provider to perform one on a less regular basis in order to audit the effectiveness of the in-house testing.

The legal perspective

What is the legal position with regard to pen testing from the perspective of both the tester and the business being tested? Is there a standard pen test contract which covers legal liability (or exclusion from the same), or should these be tailored on an individual enterprise basis? "Terms and conditions should certainly be written up that protect both the penetration testing company and their customers," Marios Kyriacou, head of security testing at Integralis, told IT Pro. "Carefully written up scopes that set boundaries are very important and will help to limit any potential damage."
