Penetration testing: an enterprise guide

Davey Winder investigates the role of penetration testing within the enterprise: What is it and why do you need it?

Ask the right questions

Every enterprise should be asking the right questions of the pen testing service during the initial sourcing process. Kevin Foster, business development manager, testing services, with MTI Technology, put together this essential 'top 10' list for IT Pro readers:

1. Are you members of the CESG CHECK and CREST schemes?

2. What other security testing accreditations does your firm hold?

3. What are your testers' credentials and backgrounds?

4. How many years have your consultants been conducting pen testing?

5. Do you adhere to standard penetration testing methodologies such as OSSTMM for networks/servers and OWASP for web applications?

6. Please provide real-world examples of where your manual penetration testing adds value over what can be found with automated vulnerability analysis tools alone.

7. Do you conduct your own vulnerability research and tool development?

8. Can I see the CVs of the testers who will be working on my test?

9. Can I speak to three references from my industry sector who are happy with the work you have delivered?

10. Show me your insurance certificates covering Professional Indemnity, Employers' Liability and Public Liability.

Enterprise, test yourself?

But what about adopting a DIY approach? Can the enterprise pen test itself, or is DIY pen testing never a good idea? Edd Hardy, head of security practice with CNS Hut3, thinks the question of whether an enterprise can, or should, pen test itself is an interesting one. "Everyone should be doing some security testing," Hardy says. "IT and security staff should be doing basic checks, looking for the obvious and avoidable issues like default passwords. However, one of the key points of a pen test is that it is independent."

In other words, people should not be marking their own homework. So while enterprises can, and do, pen test themselves, it's important to add the caveat that the skill sets need to be there. "Penetration testing requires a unique set of skills that are hard to find," Daniel reminds us. "It's not as simple as understanding how to use a particular tool set, but having expert knowledge of systems, protocols, applications and programming/scripting at a very intimate level."

Sometimes, then, the best approach can be to blend the two together: have your own staff perform regular penetration testing and then engage a specialist security service provider to perform one on a less regular basis in order to audit the effectiveness of the in-house testing.

The legal perspective

What is the legal position with regard to pen testing, from the perspective of both the tester and the business being tested? Is there a standard pen test contract that covers legal liability (or exclusion from the same), or should these be tailored on an individual enterprise basis? "Terms and conditions should certainly be written up that protect both the penetration testing company and their customers," Marios Kyriacou, head of security testing at Integralis, told IT Pro. "Carefully written scopes that set boundaries are very important and will help to limit any potential damage."
