5 Questions to Ask a Prospective Penetration Test Company
The purpose of this article is empower you to ask the right questions of a company that you are considering hiring for a penetration test.
Unfortunately, there are a lot of companies and people that offer penetration testing, but in reality, they often do little more than vulnerability scanning.
On one hand, you may get “rock star” penetration testers that are experts in some aspects of penetration testing and security but are not well rounded enough to give you a complete picture of IT risk. These maybe “tool gurus” or even hardcore Win32 security researchers – specialists in what they do but their knowledge isn’t broad enough.
On the other hand, you may get inexperienced pen testers that cause major service disruptions or outages that are expensive to fix. We have first-hand knowledge of a story where an inept consultant ran a scanner in an Industrial Control System (ICS) environment and caused major damage to a mainframe. It took the organization a week to restore the mainframe from tape backup and to normal operation. We had to come in the following year and conduct a penetration test – imagine how fun it was to explain that we wouldn’t kill their system.
Aside from wasting time, money, and causing damage or impacting your mission, the primary problem with a bad penetration test is that is can leave you with a false sense of security and and incomplete picture of risk.
Check out this post for a list of essential skills of a competent penetration tester.
1) Ask for a Sample Report
Review a sample report and make sure it’s not just a regurgitated vulnerability scan report. A quality penetration test report should contain a lengthy narrative section that explains:
- the overall results
- the path followed to achieve those results
- the overall impact or risk to the organization or business
- recommendations on how to mitigate the risk
- failed attack paths
- a list of things the organization is doing correctly
- recommendations for strengthening the security
- specific findings or vulnerabilities
- the impact of the vulnerability to the IT asset, system, network and business
- the methodology and tools used
2) Ask for References
Just like when you purchase anything of value, we recommend that you ask for references from past clients. An experienced penetration testing company will have many references and should have a list of clients willing to act as references.
Get specific when talking to the references. If you are considering having web application testing performed, make sure you ask the reference if the testing company performed this type of services for them.
3) Ask Technical Questions
We recommend that you gather your best and brightest technical personnel and have them meet with the penetration testing team. The purpose of the meeting is to verify that the pen testing team has the right technical competence for the job. So ask questions.
Ask questions that test the team’s breadth and depth of technical knowledge. These don’t need to be security related. In fact, they probably shouldn’t be security related. A pen tester should know the answers to security questions, of course, but they should also know a lot of other things as well.
Here are some examples:
- Describe the TCP 3-way handshake
- What port does IMAP use?
- What service uses UDP port 161?
- What is Apache?
- How does DNS work?
- Who was Dennis Ritchie?
- What is django?
- What is the Solaris package management tool?
- What is stateful packet inspection?
- What is Radius, or TACACS?
- What does RTFM mean?
- When doing network testing, how do you know that you’ve found all my assets?
- How does SSL work?
A word of warning – you cannot expect everyone to know the answers to every question, especially the more product specific or obscure questions. The end result of the Q&A session should be that you feel the test team is technically competent and honest.
A side benefit to this is that if your technical team respects the testing team at a technical level, they’ll be more willing to accept their recommendations, and it will ensure a smoother penetration test.
4) Ask for Complete Resumes
You should peruse the backgrounds and history of the personnel, and even verify some of the information, such as certifications listed on the penetration tester’s resumes.
You should feel free to conduct a background check or otherwise validate the penetration tester is trustworthy and competent. If the company is unwilling to provide Social Security Numbers (SSN) or detailed information on their personnel, that’s a red flag.
5) Ask for a Certificate of Insurance
Every penetration testing company or any individual conducting professional penetration testing should have at a minimum, general business liability insurance. They are in the risk management field, so don’t you think they should know the risks of their business and protect themselves against this risk?
In Summary
Aside from placing a check in the box for compliance, the goal of a penetration test is to accurately assess risk at multiple levels – asset, data, organizational. Without accuracy, the assessment is basically worthless. We hope that this article will assist you in making sure you get a high-quality penetration test.