How to Maximize the Value of Penetration Testing

2022 is shaping up as a potentially grim year for cybersecurity due to a combination of factors, including the inherent risks of remote working, the chronic shortage of IT security professionals and the spread of increasingly sophisticated threats. For that reason, all organizations should conduct regular network penetration tests to identify and correct any weaknesses that cybercriminals could exploit. A penetration test, or pen test, is an ethical hacking exercise in which security professionals launch simulated cyberattacks to assess technical, operational and physical security measures. The industry consensus is that organizations should conduct pen tests at least once a year, although additional tests should be run whenever there are significant changes to the IT infrastructure.

Pen testing provides valuable insight into your security posture — if done properly. However, testing can also create network performance issues and business disruptions. Because testers use the same techniques and tools employed by criminal hackers, the process can slow down the network, crash servers, corrupt files or expose data. Few organizations have the resources to conduct their own pen tests. Up-to-date, professional-grade scanning tools require a substantial investment for something that's used only occasionally. More significantly, organizations lack adequate staff to conduct comprehensive tests, evaluate the results and write reports.

Working with third-party testers who have the right training, tools and expertise will minimize those risks and produce deeper insights and more actionable recommendations. Here are some of the questions you should ask when evaluating potential providers to ensure you get the maximum value from a testing engagement:

What’s the scope of work?

Some providers take a narrow focus, running routine tests on certain systems or applications. Such tests are fine as part of a consistent, ongoing program, but it’s important to remember that limited scope produces limited insight. For a comprehensive look at your security posture, a broad test covering all assets, infrastructure, applications and processes should be conducted at least annually. The provider should have the ability to customize tests to meet a variety of needs.

What’s the provider’s methodology?

Look for a provider with a defined, repeatable process for testing based on industry best practices. A well-defined methodology ensures that test results are compiled systematically to illustrate strengths, weaknesses and potential compliance issues. For example, a reliable testing framework will include multiple phases such as reconnaissance, vulnerability identification, vulnerability exploitation, post-exploitation, cleanup and reporting.

What tools does the provider use?

In-house testing teams typically rely on commercial, off-the-shelf scanning tools. Some are very good, but they may require a great deal of manual input and frequent updating. A provider specializing in assessments is more likely to use multiple, professional-grade tools to provide comparative results and minimize false positives.

What are the provider’s skill sets?

You’d expect a third-party testing team to have cybersecurity expertise, but it’s important to work with people who understand all networking technologies to ensure they can perform robust tests. Look for a team with a balance of skills, experience and industry certifications such as Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE).

What documentation does the provider deliver?

In-house teams using commercial scanning tools usually have limited reporting capabilities. Professional pen testers should deliver a detailed final report that describes strengths, weaknesses, compliance issues and specific remediation recommendations. Senior management can use the report to make decisions on policy, procedural, budget, operational and management changes.

Regular vulnerability assessments help identify and mitigate risks, increase understanding of new threats, and help ensure regulatory compliance. However, they can be a time-consuming and risky undertaking for in-house staff. DeSeMa has the expertise, experience and tools to conduct effective penetration tests that provide deep insight into your security posture.