If there’s a universal rule for information security, it’s probably the Inverse Golden Rule: “Do unto yourself before others do unto you.” To that end, the term “penetration testing” refers to a comprehensive and systematic attempt to identify and exploit vulnerabilities in systems and networks by mounting attacks from outside system or network boundaries.
Lately, there’s been a lot of discussion and controversy in the IT industry surrounding the pros and cons of hiring reformed hackers to conduct penetration tests. No organization should voluntarily expose itself to attack—which is what penetration testing does—without protecting itself from possible fallout. At a bare minimum, no organization should hire anyone to conduct penetration testing without imposing legal protection from nondisclosure or confidentiality agreements to safeguard what’s learned during such testing from public disclosure or misuse in the wrong hands.
In fact, it’s best to hire a reputable firm instead of an individual for penetration testing. Reputable firms routinely procure indemnity insurance to demonstrate their seriousness about keeping sensitive information private and confidential. To be most effective, penetration testing must be repeated at regular intervals and when systems or networks are changed or updated.
How should penetration testing be applied?
It’s important to understand that penetration testing may be applied in various ways. Though it’s typically used as a security assessment, it can also check the security posture and incident-handling skills and routines within an organization.
It’s possible to conduct penetration testing with in-house staff or to hire out-of-house experts for the job. But most experts believe that hiring outsiders produces better results because it models the real thing more effectively and because outsiders are less likely to consider in-house politics or problems. When you hire outsiders, the results:
- Provide a double-check against in-house security audits.
- Can be cited as “objective proof” of security for e-commerce, transaction processing, or other services that may benefit from such warrants.
- Provide a way to evaluate an organization’s overall security posture, policies, practices, and procedures.
- Relieve in-house staff of the burden of such testing, which is time-consuming and labor-intensive.
Selecting a vendor
Here are the criteria that you should use to select a suitable penetration-testing vendor:
- Confidentiality: Does the vendor explicitly state it will preserve and protect the information it develops during testing from disclosure to any other parties?
- Liability/indemnification: Does the vendor carry sufficient liability insurance or bonding to cover any losses associated with disclosure of sensitive or proprietary information resulting from penetration testing or from damages incurred during such testing?
- Cutout identification: When penetration testing is under way, testers should work under an in-house staff member designated as a monitor/manager. This person must be kept informed about activities and can intercede, suspend, or stop testing at any time. This is something that the vendor should ask for without coaching or prompting to that effect. If a vendor doesn’t mention this role and request that an in-house staff member be designated to play this role, there’s too much potential for harm to occur, and you should look for a more knowledgeable vendor.
- Qualifications: Vendor personnel must have strong technical credentials, and the vendor should be able to cite positive evaluations, provide reference accounts, and show strong familiarity with a hiring organization’s security situation.
- Security policy: Any competent vendor will request an opportunity to review the hiring organization’s security policy to help it understand prevailing security standards, practices, procedures—and potential weaknesses.
- Targets and “inside info”: Hiring companies must balance how much they tell penetration testers against how much time, effort, and expense testing takes. Sometimes, testing concludes more quickly and cheaply if testers are aware of specific information (such as IP address ranges, system footprinting data, telephone extensions, etc.). Likewise, critical production systems declared “off limits” during testing must be identified.
- Security savvy: Hiring organizations should ask vendors to describe their testing techniques, tools, and processes. Only those vendors who understand footprinting, enumeration, vulnerabilities, and exploits are worth hiring.
- Reporting results: It’s essential to agree in writing what reports and recommendations a vendor will provide as the results of its work. Ideally, you should be able to pick from a set of examples from the vendor and to work out detailed specs for results. Also, you should request copies of all logs, reports, and other raw data collected during the testing process.
Beyond these items, normal rules of business engagement also apply. This means that vendors should be bound to a specific contract with terms and conditions that specify a statement of work, causes for termination, confidentiality and liability, indemnification, and so forth. Armed with this information, as well as a concerted follow-up to ensure that promises and delivery coincide, penetration testing offers useful and informative (if sometimes scary) results.