Rob Buckley – Freelance Journalist and Editor

Pen testing: How to ensure effective testing

Finding potential weaknesses in your systems before someone else does can save you a lot of trouble. Just follow Rob Buckley's top tips.

Determining whether to hire a pen tester and then getting the board to sign off the expenditure is usually a matter of risk analysis, performed either by a dedicated department or by the information security or IT manager. If there's a substantial risk and a breach would incur a considerable cost to the company, your board is more likely to support pen testing. If the senior executives are unreceptive, it may even be possible to bring in a pen tester to explain the potential issues to them.

“It's like paying for insurance,” says Ron Meyran, senior product manager at Radware. “Unless something happens, they won't understand why they're paying for it.”

5. Don't forget compliance
If you process or store credit card information, you will need to abide by the payment card industry's (PCI) data security requirements, which usually require independent verification of compliance at regular intervals, determined by your company's PCI classification. Most financial services organisations are bound by similar regulations and, because of their higher profile, tend to conduct their own penetration tests as well as use the services of third-party testers to check their systems.

However, small companies that don't host their own systems will have few reasons to spend the thousands of pounds required by a pen tester.

6. Choosing the right partner
Picking a pen tester is far from easy, as hiring someone to break into your network obviously means opening a can of worms. Being able to trust the third party is paramount; knowing it has the skilled people to find vulnerabilities is another critical concern. You don't want to end up paying a large fee to someone for simply running some open-source vulnerability scanners they have downloaded off the internet.

You should also get references from the company, find out how long it has been trading and obtain its consultants' CVs. Use word of mouth: look on forums, check with your industry contacts or any consultants you use, and take advantage of any other mechanisms you might have for checking the trustworthiness of a firm you are thinking of using.

Ask testers about their methodology: at the very least, they should be aware of and exceed the Open Source Security Testing Methodology Manual (OSSTMM) and Open Web Application Security Project (OWASP) guidelines. Since these are open source, you can download them from various sources and use them to check the work of any pen tester you hire or follow them as guidelines if you want to undertake any pen testing yourself.

Nick Fisher, a consultant at Unisys, also recommends checking with the Government's computer services group, not just for security information, but for advice about what should be in any contract you draw up with the pen testing company. This will help ensure you get the most out of the deal and are backed up legally in case things go wrong.

7. The benefits of accreditation
Looking for some sort of accreditation is one way of establishing trust. At a basic level, any pen tester who wants to provide verification services to companies trying to prove PCI compliance will need to have been certified themselves. However, the PCI regulations are by no means a comprehensive description of full infrastructure security, and the accreditation scheme is little more than proof that the firm is capable of doing the job, not that it is good at it. For a fuller pen test, other certifications will be necessary.

The CESG IT Health Check (CHECK) accreditation scheme created by the Government for pen testers in the public sector is one such assurance. It comes in levels ranging from red for partial to green for full accreditation, although for most organisations there will be little difference between the levels in terms of the pen tester's capabilities. Although CHECK has almost industry-wide backing, the Government has been redesigning the testing scheme for several months, meaning that newer companies have been unable to get accredited.
