Cybercriminals and penetration testing companies have a lot in common. Both search for vulnerabilities in your infrastructure; however, whilst the former may be looking to exploit these vulnerabilities in a way that would be detrimental to your business, the aim of the latter is to support you to better protect your company and its customers.
So how do you choose a penetration testing company that will support you in protecting your data in a relevant and meaningful way?
Firstly – establish the credentials of the company and of the individual testers who will do the work. There are several recognised qualifications to look for, including CHECK Team Leader (the UK NCSC scheme), Offensive Security Certified Professional (OSCP) and Certified Ethical Hacker (CEH). Ask for references or feedback from previous customers, and confirm that the people named on the proposal are the ones who will actually carry out the test.
Secondly – be clear about the scope of the penetration test you are looking for. It may be compliance driven; for example, if you handle customer credit card information there is a defined methodology for testing as determined by the PCI DSS (Payment Card Industry Data Security Standard). Alternatively, the reasons behind your decision to undertake a penetration test may be less well defined, in which case a good testing company should work with you to define a scope that fits the needs of your business: which systems and applications are in and out of scope, whether testing is performed from inside or outside your network, and how much information the testers are given beforehand.
Consideration should also be given to whether to restrict the test to the technical side (i.e. testing your IT systems) or whether you also want to test your ‘human firewall’ (i.e. testing your staff). Social engineering and phishing attacks are a serious threat to businesses and are a common route by which criminals gain access to systems, so establishing the level of security awareness among your staff should be high on your list of requirements.
Thirdly – be clear about what you require in the final report. The value of a penetration test lies in the information it provides to help you improve your security. The report should describe each discovered weakness in enough detail for your own team to reproduce it, assess the risk each one poses to the business, and give practical guidance on how to fix it. A brief executive summary in non-technical language will also help management to understand the seriousness of any findings and hence recognise the need to allocate resources to fix them.
Finally – make penetration testing a regular event. A penetration test report is a snapshot of your IT infrastructure at a single point in time. Whilst automated vulnerability scanning and internal testing can and should be used throughout the year, neither is likely to find the less obvious vulnerabilities that require a degree of creativity to exploit. Regular penetration testing, at a frequency decided as part of your risk assessment and repeated after any significant change to your infrastructure or applications, will give you ongoing assurance that the weaknesses found last time have been fixed and that new ones have not been introduced.
If you need help carrying out penetration testing on your company’s network and IT systems, please feel free to contact KRYPSYS on 0845 474 3031 or [email protected].