Many businesses nowadays regularly commission penetration testing services from specialist firms or consultants. This is seen as just one part of an organisation’s overall information security framework, which includes computer and network security. “Pen testing”, as it is also called, involves a systematic attempt to breach the defences of a firm’s computers and networks, or to compromise Internet-facing software applications hosted on a firm’s servers. The security vulnerabilities thus discovered are highlighted in a report, and corrective actions are recommended.
Because penetration testing services have the potential to damage the firm’s systems and networks, or to disrupt normal business operations, it is important to know what to look for in a “pen testing” provider. Not all computer security tests are the same, and commissioning the wrong kind of test will achieve very little. You should satisfy yourself that the penetration testing services being offered are precisely those needed for the particular computing environment of your organisation. Some points to bear in mind are the following:
· What scenario do you want to test? The pen test can be carried out as if a malicious hacker were attacking your systems from the outside, with no prior knowledge, or it can be performed with some “inside” knowledge, as if the perimeter defences had already been breached or an insider were attacking the systems.
· How much disruption to business operations are you willing to risk? A pen test can culminate in an “exploit” of a harmless kind, such as displaying a piece of text. On the other hand, there may be unexpected problems, and possibly a disruption to the firm’s computers and networks. At the very least, there might be some slowing of the system. The safest option is to specify that the penetration testing services should only scan and probe for weaknesses, rather than actively exploiting those weaknesses in order to demonstrate them.
· Do you trust the penetration tester? You need to ensure that anyone who is given access to your system is completely trustworthy. This means checking, for example, that the tester has no criminal record, no history of illegal hacking, and a demonstrated record of the highest standards of integrity in business life.
· What is the deliverable? The penetration testing services should result in a report of some kind, possibly introduced by an oral presentation. You need to decide whether the report should contain full technical details alongside the non-technical summary.
A business that is planning to commission a penetration test from external information security consultants should ensure that a specific staff member is given the task of liaising with the testing services provider. This “single point of contact” will help to ensure that all the preliminary planning, such as the above questions, is covered in full. Most of all, however, it is important to formulate in advance the answers to questions such as these, so that the work can be completed faster and hence more cheaply. This will help to ensure that penetration testing services do not become a neglected afterthought in your information security framework, but retain their rightful place as an essential component of the overall IT security function.