
Security Think Tank: Clarity of scope is key to getting value from pen testing

How can an organisation ensure they get value from penetration and security testing services?

Penetration testing is a key part of business resilience, but there are steps a business can take to ensure this testing is appropriate and offers real value, both economically and in enhancing the organisation's security posture.

When undertaking the procurement and implementation of penetration and security testing, clarity is key. Without it, a business cannot hope to get value from their testing, regardless of any apparent “bargain price tag”.

Scoping is a vital part of this process. A full and proper understanding of what needs testing means a business will receive a more accurate quote and that the vulnerabilities within that scope are discovered and explored, rather than missed because an asset was never declared.

It might be a new server that requires external and internal testing, since new technology can introduce new threats. Or it could be a web application, where the word “web” itself indicates a potential external attack surface. Establishing the scope is key: it supports best practice and ensures the best value from the project.

The Tigerscheme can be of great assistance when it comes to choosing a penetration testing partner and scoping out a project. It is a commercial certification scheme for penetration testers, allowing buyers to choose a tester who has been certified to very high standards.

You may need to ask whether the project actually requires a full penetration test, for example to see how far a network can be penetrated, or whether the real need is simply for a vulnerability scan, which identifies where the vulnerabilities lie without exploiting them.

Remediation of the results of a vulnerability scan could feasibly be actioned in-house, based on the level of risk identified. Consider also whether the testing is in support of a specific compliance requirement such as ISO 27001, PCI DSS or Cyber Essentials, as this will influence the type and extent of the assessment.

Of course, people and culture may also need security testing, and “red teaming” is a great way to find out how vulnerable an organisation is to social engineering and physical approaches.

This is important to consider: placing the whole budget behind technical solutions may solve some of the cyber issues, but if an attacker can simply walk in through the front door and into a server room, technical controls should not be treated as the only line of defence.

Phishing tests are also growing in popularity. While an IT department will know whether its company is being bombarded by spam, the varying levels of awareness across the organisation of this type of threat and its impact may leave it more vulnerable to this kind of attack.

Knowing where these vulnerabilities are can help identify training and awareness needs, and there is a growing move to conduct phishing exercises to assess staff awareness.

To summarise advice for security and penetration testing:

  • Take a risk-based approach to each element to be tested. Establish the scope to tight parameters once you are confident about what your precise needs are, and do not change it afterwards; any alterations will make comparisons among suppliers very difficult.
  • Fix the time period too, so you can make a clear comparison, and do not skimp on your due diligence.
  • Check for the right badges and ask for references. If a supplier meets the scope you have defined and is cheaper than competitors, you can feel more confident about the value of the service as well as value for money.

Mike Gillespie is director of cyber research and security at The Security Institute.
