Seven Questions to Ask Any IT Services Firm Before Signing a Penetration Testing Service Agreement


Although stopping users from accidentally exposing networks and systems is important to cybersecurity, it isn’t enough. Cybercriminals are also attacking their targets — corporate data, networks and systems — directly. Penetration testing is a proven mechanism for reducing the risk of a successful attack.

Penetration testing doesn’t have to be onerous. Today, highly sophisticated, specialized technology can identify system vulnerabilities that might be exploited by cybercriminals or other adversaries.

There are a number of recommended steps for best-practice penetration testing and remediation, and not every firm that offers this service performs each one. When you speak with a representative from any penetration testing service, ask whether their offering includes all of the following activities.

  1. Perform Reconnaissance — Gather information relevant to the testing goals and identify the attack surface. Confirm which other security controls are in place and decide whether they should be disabled for the test or whether the test should also measure their response to the simulated attack.
  2. Identify Vulnerabilities — Use sophisticated, automated technology to probe the network. The process should identify any vulnerabilities, from remote code execution to server access without proper authentication.
  3. Develop Attack Plan — Create a threat model from the information gathered during reconnaissance, then devise a plan of attack that will yield the most accurate and thorough results from the testing.
  4. Implement Testing Phase — Actively attempt to penetrate systems within the network by focusing on vulnerabilities that can be exploited to gain access to the target system. Collect more in-depth data across the target network.
  5. Collect and Remove Artifacts — Gather and purge from the system any agents, scripts, planted executable code, and other software or files left by testing. This clean-up should return the system configuration to its original, pre-engagement state: all credentials restored, test accounts deleted, and so on.
  6. Report/Debrief — Communicate the results to the client with recommendations for remediation, tiered by security priority. At that point the client can decide which issues it wants fixed and which present an acceptable level of risk.
  7. Perform Remediation — Remediate any weaknesses or access holes. If ongoing service has been requested, deploy live agents that provide persistent system monitoring and control, surviving reboots, modifications and the like, until remediation is complete.
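As an added example (not the article's or any vendor's tooling), here is a small Python check a client can run to verify step 5: it diffs a pre-engagement inventory snapshot against a post-engagement one and lists accounts, files, scheduled tasks and services that were added, plus pre-existing accounts whose credentials were not restored. The snapshot format, the `credential_fp` field and the sample snapshots are assumptions constructed for the example.

```python
"""Post-engagement cleanup check: diff a pre-test inventory snapshot against a
post-test one and report what the tester left behind (new accounts, files,
scheduled tasks or services) plus pre-existing accounts whose credential
fingerprint changed, i.e. a password that was not restored."""
from dataclasses import dataclass, field

# Categories where anything present after the test but not before is residue.
ADDITIVE = ("accounts", "files", "scheduled_tasks", "services")


@dataclass
class Findings:
    leftovers: dict = field(default_factory=dict)           # category -> new items
    credential_changes: list = field(default_factory=list)  # accounts not restored

    def clean(self) -> bool:
        return not self.leftovers and not self.credential_changes


def residual_artifacts(baseline: dict, after: dict) -> Findings:
    """Return everything in `after` that `baseline` did not have."""
    f = Findings()
    for cat in ADDITIVE:
        new = set(after.get(cat, ())) - set(baseline.get(cat, ()))
        if new:
            f.leftovers[cat] = sorted(new)
    # Credential fingerprints (assumed field, e.g. a hash of the stored hash) are
    # compared only for accounts that existed before the test; brand-new
    # accounts are already reported above.
    base_fp = baseline.get("credential_fp", {})
    for account, fp in after.get("credential_fp", {}).items():
        if account in base_fp and base_fp[account] != fp:
            f.credential_changes.append(account)
    f.credential_changes.sort()
    return f


# Constructed sample snapshots standing in for real inventory output.
BEFORE = {
    "accounts": ["root", "svc_backup", "jsmith"],
    "files": ["/etc/ssh/sshd_config", "/opt/app/run.sh"],
    "scheduled_tasks": ["nightly-backup"],
    "services": ["sshd", "nginx"],
    "credential_fp": {"root": "a1", "svc_backup": "b2", "jsmith": "c3"},
}
AFTER = {
    "accounts": ["root", "svc_backup", "jsmith", "pentest_tmp"],
    "files": ["/etc/ssh/sshd_config", "/opt/app/run.sh", "/tmp/.pt_agent.sh"],
    "scheduled_tasks": ["nightly-backup", "pt-agent-every-5m"],
    "services": ["sshd", "nginx"],
    "credential_fp": {"root": "a1", "svc_backup": "ZZ", "jsmith": "c3", "pentest_tmp": "q9"},
}
```

Run `residual_artifacts(BEFORE, AFTER)` and the result names the leftover test account, dropped file and scheduled task, and flags `svc_backup` as a credential that was changed during testing but never restored.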

Penetration tests and their associated activities should give business leaders clear, understandable, actionable intelligence about the security risks on the systems tested. Even once a firm has closed the security holes found, penetration testing shouldn’t be a one-time exercise. Protecting your firm from catastrophic cyberattacks is an ongoing activity that belongs at the top of your list.

For a no-obligation consultation regarding your level of exposure and how penetration testing could significantly reduce it, call us now at 678-719-9671.