Questions to Ask Your Penetration Test Provider

A penetration test is one of the best cybersecurity practices an organization can adopt, but with several methods and certifications available, you need to ask your penetration test provider the right questions. Understanding why it’s a critical practice, how to best prepare for it, and what actionable reports you’ll receive at the end will ensure your test will meet your business’ security goals and requirements.

What is a penetration test and why do I need to do it?

Penetration testing, or pen testing for short, is a simulated attack on your system to find, expose and validate vulnerabilities and weaknesses. It’s performed by a skilled tester who’ll breach the security of your system, network, applications, and website as if they were a malicious hacker.

Pen testing is usually conducted annually as new technologies and platforms evolve. It was previously voluntary and performed as a part of an overall cybersecurity review, but it’s becoming increasingly necessary for various compliance standards and included in more guidelines for data security.

By way of example, the European Data Protection Board (EDPB) 2021 guidelines and the Information Commissioner’s Office (ICO) guidelines stress the importance of regular penetration testing to meet GDPR requirements and to confirm that existing security measures are effective. The same line of thinking is spreading in the United States, where various bodies are making penetration testing mandatory in the absence of effective regulations on personal data. Furthermore, following the SolarWinds breach, companies are requesting not just ISO 27001 and SOC 2 audits from their suppliers, but also penetration tests.

Beyond compliance, pentesting helps businesses assess how well their security controls and tools have been implemented. Studies find that 90% of cyberattacks are caused by human error, and misconfigurations and compromised information can go undetected at every level of an organization.

Benefits of Penetration Testing

  • Reveals vulnerabilities: Explores weaknesses in your system, applications, and network, with user behavior and habits reviewed as well.
  • Shows real-world risks: Exploits the vulnerabilities as an attacker would, such as using sensitive data to manipulate the operating system. It also separates real risk from theoretical risk: some findings rated high on paper turn out to be too difficult for even a skilled attacker to exploit successfully.
  • Tests cyber defenses: Shows whether attacks, threats, and intruders are detected and how well your system responds to them.
  • Ensures business continuity: Helps ensure that even during a cyberattack, resources remain available and accessible, so customers and employees experience no downtime.
  • Provides an independent opinion: A third-party opinion can often help management sit up and take notice, giving way to development changes and extra investment in security.
  • Follows regulations: Some regulations, like ISO 27001 and PCI, require penetration testing and security reviews by skilled testers.
  • Maintains trust: Keeping your organization aligned with high security standards reassures stakeholders, customers, and employees.

Questions to ask your Pen Test provider

As with most things, not all pen test providers are equal. It’s important to ask questions to qualify how well they suit your business’ needs and how they’ll work towards achieving your security goals.

Whether it’s an in-house resource who is highly skilled and can act impartially, or a third-party provider, clarity on their certifications is the first step.

Penetration Testing Certifications

  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) Certification

The GXPN certification shows a well-rounded and in-depth skill set for managing security threats and vulnerabilities. The exam and training are rigorous, with advanced testing across various systems and frameworks, including the Sulley fuzzing framework, Linux, and Windows. A provider with this certification will be able to assess and meet the specific requirements of a business.

  • Certified Ethical Hacker (CEH) Certification

The CEH certification, as the name suggests, is all about ethical hacking. Training for this provides different hacking practices, including Trojans, cryptography, scanning networks, penetration testing, and hacking web servers. Uniquely, this certification requires continuous training to keep up with evolving hacking techniques.

  • GIAC Web Application Penetration Tester (GWAPT) Certification

This certification specializes in web application vulnerabilities, meaning providers with this badge will be true experts in finding web application holes. Such holes are commonly found in customer-facing pages where sensitive data, like credit card details and personally identifiable information, is exchanged.

  • GIAC Penetration Tester (GPEN) Certification

The GPEN certification is an important all-rounder specific to penetration testing. The training includes handling legal issues relating to pen testing and covers technical and non-technical skills.

  • Offensive Security Certified Professional (OSCP) Certification

A professional with an OSCP certification will be able to offer more comprehensive security. The training teaches the full penetration testing life cycle and is recognized as an ethical hacking credential issued by Offensive Security. The 24-hour exam uses real-world scenarios, equipping professionals to perform controlled attacks and compromise vulnerable PHP scripts while also identifying high-risk areas.

  • Certified Information Systems Auditor (CISA) Certification

For organizations wanting an all-around, in-house individual, this certification ensures auditing, security, and control skills, which are undeniably valuable to have at your disposal. A minimum of five years’ work experience in information systems security or auditing is required to hold this certificate. Continuous upskilling and training to stay relevant to new methods and technologies are required.

  • Licensed Penetration Tester (LPT) Certification

The IT industry sets those with the LPT certification apart as great penetration testers. An 18-hour master exam tests ability and mental strength under significant pressure: candidates work through a multilayered network architecture that tests three levels of skill using different tools and techniques against networks and applications. This is the best of the best.

  • PenTest+ Certification

Professionals with the PenTest+ certification can perform vulnerability management and penetration tests, and have the management skills to plan testing and keep weaknesses at bay.

Penetration Testing Methodologies

There are various standards and methodologies for penetration testing, some of which are regulatory requirements in specific industries.

Asking what standards and frameworks your provider will use will provide a good indication of how they align with your needs.

Here are the five most commonly used frameworks:

  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP)
  • The National Institute of Standards and Technology (NIST)
  • Penetration Testing Execution Standard (PTES)
  • Information System Security Assessment Framework (ISSAF)

Before Pen Testing starts

So, you know what certifications and skill set your provider has and what framework they’ll be following, but there are still a few vital questions to ask before testing gets started.

Before:

  • What do you need from my organization before pentesting starts?
  • Will your tests impact our usual operations?
  • What does your internal security cover?

During:

  • How will you protect data during testing?
  • What areas does your penetration test cover? (Website, E-Commerce Websites, mobile, network, apps, all of the above?)
  • What are the phases of your penetration testing method?

After:

  • What will your pen test report cover?
  • How will you protect data after testing?
  • How often should my business perform penetration testing?

ENHALO’s Penetration Testing Services provide 360-degree insight into your current security weaknesses, testing your ‘final line of defense’ against attackers.

Our efficient and cost-effective service includes:

  • A dedicated ENHALO expert provides information to manage and reduce the risk of the vulnerabilities exposed.
  • A traffic light report of the security vulnerabilities discovered within your organization.
  • A report outlining the maturity of your organization and benchmarking against similar industries.
  • The ability to show trends around security vulnerabilities and provide senior executives with visibility of your organization’s cybersecurity posture improvements.
