It’s no secret that finding a penetration testing company can be a challenge. You want to make sure they have a solid background and the experience of working with a variety of organizations to create an impactful pentest exercise.
If you’re evaluating a penetration testing company, here are the five secrets to identifying a firm that will deliver the most value on your next penetration test.
Pentesting Skill Sets
Penetration testers need broad technical and soft skills to execute a well-planned penetration test. The penetration tester should possess several years of experience within information technology and security administration.
Finding a penetration testing firm with qualified testers can be a challenge. But the best firms will have penetration testers that hold a diverse mix of technical and soft skills.
The top technical penetration skill sets include:
- Operating Systems – Windows, Unix, Linux
- Networking and network protocols – routing and switching, firewalls, IDS/IPS, etc.
- Wireless – encryption, packets, ciphers, mobile wireless networks
- System administration – installing, supporting, and maintaining servers and IT systems
- Security administration – installing, administering, and troubleshooting security solutions
- Password management – understands best practices for password management
- Database systems – SQL, MySQL, NoSQL
- Programming and development – PHP, Perl, Python, Ruby, Batch, PowerShell, C, C++, C#, Java, .NET, ASM
- Cryptography – protecting and ciphering sensitive information and data
- Forensics – investigation and analysis of information and systems
The top soft skills for penetration testing providers:
- Communication skills – both verbal and technical writing, for reporting to your leadership
- Curiosity – A natural inquisitiveness to pick things apart and identify weaknesses
- Creativity – thinks like a hacker and develops scenarios to penetrate your network
- Persistence – determined to find all open vulnerabilities within an environment
- Problem-Solvers – knows how to provide recommendations to address vulnerabilities
- Analytical – takes calculated measures to understand how to avoid detection
- Research Oriented – gathers Open Source Intelligence (OSINT) from a variety of sources
- Social Engineering – understands how to manipulate and use people to their advantage
Penetration testing requires a unique set of skills. Be leery of any penetration testing company or consultant that recently became certified. Ask to see their testers’ CV/resume during the discovery phase to understand their background and how it encompasses the skills mentioned above.
The top pentest companies invest in their staff's knowledge and expertise through certifications. A penetration testing certification helps you quickly assess the credibility of the pentesters' knowledge and depth of expertise.
The top certifications for penetration testing include:
- EC-Council Certified Ethical Hacker (CEH) – one of the most popular pentesting courses
- GIAC Penetration Tester (GPEN)
- Certified Expert Penetration Tester (CEPT)
- Offensive Security Certified Professional (OSCP)
Some essentials in security certifications:
- Certified Information Systems Security Professional (CISSP)
- GIAC Security Essentials Certification (GSEC)
- Certified Information Security Manager (CISM)
Make sure that the certifications are current and held for over 12 months. You don’t want someone just getting started in penetration testing that may lack the skills and knowledge necessary to perform a thorough and methodical pentest.
Penetration Testing Tools
A pentester’s toolbelt is full of the latest tools for finding and exploiting vulnerabilities in your network, applications, and data. When searching for a penetration testing company, validate that their testers use a variety of pentesting tools.
A provider should have most or all of these pentest tools in their wheelhouse:
- Metasploit – a first-choice package of pentesting tools commonly used by ethical hackers
- Wireshark – the most commonly used network protocol analyzer and packet capture tool
- Nmap – an open source platform for network discovery
- Kali Linux – an open source project for packet sniffing and injection
- BlockBit – a preferred vulnerability scanner here at CIPHER
- OWASP ZAP – a suite of security testing tools
- w3af – a web application attack and audit framework
- Netsparker – a web application security scanner
- John the Ripper – an open source password cracker
- Maltego – a robust digital forensics and data mining tool
- Aircrack – a tool used for wireless connection cracking
Each penetration testing tool offers the ethical hacker a different way to creatively identify vulnerabilities. Bottom line, the pentest should be a thorough and methodical attempt to exploit ANY known vulnerabilities in your network.
A penetration testing company will ultimately deliver reporting and recommendations after the exploitation phase is completed. Reporting from a pentest should show you how vulnerabilities were discovered and provide you with recommendations on how to remediate the issues.
At a minimum, your penetration test reporting should include:
- Executive Summary – a business-focused, high-level overview of the goals of the pentest and what was found
- Attack Narrative – a thorough and technical review of how the attacks or exploits were executed
- Recommendations – exactly how to remediate the issues within your environment
- Overall Risk Rating – a score of your security risk, useful for benchmarking against future tests
- Appendix – the risk rating scale, vulnerability explanations, and visuals gathered throughout the phases of the pentest
Pro Tip: Ask for a sanitized report so you can see the breadth of coverage from the penetration testing company.
The Penetration Testing Company
Any respectable penetration testing company should have a thorough and methodical approach to their pentesting practices. After meeting with the company, you should be able to trust their process based on how it is explained, evidenced within the sanitized report, and the interviews with the key stakeholders performing the pentests.
Your chosen pentest company or professionals should be passionate about helping clients use this exercise as an opportunity to fix major security issues before they affect your company’s reputation, shareholder value, or customer loyalty. The pentesting team should also be able to effectively communicate the financial impact of vulnerabilities to the business. The last thing you want is to invest in a pentest and then have the report communicated poorly or the vulnerabilities left unaddressed.
Companies that support security detection, defense, and incident response are also in a much better position to support your long-term security initiatives. These experts participate in regular “Blue Team” and “Red Team” exercises, working alongside a variety of client verticals and organizational sizes.
Reputation and credibility are everything in security. If your penetration testing company doesn’t have the skill sets, certifications, and tools to support your security testing, then it’s probably not a good fit.