Picking a Penetration Tester: Who to Trust and What to Expect

The cyberthreats we must shield our businesses from today are not the same as those last year, last month, or even last week.

The breakneck speed of cyberthreat evolution places significant strain on organisations and, in many cases, forces regular strategic intervention to maintain critical security posture. This intervention is necessary and often takes the form of penetration testing.

Penetration testing is an excellent way to determine defence strength and pinpoint emerging weak spots in relation to the latest threats. It’s minimally disruptive and provides invaluable insight. But whom you choose as a pen tester could mean the difference between peace of mind and a whole host of new problems.

If you’re considering hiring a penetration tester, read our guide on what to expect and whom to trust with your IT infrastructure.

What is a penetration tester, and how do they help businesses?

A penetration tester, also known as a “pen tester”, is a security professional hired by businesses to evaluate the security of their IT infrastructure. Their scope includes internal and external flaws, loopholes and open targets that can be exploited by threat actors and the malicious software they deploy.

The main goal of a penetration tester is to identify vulnerabilities that attackers could exploit to gain unauthorised access to the system, steal sensitive information or data, or cause damage to the business in other ways, such as forcing unplanned downtime or holding its digital environment to ransom.

As a result, they are invaluable in helping businesses identify and address vulnerabilities before attackers can exploit them. When combined with monitoring, detection and response technologies in particular, this threat and risk mitigation step is vital to improving overall security posture and keeping pace with cyberthreat vectors as they evolve.


What activity can you expect from a penetration tester?

Penetration testers typically use various techniques to simulate real-world attacks and attempt to penetrate defences. These techniques may include social engineering, network scanning, vulnerability scanning, and exploit development. Pen testers may also use automated tools to assist in the testing process.

Once a penetration tester has identified vulnerabilities, they provide a detailed report outlining their findings, each clearly risk-scored and accompanied by details of the potential impact and recommendations for remediation. Organisations can then use their pen testing report to prioritise which vulnerabilities to address first.


What are the benefits of using a penetration tester?

Preventing external cyberattacks and insider threats from materialising in the first instance will save your business from significant losses in time, money and stress. Using a penetration tester – a vital preventative cybersecurity measure – has several benefits.

Identifying vulnerabilities

Penetration testers use techniques to root out weaknesses hiding within your IT infrastructure. Because they intentionally put your environment under sustained and intense stress, they are likelier to uncover vulnerabilities that remain obscured during day-to-day use.

Simulating real-world behaviours

Penetration testers simulate real-world attacks and techniques that hackers may use to penetrate the system. By imitating how a threat actor thinks and acts, pen testers can more accurately assess the effectiveness of security measures.

Assigning risk levels

Security risks are vast and nebulous. A penetration tester can bring clarity to security strategies and resource deployment by assigning risk scores to specific vulnerabilities.

Maintaining compliance

Penetration testing may be required by industry regulations and standards, such as PCI DSS and ISO 27001. By using a penetration tester, businesses can generate proof that they are meeting requirements, taking their obligations seriously, and remediating areas of non-compliance before external audits.

Cost efficiency

The amount lost to a successful cyberattack will almost always dwarf that spent on defensive cybersecurity. As a core prevention element, the fees associated with pen testers promise an excellent return on investment and help right-size security specifications (for example, by avoiding over-specification).


Are there limitations to what a penetration tester can do?

Depending on the permitted scope, a penetration tester can test the resiliency of an organisation’s entire security stack. This should include critical operations, data security, application security, endpoint security, network security, perimeter security and training.

However, certain third-party access privileges or compliance requirements may limit the extent of the independent pen tester’s work. Therefore, undertake robust due diligence before handing over the keys to the kingdom.

Any compromise at this stage could result in a questionable individual (either in skill or ethics) accessing mission-critical infrastructure and potentially causing accidental or intentional harm.


How do businesses hire a trusted penetration tester?

As mentioned above, the consequences of using an ineffective penetration tester can be dire. One who makes an error that impacts system availability, or who steers you toward inappropriate remedial action, could leave you worse off after a pen test. Although that’s not a regular occurrence, it’s one to be aware of.

As such, organisations must hire only white hat penetration testers. You can find these specialists in one of three places: large consultancies, speciality security providers such as MSSPs, or highly regarded independents. These organisations are your best bet for finding a trustworthy pen tester capable of hunting down flaws and frailties that can be exploited.


How do you identify a credible pen tester?

Identifying a credible and effective penetration tester is no mean feat – partly because there are many factors to consider. However, if the pen tester you’re considering has the following characteristics, you’re likely looking at a genuine expert you can trust.

  • Certifications: Look for a penetration tester who has industry certifications such as Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), or Global Information Assurance Certification (GIAC), in addition to CREST, ISO 9001, ISO 27001 and ISO 22301.
  • Reputation: Pen testers sell themselves on references and reputation, so your shortlist should readily provide details about similar projects and glowing customer testimonials.
  • Ubiquity: Finding a credible pen tester online will be easy. They’ll likely have an active blog, feature on webinars and podcasts, and speak openly about what they do.
  • Experience: Penetration testing isn’t the time to take a chance on someone. Only work with professionals with extensive experience, ideally in your sector and with similar IT architecture. Accept no compromises.
  • Skilfulness: A credible pen tester won’t be holed up in a back room. They’ll be excellent communicators, capable of explaining technical concepts and persuading stakeholders, and will have strong – often innovative – technical skills.
  • Ethics: Your pen tester should always agree to a brief – known as the limit of exploitation – before going anywhere near your IT infrastructure. They’ll provide their scope in writing and treat it as gospel. As the client, expect to be heavily involved in this process.

With the cyberthreat landscape expanding and maturing, organisations can’t make it easy for threat actors. To outpace cyberthreats, you need to play criminals at their own game – and this means understanding exactly how they operate and shoring up your digital defences in step with evolving tactics. A penetration test is an ideal way to begin the process.

Sentis Managed Solutions can help protect your data, IT infrastructure and users with certified, expert penetration testing solutions.