Penetration testing involves letting an ethical hacker assess your network or application for security flaws. Understandably, this may give many pause, as it involves giving elevated levels of access to an effective stranger and potentially access to very sensitive data. Penetration testing is necessary for many types of regulatory compliance and is one of the best ways to determine if you are safe from attack. Before starting down the path of getting a penetration test done, it can be good to understand the guardrails in place to keep you and your organization safe.
How Are You Protected During A Penetration Test?
Penetration testers are highly skilled ethical hackers who try to understand what a malicious hacker would do. The thought process is that if a good guy hacks you first, they can show you how to block the attacks before someone with ill intent does the same. Ethical hackers stay up-to-date with the latest attack trends and techniques to match or surpass the skill of their unethical counterparts. To keep a clear distinction between themselves and malicious criminals, the penetration testing process includes many steps designed to protect both parties.
Before any testing is done, numerous documents must be prepared that outline the key assumptions for the test. One of the most important of these is a mutual NDA, in which both parties agree not to discuss sensitive information about the other party with anyone. From the perspective of the penetration tester, this means they will not share any information about their client’s network, application, source code, or other intellectual property, or even the fact that they worked together, unless both parties deem that acceptable. The same goes for the client, who agrees not to disclose any proprietary techniques or tools used by the penetration testers.
Another key document that must be completed before testing can begin is the rules of engagement, or ROE. This defines exactly what the penetration tester can and can’t do during the test. Part of this is the scope, which states the target systems that should be tested and, just as importantly, what is left out of scope. Certain systems may be operationally sensitive and could be harmed by a penetration test. These systems should be marked as such and avoided by the tester.
The ROE will also contain information about what both parties should do if something goes wrong. The document lists points of contact for any questions or concerns and describes the process to follow in the event of a problem. One example is the process the tester should follow if a previous breach is discovered and a malicious actor is assumed to already reside in the network. Having a clear understanding of the steps to follow smooths out the process for both parties.
How Are Penetration Testers Vetted?
Before getting a penetration test done, it is very important to make sure that the testers and their organization know what they are doing. This ensures that the organization will handle any of your sensitive information safely, and that the penetration tester is skilled enough to identify any vulnerabilities that may be present and guide your team on remediation. The tester should also be able to identify areas or attacks that could be disruptive, and know how to avoid them.
Industry certifications are a great way to gauge the experience level of a penetration tester. Many generalized and specialized certifications show the skill level of an ethical hacker in a particular area. It is worth developing an understanding of the most prevalent certifications in the industry and knowing which ones are most applicable to the project at hand. Most penetration testing companies will be happy to provide a list of their testers’ certifications.
While a lot of the responsibility is on the penetration tester, there are a few things that customers can do to ensure their own safety. Many attacks can cause modification or loss of data, denial of service, or other disruption to user functionality. To limit these problems, contingency plans should be in place for what happens in the event of a dangerous situation. Companies should also use development or test environments that are near-perfect replicas of the live environment to reduce the impact of these problems. If it is not possible to use such an environment, this should be communicated to the tester so they can take a more careful approach to their testing.