
So You Want to Hire a Penetration Tester?: 10 Tips for Success


Whether due to compliance needs, best practices, or customer demand, penetration testing is an increasing requirement for many organizations. The process of hiring and working with an Ethical Hacking (EH) services company is much like every other IT contracting process at first glance, but has a number of important details to consider from company selection through post-penetration remediation.

Come learn from a penetration tester the types of information that will allow your organization to have the best experience possible when going through the sometimes agonizing, always interesting process of a penetration test. Most importantly, questions will be highly encouraged so that your concerns and thoughts can be addressed during this presentation.

Published in: Technology

So You Want to Hire a Penetration Tester?: 10 Tips for Success

  1. So You Want to Hire a Penetration Tester? 10 Tips for Success
     Mark
  2. ME
     • Performing ethical hacking services for an MSSP:
       • External/internal penetration testing
       • External/internal vulnerability assessment
       • Web application security review
       • Code auditing
       • Security architecture review
     • Certified: CISSP, Security+, Linux+, CCSK
     • Public web application vulnerability research
  3. #1: Credentials & Reputation Matter
     • Hiring someone to break into your systems and applications can lead to very bad things if they are not knowledgeable enough to handle the responsibility
     • Don’t just hire the lowest rate if at all possible
     • Automation of penetration testing is extremely common and can lead to data corruption, Denial of Service (DoS), and unexpected downtime
     • Ask potential consultants what their IT experience is, what security certifications they hold, and what their approach to penetration testing is, and ask to review a sample report
  4. #2: Understand What You Want
     • Ethical Hacking (EH) services are very broad, and different services encompass different depths and types of testing
     • Discuss with your PCI-QSA or other compliance person which EH service will satisfy a given portion of the regulation or standard your org adheres to
     • Asking for “Security Testing” will not help you...
     • If you only need a vulnerability scan, don’t pay for a penetration test -- these services cost a lot of money
  5. #3: Know Why You Need It
     • A professional security services company should care why you are doing what you are asking to do
     • Be able to explain what you are trying to accomplish so that consultants are able to recommend ways to decrease potential headaches/cost overhead
     • A few typical reasons to have EH services are:
       • Compliance/regulation requirement
       • A customer demands that you do it
       • Proactive security (this doesn’t happen a lot, sadly)
  6. #4: Be Prepared For Questions
     • Successful EH services involve a lot of customer interaction, especially when doing a penetration test
     • Common questions to be prepared to answer are:
       • Do you have any timeline required for completion?
       • How many offices and data centers are in scope?
       • Are you interested in physical penetration testing?
       • Are you interested in social engineering?
       • Do you have preferred testing time periods/days?
       • Are any systems delicate and/or out of scope?
  7. #5: Communicate To Your Teams
     • Unless specific reasons exist, be sure to loop in the following groups/people so that everyone important is on the same page:
       • Team leads across your organization who will be directly impacted, including IT and security ops
       • Any service providers who will be involved directly, such as ISPs, data centers, or cloud providers
       • Senior-level stakeholders, to ensure that penetration testing will not interfere with any organization projects that fall along the same timeline
  8. #6: Don’t “Fix Stuff” During Testing
     • Ensure your developers and system administrators are aware of a “don’t touch things” policy during a penetration test (unless it actually breaks...)
     • Changing web applications or systems during testing will lead to the penetration tester spending inordinate amounts of time trying to figure out why something that did work no longer works
     • This wastes their testing time and your money
     • Fixing issues during an assessment is tempting so that you don’t get blamed for a finding; this is myopic
  9. #7: Don’t Try to Hide Problems
     • Penetration testing (and all other EH services) is meant to expose what you don’t want exposed
     • Stakeholders should want to hear all results, no matter how meaningless to their individual concerns they may be; future auditing may require it!
     • Ensure that you don’t make a large list (or any list, if at all possible) of systems or applications that are “out of scope” -- this doesn’t mesh with the reality of attacks
     • Your organization is paying good money to be told what needs help; use this for budgeting to fix issues
  10. #8: Trust But Verify
     • All testing results should have proof of concept (PoC) examples and/or explicit details on the issue found
     • There should be a narrative for all compromises:
       • What systems were compromised and how
       • What files were created during the compromise
       • How the process got from A to Z (details count)
     • Screenshots for various vulnerabilities or compromises should be included by your consultant in the report... but some issues just aren’t photogenic...
  11. #9: Challenge Your Consultant
     • If you purchased a penetration test, don’t accept a vulnerability scan as a set of results
     • Make the consultant explain what they did test and why they believe nothing was exploitable
     • Your consultant should be able to make sensible recommendations for most identified issues, whether or not they directly led to a compromise
     • If you’re unsure of why a finding was put on the report, make the consultant explain why they felt it was important to be added
  12. #10: Respect Our Ethical Duty
     • “Can you please remove these [valid] results so we can show our (client|boss|agency|QSA)?” No
     • “Would you alter the results so they are less scary?” No
     • “If we fix these, can you delete them off the report?” No
     • “Can you update the report to reflect a fixed issue?” Yes
  13. What Leads to a Compromise?
     • Chart: Manual Testing 85%, Automated Testing 15%
     • Chart: Skill 85%, Luck 15%
     • Here’s the make sure you hire a professional.
  14. Supporting Examples of Tips
     • Don’t limit scope if at all possible
       • Found web application via Google during testing
       • SQL injection vulnerability found
       • Created web shell, allowed for code compilation
       • Local kernel vulnerability existed, exploited for root
     • Automated tools can’t do it all
       • Found 0-day vulnerability on in-development blog
       • Exploited issue for SQL access, stole password hashes
       • Cracked password hashes, retrieved multiple accounts
       • Logged into intranet, full access to CEO e-mail
  15. Parting Thoughts...
     • Assumption of security is a dangerous way to live
     • Intelligent, well-seasoned developers and system administrators make mistakes, too
     • Use assessment services to get what your team needs
     • Show your organization the realities of not doing more (whether people or software)
     • Having web applications tested thoroughly before they are put on the Internet is a great use of money
     • Don’t wait until your company’s data is on Pastebin :)
  16. Thank You! Questions?