Is Your Security Program Up For Penetration Testing?

Penetration testing is an exam that cyber security experts tout for finding out the true strengths and weaknesses of an organizations personal and technology defense.

However, if your organization doesn’t have a mature security program pen testing is a waste of time and money. This is one of the dozens of advises to CIO’s, CISO’s and purchasing officers that could be handy.

If you have a very immature security program and you know it – which most clients do – then that’s a very clear indication you should probably put your money into the building blocks that make you secure rather than a shot in the dark, and You already know your network is insecure because you haven’t put any effort into it.

Hiring a consultant to do a pen test “because it’s a popular thing….. you’re just not going to get that much value,” also, a rather honest security consulting firm should advise not investing in a pen test if the organization doesn’t have a threat model and understand the threats it regularly faces. That leads to disagreements on whether a particular test is relevant to the company. If you don’t know what matters to you from a security perspective how are you making decisions to invest in security?

People jump to the gun on scoping the pen test based on – You got Web apps? Do you want phishing? How many IPs do you have? What kind of apps were you testing? – But the questions should be what are the types of attacks that are relevant to your business. That will lead to which applications to test, which subnets, which users if social engineering is being used.

The biggest mistake organizations make when looking for a pen testing service is “buying based on factors that aren’t necessarily related to value – buying based on brand, size, or other things that in our industry don’t directly deal with buying from an expert”. It’s easy to buy from a large IT or Security firm, but that comes at a cost. Without really scrutinizing and trying to understand the marketplace its easy to make bad decisions. Similarly, the advise is not hiring a pen testing firm if you don’t have a threat model.

Look for experts that will try to solve the particular problems the organization has. Ultimately when you’re buying security consultancies what matters is the people that are going to be on your project, which is as important if not more than the name on front of the page.

Regardless of the size (of the contracting firm), know who is going to do the project and vetting that individual is going to get you the biggest value for money. And don’t forget to check the consultant’s references, It’s bothersome that few companies do.

Ideally the consultant will offer three reference customers that are in a similar industry with a similar testing project. “With the weeks and hours that you spend in the procurement process, the referral activity probably takes you two hours of your life at most and it’s the most valuable two hours you can spend.”

And don’t worry, most CIOs when talking one on one are “wildly open”.

Ask what went well, what went poorly, did they stay on budget, manage expectations well, did they communicate well, did the deliverables meet expectations, how much value did you get, would you spend that amount again.

Most organizations wrongly believe a pen test is a pass/fail exercise, they said – and worry that a “fail” could damage a regulatory compliance audit. The problem is the organization doesn’t have a risk management program or an understanding of risk in general for security, so any “fail” in the report can lead to argument because the organization sees it as a sign of weakness. “In reality everyone has information security risk today, it just depends on how you’re managing it.”

The consultant has to make clear there will be vulnerabilities found. “Pen testers don’t always frame vulnerabilities properly, sometimes we put high on this and make it seem like it’s the end of the world, but in the context of their business it’s not really that important.”

In the end your conclusion or answer on the question to rather hire a Security or IT consultancy firm should be, “Are we ready for PenTesting?”, “Do we have an Risk Management Program e.g. ISMS or BCMS, in place?” and “Do the results infect our daily business?”, Yes, then it makes sense to do, when ‘No’, then don’t spend your money, but use it to get a Management System in place like ISO27001 or ISO22301.

So if you are a Telecom Operator or IT Provider that needs to operate in a critical environment where Information Security is a must have in all departments of your organization, then let the certified people at SEVOCOMM – consult, integrate and/or pre-audit you.

Read more on the standard for Penetration Testing here