mature penetration test you deserve<\/a> and are paying for:<\/p>\n1. Reconnaissance \u2013<\/h3>\n
In the interest of time, many firms will consider a port sweep reconnaissance and skip over passive forms of reconnaissance. Passive reconnaissance is pertinent to future phases of the assessment and to identify additional risks facing the organization.<\/p>\n
2. Suite of tools used \u2013<\/h3>\n
Mature penetration testing is so much more than simply running your favorite vulnerability scanner. You should identify the specific tool used to identify and exploit each vulnerability. While Metasploit is a great tool and is useful in many circumstances (no need to reinvent the wheel, right?) the list of tools should include more than just NMAP, Metasploit, and Nessus.<\/p>\n
3. Scope precautions \u2013<\/h3>\n
Take the time to properly scope your penetration test and try to prevent limiting tests over systems with sensitive data. The report should clearly outline limitations imposed by the organization or otherwise. If certain tests aren’t performed, you risk leaving vulnerabilities undiscovered. The report should clearly call limitations out so not to provide a false sense of security.<\/p>\n
4. Metrics \u2013<\/h3>\n
In our experience, we have found that management deals in numbers. The ability to tie the results of a penetration test to specific metrics enables the penetration testing team to more effectively communicate with management. Bonus points if the penetration testing team can compare the results to industry peers and provide a comparative metric.<\/p>\n
5. Collaboration and communication \u2013<\/h3>\n
At the end of the day, the penetration testing team is a partner and an ally. They seek to strengthen your organization\u2019s security by identifying exploits before they are exploited by a malicious entity. This is a difficult balance to achieve, but the penetration testing team should work alongside the organization in support of this common goal. This may mean additional meetings, additional deliverables, and transparency between the two teams.<\/p>\n
6. Valuable report format \u2013<\/h3>\n
From time to time, I get to work on a risk assessment or review a penetration test report written by another firm. Sometimes they are great! Other times, they are not. The number of firms that deliver clunky reports shocks me. They are not only difficult to read and understand but also difficult to work with. The report must be usable.<\/p>\n
7. Multiple deliverables \u2013<\/h3>\n
Ensure the deliverable package meets your unique needs. This may mean deliverables are tailored for easy import into Governance, Risk, and Compliance (GRC) tools or additional deliverables are created (within reason). The deliverables package should include all supporting evidence (screenshots, tool outputs, recordings, etc.) from the assessment, time with the penetration testing team to inquire into specific vulnerabilities, and an executive summary explaining the results at a high-level for management teams and Board members.<\/p>\n
8. Narrative \u2013<\/h3>\n
This SHOULD be a no-brainer, but the report must accurately depict the assessment and tests performed with enough detail that a reasonably, well-versed security engineer could re-create the assessments as needed. Anything less is simply a vulnerability scan.<\/p>\n
9. Actionable recommendations \u2013<\/h3>\n
The recommendations created as a result of the penetration test should be direct and actionable and maybe even provide a way to validate remediation efforts internally. Where recommendations may impact business operations, the penetration testing team should be able to provide work around recommendations.<\/p>\n
10. Follow a standard methodology \u2013<\/h3>\n
Mature penetration testing frameworks and methodologies exist for a reason; they work and are repeatable. Like the Scientific Theory or Troubleshooting Theory, there must be a logical sequence of events to follow to identify vulnerabilities. Not following a matured, published framework or methodology is like throwing darts at a wall and seeing where they stick. Organizations can have a proprietary or mesh methodology, so long as they are following a methodology.<\/p>\n
And as a bonus:<\/p>\n
11. Risk ranking model \u2013<\/h3>\n
Risk ratings are hotly debated subjects. Executives and Board Members are more heavily invested in security than in the past. Risk ratings may also drive individual or department performance reviews and budgets. There are many ways to calculate and assign risk levels to vulnerabilities, but we recommend using an objective and repeatable method. This will provide proper forethought into the vulnerability as well as justification for how that risk was concluded. This can be proprietary formula or an open formula such as the Common Vulnerability Scoring System (CVSS) or Open Web Application Security Project (OWASP) risk calculator.<\/p>\n
Final Thoughts on a Mature Penetration Test<\/h2>\n
Budgets are tight and security budgets are even tighter. Board members and management are starting to take security seriously. Don\u2019t waste your hard-fought budget on a sub-par assessment.<\/p>\n\n
\n
\n Wonder what a cyber attacker sees when they target your organization? Wonder no more. Watch a live network attack demo simulated by an industry-leading offensive security expert. In our on-demand webinar, you\u2019ll learn how to uncover vulnerabilities that the average pen test misses. \n <\/div>\n