January 13, 2020

5 best practices for choosing the right penetration testing provider

With the risk of a cyber breach and subsequent GDPR infringement higher than ever before, organisations are increasingly looking toward penetration testing to understand and rectify their IT infrastructure vulnerabilities before an attack can take place.

Here are 5 essential considerations when choosing a penetration testing provider to work with:

1. Determine what type of testing you require

All penetration testing involves a form of digital attack simulation and the type of test performed often depends on what you wish to achieve. For example:

  • Are you looking to identify vulnerabilities in a specific software application?
  • Are you looking to simulate specific scenarios, such as a lost mobile device, unauthorised devices connecting to your infrastructure, or a scenario that is unique to your organisation?
  • Do you need to check your organisation’s response capability and awareness of cyber threats in order to improve your incident response procedure?

While a good penetration testing provider will advise you on the most appropriate form of penetration testing, specific to your requirements, there are five forms to consider:

Black Box Testing: Testers are only given basic information, such as the target business. This is the most realistic method of penetration testing. However, it will take the longest time to complete a comprehensive assessment as very limited information is provided to testers.

White Box Testing: This relies on full communication between the tester and relevant personnel, including security teams and software developers. This ensures clients get maximum value out of an assessment and that testing time is used efficiently.

Double Blind Testing: With this form of testing, security personnel and internal teams are given no prior knowledge of the impending simulated cyber breach attempt. This means they are given no time to bolster digital defences, thus matching a real-world scenario.

Grey Box Testing: Combining both white box and black box penetration testing, grey box testing gives attack simulators partial knowledge of your infrastructure. This allows testers to focus on target areas and identify even the most hidden infrastructure vulnerabilities.

Time Box Testing: Testers must expose any vulnerabilities within your network under time constraints. This is designed to help you understand your first line of defence and how exploitable you are from an attacker’s perspective within a limited window.

2. Find out how your data will be secured

Regardless of the form of testing your organisation chooses, penetration testers will have access to a range of confidential data. Be sure that your chosen provider can demonstrate its own commitment to data security. Is your penetration testing information fully deleted after project completion? What is the organisation’s protocol for vetting and hiring penetration testers?

It pays dividends to enquire specifically about data handling and data protection protocols. For instance, does the business have a good reputation, with a proven track record for security and relevant accreditations? By their very nature, penetration testers are skilled in accessing your confidential data. But they also need to demonstrate that they will handle and store this data securely - before, during and after a test is carried out.

Entrusting a third party with critical infrastructure and data means you should look for clarification on:

  • Data transmission
  • Data storage
  • Data erasure
  • Record destruction procedure
  • Third party infrastructure security

3. Look for evidence of expertise and credentials

By looking in depth at the credibility and service reputation of a penetration testing provider, you can minimise the risk of infrastructure weaknesses being left unidentified. Many providers only highlight your vulnerabilities in a report; look instead for organisations that also assist you in resolving any security weaknesses found through testing.

Accreditations to look for include:

CREST: The Council of Registered Ethical Security Testers ensures consistent methodology and output across a range of providers. Increasingly this is becoming a mandatory requirement in bidding for public sector contracts and many private sector organisations.

ISO 27001: Awarded by the International Standards Organisation. Holders of ISO 27001 must adhere to strict auditing on information security. The accreditation is designed to reassure potential customers on sound procedures in the handling of confidential data.

CHECK: The industry-recognised scheme from the National Cyber Security Centre verifies penetration testing providers’ experience, quality of work and reporting standards. Organisations get complete confidence that the CHECK methodology is being consistently followed during every engagement.

IASME Gold: This standard provides an independent on-site audit of the level of information security provided by an organisation. IASME is one of five companies appointed as accreditation bodies for assessing and certifying against the government-backed Cyber Essentials Scheme.

4. Clarify their process

It’s important to know exactly how the penetration test will be performed, not only to understand how your organisation might be impacted during the process, but also to make sure the provider follows industry-recognised penetration testing methods.

The steps they will take, the tools they will use and how the exploits will be assessed are all things to bear in mind. Furthermore, the size of the team is an important consideration to ensure your needs can be realistically met. Also try to gauge whether the provider has the capability to grow with the needs of your organisation, particularly if you are looking for a potential long-term security services partner.

Asking about the experience of the individual team members you will be working with can also give you a better indication of their level of expertise. More generally, ask whether they have any feedback or testimonials from previous penetration testing clients that they can share with you.

A lot of the information is likely to be confidential, but providers should be able to supply anonymised recommendations on request. It's also important to be confident that the provider’s skills and tools are continuously assessed and kept up to date, since keeping watch on ever-evolving threats and technological advancements plays a big part in preventing security breaches.

5. Get a sample report

Requesting a sample penetration testing report is the ideal way to find out the level of service you will receive.

What you are looking for is a comprehensive, yet straightforward report that not only outlines the vulnerabilities identified by the security consultants, but also actionable points.

A good penetration testing provider will also include risk prioritisation, meaning you will know which vulnerabilities should be actioned as a matter of urgency, together with recommendations and practical guidance on resolving any security weaknesses. The ideal provider will also work with you through the remediation phase of the project, rather than just delivering a one-off service. This gives you a worthwhile, value-for-money partnership that is invaluable in safeguarding the security of your organisation.

CCL Solutions Group’s Penetration Testing Services

Hundreds of businesses are turning to CCL Solutions Group’s CHECK-accredited Penetration Testing Services to secure their operations when upgrading infrastructure, launching new applications, conducting M&A activity or meeting regulatory requirements.

Led by former National Crime Agency executives, CCL’s CREST-registered penetration testers conduct all external testing engagements from within a rigorously controlled environment in accordance with ISO 27001.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.