Don’t Fall For These Traps: Expert Tips for Flawless Penetration Testing

November 14, 2024

Penetration testing is a crucial defense mechanism against cyber threats, providing organizations with a realistic assessment of their environment’s security and vulnerabilities. There are many things to keep in mind when navigating a penetration test and specific challenges that come along with it, such as determining the type of penetration test that applies to your business and navigating regulatory requirements. This begs the question: what should you look for in a penetration testing provider to ensure you get the protection you need? Read below to uncover common penetration test challenges and the key factors that separate the best providers from the rest.

Why Your Organization Needs Penetration Testing

Penetration testing, often called "pen testing," is a simulated cyberattack against your computer systems to check for exploitable vulnerabilities. Cybersecurity professionals trained as ethical hackers will attempt to breach an organization’s systems, networks, cloud, and applications to identify vulnerabilities, as defined by the MITRE ATT&CK framework. These tests uncover hidden vulnerabilities that companies can remediate before malicious attacks occur. It is recommended, and often required, that organizations conduct a penetration test annually. Penetration tests are often seen as an exercise to satisfy compliance criteria, but when performed correctly, they are critical to mitigating risk within an organization.

Best Practices to Avoid Common Mistakes

1) Determine the Right Type for Your Business

Knowing what a penetration test is and which kind(s) fit your company is key to improving your security posture. There are different types of penetration tests, including network, application, and cloud, and what you need will depend on your IT infrastructure. A qualified penetration tester should go to great lengths to understand your business and infrastructure to properly scope the appropriate type or combination thereof. They should ask you for details about your network size, assets, number of external IPs, storage buckets, API endpoints, user roles, cloud setup, and more. If you are developing applications, your provider should ask for demos of the apps to get a thorough understanding of the key functionality to properly scope the engagement. The cloud penetration test is often overlooked but is essential for businesses that leverage cloud service providers.

2) Don’t Fall For the Faux

A common misconception is that a vulnerability scan is the same thing as a penetration test. While these two tests can complement each other, they are not the same, and a vulnerability scan should not be a substitute for a penetration test. A vulnerability scan provides a broad overview of potential weaknesses across an organization’s IT infrastructure and can apply to any organization, whereas a penetration test will provide proof of exploit for vulnerabilities specific to your business. This ensures your team is focusing on vulnerabilities that are actually exploitable by attackers, not theoretical ones. Since a vulnerability scan is generalized, it is performed by software at a low price point. Penetration tests are required to comply with certain cybersecurity frameworks, so they are much more effective and worthwhile, and they are performed manually by a team of experts.

3) Ask about Methodology and Scoring Frameworks

The Penetration Testing Execution Standard (PTES), a framework that provides a structured approach for conducting a penetration test, should be a part of a qualified provider's methodology. The PTES aims to standardize the penetration testing process across different testers and organizations so that all critical areas are covered.

Beyond the PTES, the tester should use a vulnerability scoring framework to assess your risk and highlight proactive solutions. The Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) both provide valuable information for vulnerability management and risk assessment. The EPSS goes beyond the CVSS and is a data-driven approach that predicts the likelihood of a vulnerability being exploited specific to your business. Look for a provider that uses EPSS to most effectively assess your risk.

4) Assess Regulatory and Compliance Acumen

A high-quality penetration test provider should have a comprehensive understanding of your industry and compliance regulations. The penetration test is only one part of a cybersecurity program. Find a provider who can work with you to create a tailored cybersecurity program that effectively addresses your vulnerabilities and meets stringent compliance requirements while enabling you to meet your business objectives.

5) A Custom Approach for Proactive Insights

A one-size-fits-all approach is not an effective strategy for penetration testing and often wastes time and resources without providing actionable insights. Choose a provider that will create a custom plan tailored to your organization’s goals. The right provider will help you interpret the results of the test and provide detailed recommendations for remediation. They should then follow up with a retest to ensure the vulnerabilities are fixed.

Penetration testing is an essential component of an effective cybersecurity program, and working with a qualified provider is crucial. Don’t treat the penetration test as a check-the-box exercise: leverage the valuable insights to effectively fortify your defenses. If you’re ready to strengthen your cybersecurity posture through a penetration test, contact the Richey May cybersecurity experts today at info@richeymay.com.

About the Author: Michael Nouguier has more than 15 years of experience providing enterprise information security and risk management services to various organizations, from mid-market to enterprise, with an emphasis on the financial services industries. Known for leading large and diverse teams of cybersecurity professionals, Michael has a track record of being a trusted and valued partner to clients, providing services that include Strategy & Advisory, vCISO, Digital Forensics & Incident Response, Penetration Testing, Vulnerability Management, Application Security, Implementation and Managed Security Services. His experience includes numerous compliance verticals, including PCI-DSS, Sarbanes-Oxley, HIPAA, GLBA, FISMA, TPN, ISO, SOC, New York State Department of Financial Services Data Security and GDPR, while driving consistent delivery of cybersecurity services in alignment with industry best practices (CIS/NIST/ISO/CMMC). Michael creates sustainable change for his clients by focusing on understanding their overall business priorities and their current state of security to build customized cybersecurity strategies, leading to stronger adoption of practices and ultimately lasting success.