Taking a Best-Practices Approach to Penetration Testing

Written by: Elliott Abraham, CISSP – Senior Security Architect at ADAPTURE

Penetration Testing or, as it’s known somewhat euphemistically, PEN Testing is a vital component of an overall risk management program. PEN Testing is so vital and is taken so seriously that the Payment Card Industry (PCI) in March of 2015 published Penetration Testing Guidance. This guidance is a very extensive work, and it identifies the following as PEN Test goals:

  1. To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data.
  2. To confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation, required in PCI DSS are in place.

This guidance goes into detail to outline the criteria for PEN Testing, the qualifications for PEN Testers, and PEN Testing methodologies. At ADAPTURE, we help our clients understand the specific recommendations outlined in the guidance, such as how to properly evaluate a suitable PEN Testing provider.

Best Practices: The Two-Year Rule and Its Challenges

PEN Testing provides a critical window into the inner workings of an organization via its people, processes, and technologies. As such, these tests must be as thorough and as accurate as possible. To maintain the credibility of the process and fidelity of the tests, it is considered a best practice for organizations to rotate PEN Testing vendors every two years. This ensures a new “set of eyes” will be assessing the controls and processes of the organization, thereby eliminating the tendency toward box-checking and complacency.

But just because it’s a best practice doesn’t mean it’s simple and straightforward. There are a few challenges IT leaders typically face when implementing the Two-Year Rule. The first relates to the scheduling and frequency of the PEN Testing. Depending on your organization’s level of compliance requirements, you could require PEN Testing once per year or once per month. Rotating vendors in high-frequency PEN Testing environments can add an additional layer of complexity to an already challenging task. An additional challenge comes after multiple vendors have completed testing: inconsistency in reporting. Regardless of how high-caliber your PEN Testing providers are, the output will differ from vendor to vendor. There is no “universal standard” for PEN Testing reporting. So, when you rotate vendors, your team will constantly need to adjust to a new reporting format and might not be able to quickly glean the same insights across reports.

A third, and probably the most critical, challenge arises when the time comes to thoroughly vet a PEN Testing provider. This is a time-consuming and sometimes arduous task, but great care and consideration must be taken when selecting your next vendor.

Why PEN Testing as a Service Makes Sense

Because many ADAPTURE clients experience these challenges with implementing PEN Testing best practices, our consultants routinely craft managed services programs that help these companies remain compliant without the headaches that can accompany a rotating vendor program. We call it PEN Testing as a Service.

Through our deep industry relationships, ADAPTURE has evaluated and carefully vetted an exclusive group of best-of-breed PEN Testing providers. Only the best providers are invited to participate in our Penetration Testing as a Service offering. Our process takes this vetting responsibility off our clients. We begin the service with a strategic planning session that outlines your specific PEN Testing needs; this helps us determine the frequency of your assessments. After that, your work is done. Best-of-breed vendors are brought in to perform your assessments, and all reports are delivered to our staff of expert cybersecurity consultants. Our experts take on the task of evaluating your test results before compiling them into our detailed reporting format. This ensures that you receive the same report, with the same highly detailed insight, every time a PEN Test is conducted.

The primary focus of this offering is to provide our clients with well-vetted and qualified vendors who will never get complacent when conducting this vital security assessment service.

If you have questions, or if you want to schedule an initial planning meeting, please contact our team today.

References:
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
http://www.pentest-standard.org/index.php/Main_Page