At a recent ISSA Motor City chapter meeting one of our Sr. Security Engineers, Mark Stanislav, presented his thoughts on how the process of hiring Ethical Hacking (EH) services could be better accomplished by an organization that may not be familiar with doing so. During Mark's presentation he outlined ten big-picture topics and sub-points to each, covering a broad set of ideas. We thought we'd share some of those points today in a post regarding this crucial and sometimes complicated process. If your company is trying to hire penetration testing services (or other EH projects), we hope these notes give you a better sense of what to expect and how to ensure success with your project.
Understand Why You Need the Service
It's an extremely common request for our team to handle a penetration test or web application security review for an organization based on the requirements of their customer or a compliance auditor. However, we always make sure that the service they are requesting is the service that they actually need. Because of the rather broad set of phrases thrown around for Ethical Hacking services, customers are sometimes told to have "security testing" done, but not much more guidance is given. We highly recommend that for any required services a very clear statement of expectations is provided to you by your customer or auditor. Further, auditors should be able to clearly state, "You require an external penetration test." or "You require a web application security review.", and not simply, "Test your security!"
Communicate With Your Teams
While the reasons for an Ethical Hacking project may vary from customer to customer, we generally advise sharing the discussion with as many stakeholders as possible. We recommend that customers let their team leaders, IT security managers, ISPs, data centers, and cloud service providers all know of the pending work. If we are interrupted during testing because someone blacklists our IP addresses or an ISP null-routes our network, our ability to assess security is severely impeded. Unless the goal of the test is a fully stealthy assessment, we recommend letting us test and report with the least impedance beyond your proper security controls (e.g. IPS, existing firewalls, etc.). By communicating with your teams, everyone will receive the most value from the work and we can do ours as intended!
Don't "Fix Things" During Testing
It's extremely tempting for a developer or systems administrator to make adjustments during a security assessment to slant the outcomes a bit more favorably toward their roles. However, changing code or configuration during an assessment can cause confusion among the people assessing your security, which leads to delays and inaccurate findings. Unimpeded testing allows the professional your organization has hired to do their job well and accurately represent the current state of your information security. The myopic attitude of "I'll fix it before it's on the report" will likely end up with us and your leadership investigating how and why something changed during our work, time that would be better spent on the assessment itself. Letting the results stand as results gives your organization a clear direction for real, honest improvement, which will surely benefit everyone in the long run.
We hope that you have found some value and insight in these points. While there are certainly many more that Mark shared with his audience, we thought these might give some direction to the organizations out there that have to hire Ethical Hacking services for the first time! As always, we're happy to discuss how we handle EH projects, from penetration testing and vulnerability assessment to web application security and code reviews. Feel free to contact us via the "Contact Us" button below for any additional information your organization needs about these important services.