Nine questions to ask when hiring a pentester

10 September 2018

Every company holds valuable information, even if they don’t believe so themselves. Just think of salary information, customer emails, R&D information, customer credit card details, patient information,… Even if the data, in itself, is not valuable, leaking it may cause a company reputational damage. Pentesting – short for penetration testing – can help an organization find out how well protected – or how vulnerable – its information and IT infrastructure are.

Let’s not kid ourselves: the number of cyberattacks will only increase, and these attacks get more sophisticated all the time. A hacker has all the time in the world and has no budget restrictions: if someone is out to get through your protection, they can keep gathering information on your company and try a thousand times to hack inside your systems. A pentester does exactly the same. This "ethical hacker" seeks information on your infrastructure and security equipment, explores vulnerabilities and investigates how he can exploit these weak points.

Unfortunately, not all pentesters are created equal, and it may be hard to choose the right company to work with. These questions will help you find the best pentester.

Are you certified?

Hackers are getting smarter all the time, and so should pentesters. A number of certifications exist, such as GPEN from SANS, that guarantee pentesters have the right knowledge and attitude. To keep this certification, they are kept up to speed with the necessary training. NATO-clearance is proof of good background checks. NATO-clearance goes way beyond picking up proof of good behavior and morals at the city administration.

What report do you deliver?

Don't settle for a mere printout of the results from an automated scanning tool. A good pentester will deliver a manually written report that takes the context into consideration and comes with a number of recommendations. Anyone can deliver automated test results; it is much harder to analyze and interpret them. That's what a good pentester will do.

Do you have field experience?

While we have the greatest respect for professionals who pentest day in and day out, it may be best to hire a pentester who also has field experience as an engineer and as an integrator. A security specialist, who is also involved in implementing security equipment, knows from experience what can go wrong in the installation. Having this background will help the pentester get results more efficiently.

What is your methodology?

A number of approaches are possible when performing a pentest. People often refer to black box testing (where the tester starts out with no system knowledge at all), white box testing (where the pentester is given extensive information at the start of the process) and grey box testing (where the pentester is given limited information). While all three approaches are valid, it is quite important to ask a pentester what process is followed, what steps are taken, and which tools are used in which part of the process. At Simac, we recommend an approach that blends the three traditional types of pentesting.

Do you go beyond an audit?

Security audits typically rely on interviews and inventories of the security systems installed. Pentesting goes much further than that and actually takes the systems to the test, often finding problems that go undetected in an audit.

Do you use tools?

Tools play a key role in a pentest. High-quality tools help ensure that both the testing parameters and the results are reliable and trustworthy. In the hands of a properly trained penetration tester, these tools provide a quality-assured testing set that can be used to accurately assess an IT infrastructure by exercising the vulnerabilities that are actually present. Tools are not an end in themselves: it will always take a human expert to review and interpret the results.

Will you damage my system?

A hacker may be out to do harm to your systems, blocking your normal operations. When an ethical hacker tries to find vulnerabilities, the same may happen. Fortunately, a pentester will let you take the necessary backups first, so systems can be restored immediately.

Do you think architecture?

Information security is a jigsaw puzzle where all the pieces need to fit neatly to guarantee optimal security. A pentester must look beyond just the security infrastructure and also needs knowledge about networking, operating systems,… Only someone who takes a helicopter view and sees the bigger picture, can evaluate all parts of the infosecurity landscape. An architectural view is a necessity for a pentester.

When will we meet again?

A pentest delivers a snapshot of your current information security status. If something changes, for instance by implementing a new application, new vulnerabilities may arise. That’s why we recommend doing a pentest at least once a year, but preferably every time a major new application goes into production.

Any type of company is vulnerable, big or small, commercial or non-profit. So any organization will benefit from a pentest. Companies may think they are well equipped with firewalls, anti-virus,… but maximum security is hard to obtain. Pentesting can help you assess just how safe you are.

Simac ICT Belgium has several experienced pentesters who can help companies increase their level of protection. Just ask us the questions you need to ask. We have the answers.
