My Vendor Requires a Penetration Test, Where do I Start?

Many of our clients come to us when a client or third-party vendor requires a penetration test, and they have to provide proof to them that they have completed a penetration test. The conversation ranges from “I have no idea where to start” to “what the heck is a penetration test” to “we currently conduct vulnerability scanning, is this sufficient?” Today, we will explore some of the basics to help you get started.

What is a Penetration Test?

Unfortunately, we have found that many third parties merely put a single bullet on a questionnaire that states “Client conducts penetration testing”. Great, now what in the world is a company supposed to do with that?! There are various types of penetration testing, and each looks at very different and specific aspects of your security. Generally speaking, in most scenarios we take this vague statement to mean an external penetration test. An external penetration test emulates an attacker trying to break into your company from the Internet. But there are many other types of penetration tests and security assessments, including:

  • Internal Penetration Test – Once you’ve got a good handle on your external perimeter, it’s critical that you don’t stop there. An internal penetration test helps you understand security within your network and quantifies the risk should an attacker gain an initial foothold or a malicious insider be present on your network. Slightly more expensive than an external penetration test, given the additional time required to assess all of your internal systems, an internal penetration test is the next logical step after an external penetration test for most organizations. You’ll want to prepare for many more findings compared to an external penetration test, but addressing them will greatly improve your organizational security in the long run.
  • Web Application Penetration Test – Once you’ve understood your risk at the network layer, you’ll want to focus your efforts on understanding your risk at the application layer as well. This type of test assesses both the unauthenticated and authenticated portions of a target web application to identify weaknesses that could allow unauthorized access, lateral movement (one user getting another user’s data), or privilege escalation, just to name a few. Most organizations start by assessing their most critical, in-house developed applications. Pricing for this kind of assessment can vary greatly, so check out our blog post that addresses that topic for a better understanding.
  • Social Engineering Assessment – All of the assessments we’ve talked about thus far look at technical assets from different perspectives, but a social engineering engagement focuses on your employees. During this type of engagement, we use a combination of phishing, spear-phishing, and vishing (phone-based attacks) to understand the level of risk your employees represent to the organization. No matter how many security controls you have in place and how strong your external perimeter is, all it takes is one employee clicking a link to give an attacker immediate access to your internal network. This is often the primary way attackers attempt to gain access to a network, because it’s the easiest and most efficient route for them. This type of assessment is priced based on the sample size of employees being tested, but starts at around $3,000.

As you can see, there are many flavors of penetration testing that vary greatly in price and test different aspects of your security posture. That is why, when you see only “penetration testing” on your vendor questionnaire, you should always confirm exactly what they are looking for.

Where Should I Start?

Step 1: The first thing we always recommend is asking the third party to be more specific about what type of penetration test they are requiring. The last thing you want to do is overpay for a penetration test that you don’t really need, only to find out that it does not satisfy their compliance requirements.

Step 2: If the third party comes back with another vague or ambiguous answer, ask the penetration testing firm you plan to engage for the assessment to provide the methodology for the testing they would perform, so that you can pass it along to the third party. Ask the third party to review it and verify that it will satisfy all of their requirements.

Step 3: Confirm with the vendor how you will be required to prove that you have conducted a penetration test. Generally speaking, we do not recommend handing over a full report containing sensitive information such as security vulnerabilities unless it is necessary. At Triaxiom, we offer a Certification Letter that details the type of test that was performed and gives a high-level overview of how you performed. This letter does not give away any sensitive information, so in most cases it will satisfy a third party that you’ve done your due diligence and had testing conducted.

Step 4: Find a penetration testing firm that can complete the testing. We would be happy to assist!

At the end of the day, having a penetration test completed can seem daunting if you have not done one in the past. With proper research, vetting of requirements, and preparation, a penetration test can be executed without much trouble. If this is your first penetration test, we highly recommend that you start conducting them on at least an annual basis to ensure you are not only satisfying compliance requirements, but also properly safeguarding your company and your clients.