A client’s network, services, and resources should not be used as a penetration tester’s training ground. The penetration tester(s) should be knowledgeable and experienced, with appropriate training and certifications for the types of testing being performed. Additionally, the penetration tester(s) should be adequately vetted, including background checks, to help ensure the safety and security of the penetration testing company and its clients.
Automated scanners are valuable tools during a penetration test, but they can miss important findings and may also return false positives. A penetration tester should always perform manual testing and verify all findings to ensure that they are accurate and complete.
There should be a clear scope and rules of engagement (RoE) established and agreed upon before testing begins. This will help to detail and clarify what resources should be tested, what methodologies and testing steps may be taken, and how and when those steps may be executed over the course of an engagement.
The company should follow appropriate penetration testing methodologies and industry standards. This will help to ensure that a test is performed consistently and completely with repeatable results.
Information Security is an extremely broad field that changes every day. While there may be some overlapping skillsets among individuals in the industry, specialization can help to ensure expertise in specific areas and may result in higher quality testing and results.
The penetration tester(s) should communicate clearly and often throughout the testing process. This helps to keep stakeholders up to date as testing is performed, and aware of any critical discoveries. When testing is complete, a clear report should be a requirement for any penetration test and should include details and evidence of the vulnerabilities discovered, how and where the vulnerabilities were discovered, and recommendations for remediation.
A penetration testing company should be professional and reputable within the industry, be willing to provide references and sample reports, and should always be respectful to the client.
A penetration testing vendor should provide retesting services to ensure that a client’s remediation efforts are successful. Make sure that the company allows for retesting, and understand what that retesting policy does or does not include.
Make sure that the penetration testing company has controls in place to keep sensitive client data safe and secure before, during, and after a test.
A penetration tester should always strive to do no harm to the network or services being tested. However, unexpected situations can occur which may result in unintended downtime. In the event that a disruption or data leak occurs as a result of testing, it is important to ensure that the penetration testing company is insured and can cover potential losses that may occur as a result.
Schedule your appointment online or contact us today at 612-234-7848. Connect with RedTeam Security today to ensure your company is doing everything it can to protect your computer systems and your business integrity.