I have come to learn in the IT security market that we now live in a world where certificates and badges seem to matter the most when people choose a penetration testing firm. I do not know of any hacker that holds any of the governed credentials. So how did this happen? It started with firms and particular bodies attaching guidelines and regulations to testing and using them as the foundation for many of these credentials. That is good in itself, but it does not reflect the common methodology of your typical hacker, who is not bound by any of these regulations.
Are all certificates bad? No, I believe there are a handful that really are worth doing, from academies such as eLearnSecurity and Offensive Security, and another good place to start is Hakin9. The reason I pick these bodies in particular is mainly because they offer lab-based training, and lab-based training is good practice. Hackers do not come with a badge, as the title says, but we all need to learn from somewhere and there is nothing better than practising in a simulation, because it’s as close to legal real-life hacking as you can get while studying. I have seen many penetration testers visit a site, run a script and then leave. Many written courses mislead students into thinking HTTPS is always secure, when in fact a site that is not implemented correctly may simply be encrypting attacks such as SQL injection and cross-site scripting in transit. Are all ciphers as strong as they make out?
It is vital for an organisation to understand the purpose of a penetration test, namely highlighting as many security holes in the organisation as possible. A hacker only needs to find a single exploitable hole, whereas a penetration tester or IT security engineer has to find them all. Working in IT over the years you notice that the mixture of technology used to provide a service can be quite similar. Take a web application for example: LAMP (Linux, Apache, MySQL and PHP). All standard components, but every implementation is slightly different, with custom SQL character maps for example. Will a penetration script or automated tool cover checking custom queries?
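The two points above, that HTTPS only encrypts whatever the application is already doing and that a custom "character map" sanitiser is exactly the kind of thing a one-size-fits-all scan can miss, are easy to see in code. The following is an added example written for this page, not code from the original post; the database, the `CUSTOM_MAP` escaping function and the `find_by_*` query helpers are all constructed for illustration. It shows a home-grown single-quote escaping map that survives the classic string-context probe (so a scanner firing only that probe would report nothing) yet does nothing in a numeric context, and the parameterised query that removes the problem regardless of context. Nothing here depends on the transport: the exact same strings arrive whether the request came over HTTP or HTTPS.

```python
import sqlite3

# Constructed in-memory sample database (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, active) VALUES (?, ?)",
        [("alice", 1), ("bob", 1), ("carol", 0)],
    )
    conn.commit()
    return conn


# Hypothetical home-grown "character map", the kind of custom sanitiser the
# post mentions. It doubles single quotes and nothing else.
CUSTOM_MAP = {"'": "''"}


def custom_escape(value):
    return "".join(CUSTOM_MAP.get(ch, ch) for ch in str(value))


def find_by_name_vulnerable(conn, username):
    # String context: the quote map happens to neutralise the textbook probe
    # here, so a scanner that only tries that probe sees a "clean" result.
    sql = (
        "SELECT username FROM users WHERE active = 1 AND username = '"
        + custom_escape(username)
        + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_by_id_vulnerable(conn, user_id):
    # Numeric context: no quotes are involved, so the same map does nothing
    # and the concatenated value is parsed as SQL rather than treated as data.
    sql = "SELECT username FROM users WHERE id = " + custom_escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_safe(conn, user_id):
    # Parameterised query: the value travels separately from the statement,
    # so it is never interpreted as SQL in any context.
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # The escaping map "passes" the string-context probe ...
    print(find_by_name_vulnerable(db, "' OR '1'='1"))   # []
    # ... but the numeric context leaks every row, active or not.
    print(find_by_id_vulnerable(db, "1 OR 1=1"))        # ['alice', 'bob', 'carol']
    # The parameterised version treats the whole value as data.
    print(find_by_id_safe(db, "1 OR 1=1"))              # []
    print(find_by_id_safe(db, 1))                       # ['alice']
```

The lesson for a remediation plan is that escaping is context-specific, so reviewing every custom query by hand is the manual work the post is calling for, while parameterised queries give the same protection in every context and are the fix to recommend.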
You might ask why penetration tests only last X hours or a few days. Do hackers set themselves such a short deadline to get into an organisation? I know bug hunters that are paid on a commission-like basis and can take a month or even longer to find a bug. Generally the answer is that there is a limited budget or limited time left at the end of a deployment to run a pen test, or worse, security is not a high priority and the test is completed as a tick-box exercise.
Now I’m not saying all regulations are bad, for example guidelines for what needs to be included in a penetration report and an agreement to cover any accidental damage. But asking a penetration tester to prove an attack vector normally comes down to either “we do not do this” or “we are unable to prove this.” This is because some holes are false positives, or the penetration company may lack the skills to prove that the vulnerability they are reporting could actually be exploited.
Having conducted many a penetration test, I have realised that running through automated tests is a great starting point; however, a good deal of manual testing has the potential to highlight a few more hard-to-find problems for a client. Some automated tests also give the penetration tester a good foundation to start from, and something flagged with a low score can then be developed into something critical in a manual test by changing a part of the test.
Remediation is another topic I’ve seen countless times without a clear explanation. I have read some pretty weak remediation plans that simply look like a copy and paste of the report produced by an automated vulnerability scan. When I write a remediation plan that justifies the detected vulnerabilities, I like to break each one into two sections: the first a non-technical version describing where the problem is and how it can be prevented, the second a technical section explaining why this is a problem and how it can be eliminated. The reason for writing a remediation plan this way is so that both non-technical and technical parties can more easily read the report and be on the same page.
It is important for every organisation getting a penetration test done, at whatever level, to confirm not only that the credentials provided by a tester are legitimate but also what type of training they have attended. It is also important to understand the level at which the person doing the test has worked, as there are many levels of penetration testing. Can the person do manual testing, or is it all automated? Is this simply a vulnerability scan? Is there a proof of concept for each vulnerability? Can the tester provide a detailed remediation plan and support it?
There is much variation out there when it comes to quotes for penetration testing. Some tests are around the £3,000 mark, with others ranging up towards the £40,000 mark. You may be suspicious of the cheaper one, or the expensive one may look overpriced, but always ask what is actually being offered. Is this just a scan or is this a real penetration test? In the IT security market pricing varies, and the most expensive quote is not always the best-suited test for your deployment. It’s about the individual testers conducting the tests on the system and what is agreed.
Just like in other sectors there are good and bad offerings, and the same applies to the IT security market. The market is growing at a fast rate and is constantly playing catch-up with hackers. Clandestine organisations are hiring hackers and putting them to work in large warehouses in some parts of the world, trying to break into a variety of organisations for valuable data. It may not be your company today and you may not have a known vulnerability yet, but you never know what is around the corner. A subscription-based security-as-a-service plan may be the best way to keep up in a rapidly evolving IT security market. Your systems are regularly tested for potential exploit points as newly discovered vulnerabilities come out, and it allows the long, slow attack to be researched properly against your infrastructure, something a one-off pen test could not possibly find.