Ask Questions When Evaluating Penetration Testing Companies
Penetration testing should be done at least once a year to help protect your systems and keep your business compliant.
Although these tests are necessary, many people don't know what to look for when hiring a vendor. Knowing how to evaluate these professionals can help you get the best service for your money. Here are a few questions to ask when hiring a penetration tester.
Tell Me How Your Penetration Testing Is Different
Penetration testing takes the vulnerability assessment a step further by actually attempting to get information from your organization. Rather than just identifying weaknesses, penetration testers try to exploit these weaknesses to gain valuable insight into how your systems work.
Have your penetration tester describe their testing methods. How much of their testing is automated? No more than 20% should be automated; otherwise, you likely have a company that relies solely on tools and scanners rather than on manual techniques to get into your system.
Do Your Testers Hold Certifications?
The person you meet may not be the one conducting your penetration test. You want to make sure their employees are educated, experienced, and current on the most recent security tactics. Ask what certifications they hold. Good ones to look for are Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), and Offensive Security Certified Professional (OSCP).
Walk Me through Your Process When Performing the Test
Every company’s process for conducting their penetration testing will be different. However, core strategies should be relatively similar. Let them tell you about their outline and what methods are used during each step in the process. This will help you evaluate their techniques against other companies and determine which one best fits your needs.
Which tools they use, and why, is crucial. If you have them explain why they need certain tools, you'll get a glimpse into their expertise. Your penetration tester should always follow concrete methods, not conduct random scans. Have them walk you through their general process for identifying and probing weaknesses in your system.
What Measures Will Be in Place for Keeping My Systems Available During Testing?
Penetration tests are exactly what they claim to be—attacks in an attempt to gain information. No company can guarantee that your systems will remain up throughout the test, but experienced testers should have some idea of whether a certain attack will hinder your system or service.
During penetration testing, your vendor should keep you updated, work to address these concerns, and help keep your systems running. Monitoring progress is essential, but before the test starts you should also agree on what measures will be in place to maintain system availability throughout the schedule.
How Will You Protect My Data?
Your data is vulnerable, and it will remain so while you and your tester exchange information about what they find during the process. Make sure encryption is used to protect that data, and ask how they will deliver the results of the test.
This information should never be sent through ordinary, unencrypted email; encrypted email or an on-site presentation is best. How they report findings matters, so talk with your prospective vendor about their methods for sending data.
When it comes to penetration testing, knowing the right questions to ask your vendor can help you secure the most experienced professionals. After the interview you should have a clear idea of their process, methods, and expertise. Penetration testing is an excellent tool if done correctly!