
Post on 24-Jul-2020
Consumer Guide | Shearwater Ethical Hacking

shearwater.com.au Consulting | Penetration Testing | Security Operations | Compliance | Security Education

If your organisation is like most, chances are you handle sensitive information every day. From customer data to intellectual property, keeping company information safe is critical for the long-term viability of your business.

Penetration testing is one of the most powerful and effective ways to ensure the security of this information and your broader IT environment. By identifying security vulnerabilities and developing customised solutions to address them, penetration testing protects your organisation against security breaches and prevents sensitive data from falling into the wrong hands.

9 traits of a reliable penetration testing partner

1. Conducts a comprehensive penetration test – not just a vulnerability assessment

There is a real and significant difference between vulnerability assessments (an automated screening which lists and prioritises vulnerabilities) and a proper penetration test (a goal-oriented exercise which simulates a cyber-attack). While vulnerability assessments generate useful information, the results are generally substandard when compared to a penetration test. Penetration testing – in which testers must actively try and exploit vulnerabilities and flaws in your business logic – is most powerful for truly understanding the risks your organisation faces.

Penetration testing vs. vulnerability assessments - what’s the difference?

A penetration test simulates a malicious attack to evaluate the security of a computer system or network, with the tester actively attempting to exploit what they find. A vulnerability assessment only identifies known, publicly disclosed vulnerabilities (typically by automated scanning against a signature database) and does not attempt to exploit them or to find flaws in your business logic.

The challenge of finding the right penetration tester

With an array of players in the penetration testing industry, choosing the right testing provider can be overwhelming. It’s essential to do your research and ensure your chosen penetration testing provider is proven, reliable and professional beyond reproach.

You will rely on your chosen provider to interrogate your business systems and use complex tools to bombard your IT network. If the provider lacks knowledge and experience in applying their tools to diverse IT environments, you may waste your money and fail to see results. Worse, your IT environment could be damaged, changed or taken down if penetration testing tools are not appropriately configured for your specific environment.

So, how do you select the right partner for penetration testing? This guide outlines the nine most important traits you should assess from a penetration tester to ensure you get the best outcome in protecting your organisation.

Choosing the right penetration testing company

2. Has a strong track record of value for money services

In the penetration testing industry, you get what you pay for. A careful assessment of the specific offerings, approaches and guarantees provided by each penetration testing company will help you maximise value for the amount you pay. Look for companies with a strong brand in the market that are dedicated to spending time to learn and understand your environment, and tailor their approach to your business context.

3. Conducts penetration testing as a core offering

Being at the forefront of the cybersecurity industry is paramount to successful penetration testing. Maintaining this position requires that team members are consistently conducting tests in diverse environments and staying up-to-date on the latest security research, trends and attack vectors. You may find that many companies conduct penetration testing as a value-added service, rather than as a core offering. In this instance, it’s worth investing the time and effort to source a provider for whom penetration testing is core business.

4. Has objective proof of capability

There is a huge range of capability in the penetration testing market, from specialised experts at the top end of the spectrum through to individuals who have learned to run hacking software at the other end. It’s essential to choose a capable partner with proof of prior experience and success.

Review sample reports to ensure they are professional, thorough and offer actionable remediation advice.

Look for recognised penetration testing certifications such as those from the SANS Institute (GPEN, GWAPT), Offensive Security (OSCP, OSCE) or CREST.

Review the credentials of the testing team to ensure they bring sufficient experience.

Ask for references from past clients and find out what they valued most.

5. Delivers customised and practical reports

After a penetration testing exercise, you can expect to receive a report summarising the key findings and next steps for remediation. If a report is not written in a way that you can understand, or if remediation activities are not practical for your budget or environment, you will realise limited value from penetration testing. Before engaging a provider, make sure you will receive a report that is meaningful, helpful and customised for your environment. Be wary of software-driven canned reports (such as those generated through vulnerability assessments). Remember, you can ask for previous reports and sample reports to confirm that the approach is comprehensive and suited to your business goals.

6. Conducts testing before an application is moved into production

Penetration testing generally involves sophisticated and targeted attacks on your IT environment or applications to identify vulnerabilities. Ideally, this testing should be conducted during the user acceptance testing phase – before an application or system is moved into production. This will allow testers to try different attack vectors without presenting a risk to business continuity. However, if this isn’t practical, it’s never too late to conduct a penetration test. Expert providers can conduct effective testing against production systems with minimal downtime risk, for example by agreeing testing windows, excluding destructive techniques and keeping a named contact on call. It is crucial that this is highlighted and discussed in detail during an initial scoping call.

7. Independence from your day-to-day IT operations

An existing business relationship shouldn’t be a condition for selecting your penetration testing provider. System administrators, for example, typically don’t make good penetration testers because they’ve often already closed the holes they know about, and it is the holes they don’t know about that matter. Defending against attacks and performing them require completely different mindsets. It requires someone who brings specialist skills and, ideally, can look at your company’s IT environment from an outsider’s perspective. Don’t be afraid to search outside your existing relationships for the right penetration testing expert.

8. Proactive security approach, not just a ‘tick the box’ exercise

With the swathes of sensitive data held by organisations today, penetration testing should not be treated as a ‘tick the box’ exercise. When selecting a penetration testing provider, be cautious of companies who promote that they’ll just help you to get through an audit. Instead, look to engage a partner who has a proactive security mindset – this will drive vastly better results that will save you time, effort and money long term.

Why hire penetration testing specialists?

A penetration testing company will identify and prioritise cyber security issues and provide actionable, precise steps to address them. Penetration testing companies also hire specialist penetration testers with deeper experience than most in-house IT resources. This knowledge comes in handy given that different compliance standards often require different methods of penetration testing at varying intervals.

Opt for a structured approach

Your chosen penetration testing company should have a structured approach that meets your requirements and timeframes. To ensure nothing is missed, each penetration test should be treated as part of a larger cyber security journey, not as a one-off test. Each stage of a penetration test should fit neatly together to form a complete project.

Begin at the beginning

A penetration testing firm should work with you from build-up, where detailed requirements are defined, all the way to close-down. By this point you should have a clear path and understand the steps to take to meet your business requirements.

9. Conducts a scoping exercise as part of the testing

Reputable and professional penetration testing providers will undertake a thorough scoping exercise before conducting a penetration test. Scoping exercises help you and the provider to define your goals and objectives, and accurately ascertain the size and breadth of the assessment. You may be considering a ‘black box’ assessment (testing without any prior knowledge), but this often ends up costing more money for less value, because a large share of the budgeted time goes to reconnaissance of things you could simply have told the tester. An ethical and professional testing company will guide you to get the most value out of a penetration test.

About Shearwater

Shearwater is a specialist information security service provider. Since 2003, the company has secured the technology and flow of information that have enabled millions of transactions across government organisations and private enterprise.

Shearwater’s expertise and non-negotiable focus on the information security space has put it at the forefront of security education, penetration testing, operational security management and threat intelligence. The company also enables organisations to implement rigorous security policies and helps them achieve, maintain and prove compliance with security standards.

Shearwater provides one of the most comprehensive security reports in Australia. Its executive level reporting highlights to businesses the risks associated with the security of their information, whilst also providing actionable recommendations to the internal security team. The company prides itself on its client communication, customer service, fast response, and on-time delivery. Learn more at www.shearwater.com.au.

Get in touch

1300 228 872 shearwater.com.au

Whatever your Information Security challenge, we’re here to help you find the right solution. Sydney | Melbourne | Canberra | Brisbane | Perth

Solution Overview | Shearwater Ethical Hacking

So, how do you find out if your potential penetration testing provider fits the bill? Don’t be afraid to ask them the following questions before you agree to engage them:

Questions to ask a potential penetration tester

Are you certified to conduct the penetration test to a standard that will meet my compliance requirements?

Does your company have a dedicated penetration testing team?

What experience and qualifications do your penetration testers have?

Will you complete a scoping exercise in advance of the penetration test?

What software do you use? Is it commercial software or open source?

Can you explain in detail your penetration testing methodology, and how it is different to a vulnerability scan?

Will your report rank each finding and be specific to our organisation, and do you provide recommendations that are applicable and achievable for our environment?

Does your company perform close down meetings where the findings are explained for both business and technical audiences?

Can you provide any references?

Shearwater is a specialist information security services provider, providing a combination of integrated services and capabilities through our highly experienced information security and risk professionals. You can be assured that, in engaging Shearwater, you will work with a proven, reliable and professional penetration testing partner.

Transparent Approach

We are known for the high level of interaction and effective communication we provide during engagement. We provide information ahead of time about our testing approach and are readily available to discuss questions and concerns.

Comprehensive

We manually validate automated findings and eliminate false positives. We also look for vulnerabilities that automated tools are unable to find, such as business logic flaws.

Responsive

We listen to our clients to understand their goals. Our team also alerts security staff in real time to critical vulnerabilities and threats discovered.

Professional

Our testing is non-disruptive and the risk of a system downtime is minimal.

Post engagement follow-up

Our post engagement follow-up is an additional benefit that allows clients to engage us with questions, or seek guidance on issues referred to in our penetration testing report.

Penetration Testing Standards we follow:

The Open Web Application Security Project (OWASP)

The National Institute of Standards and Technology (NIST)

Open Source Security Testing Methodology Manual (OSSTMM)

Penetration Testing and Execution Standard (PTES)

Penetration Testing Framework

Australian Government Security Policies and Guidelines

Our Certifications

Comprehensive reporting

Shearwater Ethical Hacking offers in-depth executive level reporting which serves as a risk minimisation tool for management, and a technical document – listing vulnerabilities prioritised according to risk level – for the internal security team. The report also provides private enterprise and government with access to mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.