Digital Threat Digest Insights Careers Let's talk

Common mistakes when engaging a penetration testing consultant


FACT: In 9 out of 10 internal penetration tests we undertake, we are able to achieve a complete compromise of the network due to simple configuration mistakes.

Like it or not, as organisations rely more and more on networks, automation of business processes, and management of client data, they become more vulnerable to attack. And despite all the clichés about business continuity, the threat is real and evolving, with a third of businesses reporting a cyber-attack in the last 12 months.

Penetration testing and configuration reviews can help organisations identify network, system and application vulnerabilities, decreasing the number of avenues hackers can take to access valuable business information. And in world where the cyber threat is constantly evolving, it’s important to understand where your organisation’s risk exists, to ensure you can defend your organisation’s key assets.

However, not all security testing services are the same.

We’ve all purchased a product that isn’t quite up to scratch and normally it’s a matter of returning it for a refund. But in the case of a penetration test, if you don’t know that what you’ve bought isn’t doing what it’s supposed to, it can have disastrous consequences – malicious parties gaining access to your network and wreaking havoc on your bottom line and reputation.

We’ve identified the three key mistakes many organisations make when engaging a penetration tester, and the three key questions you need to ask to make sure you’re getting what you’ve paid for:

Mistake #1 – Buying unaccredited penetration testing services

All penetration testing services you buy should be conducted by qualified consultants who hold relevant and in-date industry qualifications, such as Qualified Security Team Member (QSTM/CSTM), Check Team Lead (CTL), Check Team Member (CTM), Senior Security Tester (SST), and Offensive Security Certified Professional (OSCP).

These qualifications give organisations peace of mind that the testers they have engaged are professional, have undertaken rigorous training and are able to demonstrate both their theoretical and practical knowledge of security at a professional level. Always ensure that you check the credentials of the professional services you engage.

You should also be looking at the other businesses your chosen supplier works with to ensure they have the background knowledge of your industry and specific needs.

Mistake #2 – Buying fewer consultancy days to fit into company budget

Although the length of time it takes to conduct a penetration test is entirely dependent on the size of the systems or applications in scope – as an example, a medium-sized organisation should expect to be quoted around 5-10 days consultancy.

Organisations should be wary of investing in consultancy days that seem significantly less than the above; it may mean you’re not getting the coverage of testing your systems or applications need. To be sure, just like every other service, request several quotes from different suppliers and ensure that each supplier confirms the scope of exactly what is being tested in this time and to what depth.

Mistake #3 – Not having results clearly explained

Your consultant should be available throughout the whole test to answer any questions and queries that you may have. They should introduce themselves to you prior to the engagement and ensure that you have their contact details. Any results that the consultant discovers during the course of the test which would be categorised as ‘critical’ should be brought to your attention immediately.

At the end of the test you should receive the report in 5-7 working days, dependent on the size of the engagement. The penetration test report should consist of an executive summary, which gives you a non-technical overview of any of the issues found, allow the you to understand the risk posed to the organisation; the severity and likelihood of those risks occurring; and the speed and ease with which they can be mitigated. The rest of the report should be a technical breakdown of the risks and vulnerabilities that have been uncovered, their severity, and the recommendations for mitigation.

This technical section of the report is intended to be read by an IT department or equivalent and will provide the necessary technical explanation for them to address any concerns.

How to avoid these mistakes – ask questions

While it’s useful to know about the possible mistakes, it’s just as important to know how you can avoid them. Here are three questions we believe you should ask about penetration testing to ensure you’re getting the best value for money.

1. Do I need a Penetration Test?

Many customers talk to us thinking they need a penetration test, but after further discussions we find that a vulnerability scan or assessment suits their needs much better. A vulnerability assessment looks for known vulnerabilities in your system, using a scanning tool, and reports any potential exposure. Unlike a vulnerability scan—which is an automated process—a penetration test is a manual test performed by what some may call, an ‘ethical hacker’ to assess the security posture of your organisation’s systems and networks. A vulnerability scan can be considerably more cost effective for an organisation, especially those whose business is not reliant on a web facing application.

Read more on the difference between penetration tests and vulnerability assessments.

2. How much will it cost?

The cost of a penetration test will depend entirely on the size of the systems and applications to be tested. As mentioned, medium sized organisations (that’s businesses of between 250 and 1000 employees) can expect to be quoted around 10 days consultancy for internal testing, and 5 days for website or external testing. This will usually cost between £3,250 and £6,500.

3. How will I be informed of my test results?

At the start of an external test, the tester will call you and let you know that they are starting. Our testers will always inform you of any critical vulnerabilities they find during the course of the test. Internal testers will perform their test on your site and are always available for you to ask questions or seek clarifications. On completion of the test you will receive a report which will cover any issues found and include both an executive summary and detailed technical breakdown.

How can PGI help?

Our team have years of experience identifying risk for the clients we work for. From solicitors to government departments, as well as online retailers and healthcare providers, we’re proud of the depth and breadth of the service we provide in finding exploitable technical vulnerabilities in your systems before the bad guys do.

PGI Penetration Testers are highly accredited and have gained a unique insight into the opportunities that attackers are looking for and which aspects of your system they view as a possible weakness. We use the most effective methods to identify vulnerabilities, without disrupting operations, allowing us to highlight problem areas and work with you to identify the most suitable solutions.

If you have any questions about penetration testing or configuration reviews, or would like to learn more about our consultants here at PGI, please get in touch with us and speak with one of the team.