When selecting a penetration testing company there are many factors to consider, not the least of which is the integrity and technical skill of their team. The first, and most critical, step is to decided whether or not you trust the team you’re considering. Make no mistake about it; you are inviting a third-party to attempt to compromise your most critical IT assets. If you do not have the utmost trust in the team you're about to hire - stop immediately and consider alternatives. With the global increase in corporate data breaches there is also a rise in penetration testing companies. So how do you know if you can trust the team you’re hiring? If the company has been around for a while it should be as easy as asking for references. However, if they’re a relatively new company, like Gray Tier, then it’s a bit harder. Regardless, you should still ask about previous clients. You should also ask about their methodology? How they approach their testing? What are their rules of engagement (ROE)? What is the background of the individual team members? How do they minimize risk to your assets during an engagement? These are just a few of the questions we expect our clients to ask, and likewise we should be able to provide answers to your satisfaction.
Gray Tier’s foundation is deeply rooted in protecting military networks where we honed our skills defending mission critical systems from world-wide cyber threats. We have conducted penetration tests on sensitive U.S. government systems where being thorough and careful were absolute requirements. Whether we are conducting penetration tests on government or commercial networks we generally follow the Penetration Testing Execution Standard (PTES) which consists of 7 phases:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation
We want to stress that each assessment is completely tailored to the client which is why we will spend as much time as needed in the pre-engagement phase to scope the assessment accordingly. Getting the scope right will save you both time and money, and help ensure you get the type of deliverables you’re expecting. In the event that you are not quite sure what you want or need then that’s perfectly fine. It’s also our job to act as a guide by asking you the right questions to get to the heart of what your organization needs from an assessment. It also in the pre-engagement phase where we will establish the Rules of Engagement (ROE) for the entire assessment. Your priorities are our priorities. We’ll ask a series of questions to fully understand that the left and right boundaries for each of the additional phases of the engagement. What systems are in scope? How would you like us to proceed if a system is penetrated? What are the assessment hours, and so on? This is also the time to bring up any additional concerns you may have. At the end of the pre-engagement phase you should fully trust the team you’re hiring, and understand what actions are about to be conducted on your network.
Once you’ve vetted a potential company the next step is to make sure you’re hiring the right talent. This is a difficult task without intimate knowledge of the security industry. One factor you can look at is the education and certifications of the team members, but this can be deceiving. At Gray Tier we do prefer candidates with technical degrees, such as Computer Science or Engineering, because degrees with high math requirements force students into solving difficult problems. Breaching the security of a network requires dedication and an enjoyment of problem solving; which are traits typical of engineers and scientists. As for certifications our philosophy is simple - if the certification does not require a practical hands on skills portion it’s regarded with scrutiny. To be clear, there are a number of very difficult certifications that do not require a practical skills assessment. However, we’ve encountered too many candidates that are products of boot camps without any demonstrable skills. In our experience certifications with a practical portion tend to weed out those that are good at multiple choice test taking, but can’t necessarily execute. Of course having a degree in science or engineering does not make someone a good penetration tester. Similarly, having a certification with the word “hacker” or phrase “penetration tester” in the title does not guarantee you’re going to get a quality assessment. There are plenty of very talented security professionals that have no formal education or training, but are very skilled in their craft. If you’re in a management position reading this we encourage you to listen to your technical staff when deciding on a penetration testing team.
Ultimately, there is really no way to be sure that you’re hiring the perfect team. When in doubt go with your gut. If your instinct is telling you that something is not right or doesn’t add up then it’s best to listen to that feeling, and look elsewhere.