Pentest from scratch: how to prepare and choose a contractor

Father

While some hackers attack Russian companies outside the law, others work legally and even receive money from victims. Such "intruders" are engaged in a pentest – a penetration test. Recently, the service has become particularly popular among businesses in Russia.

Read in this article: what is a pentest, how to conduct it for the first time, and what criteria are used to select a performer.

Pentest: what is it and who needs it

A pentest is a penetration test whose methods are no different from the actions of cybercriminals. Specialists find vulnerabilities, break into systems, and gain access to personal, financial, or other important data. The only difference is that pentesters walk this path in advance, so that real intruders cannot use it later.

Ilya Kostyulin
Head of Security Analysis at Awillix

If you haven't done a pentest in more than a year, then you need one. About 25,000 vulnerabilities are discovered per year. Companies may not always be able to monitor all services and install the latest updates. In addition, configuration errors are added. As a result, by building vulnerability chains and searching for additional information, an attacker can penetrate the protected perimeter.

The pentest is especially important for companies that have recently introduced new solutions and products. And doubly so if a breach of the confidentiality, integrity, or availability of their information could negatively affect the organization's processes.

Businesses often order a pentest because regulators require it. But the most pressing reason, according to experts, is the maturity of the company's cybersecurity processes. Simply put, at some point, information security audits and the use of best practices are no longer enough. The company understands that a real security check is needed. That's when it decides to order a pentest.

How to prepare for the first pentest

It doesn't matter what the reason for requesting the service was. Much more important is how the company approaches the procedure, according to Cyber Media's interlocutors.

If the company conducts a pentest from scratch, experts advise:
  • define the intruder (attacker) model: it is advisable to understand which resources are most critical and fix them as targets for the contractor;
  • understand and formulate the purpose of testing: this will allow you to select performers more accurately based on their experience;
  • decide on the testing method (white, gray, or black box), the time frame and budget for conducting the pentest, and the mandatory reporting requirements;
  • check the availability of all necessary documents and agreements, including an NDA and documentation that will allow the contractor to better understand the company's business processes and risks;
  • start with external testing: the first results will help you understand how long it will take to fix the shortcomings and whether further research is needed.

But first of all, experts recommend putting your IT infrastructure in order in advance. In particular, before deciding to order a pentest and search for a contractor, you need to enable all available information security tools.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

The pentest should be as similar as possible to a real attack. On the one hand, you need to prepare, and on the other, not deceive yourself. If something is not configured, it's time to put everything in order.

To make the pentest as effective as possible, you need to prepare a technical task (terms of reference, TOR). The result of the entire study may depend on how well it is written.

How to create a technical task for a pentest

It's one thing when a company plans to search for a contractor through an open tender and publish the TOR. In this case, Cyber Media's interlocutors recommend not describing the company's infrastructure in the document. This is sensitive data that hackers can take advantage of. It is better to list the types of work that need to be carried out within the framework of the pentest.

Another approach to finding a contractor is a closed competition. The company prepares technical specifications and sends them to the list of trusted performers.

Dmitry Ilnitsky
Head of Pre-Sale Department at Bastion

In this case, it is important to reflect the size of the infrastructure. For example, for the internal one, you should specify the number of hosts, the availability of a web resource in the form of a corporate portal or knowledge base (SAP, 1C, Bitrix). For external infrastructure — the number of IP addresses and the number of web resources that need to be tested. It is also advisable to include requirements for specialists of the service provider in the TOR: availability of Offensive Security certificates and work experience in your field.

According to him, a specialist who is well aware of the state of the company's IT infrastructure should draw up technical specifications and look for a contractor. Such an employee understands what business processes pass through it and how data is transmitted.

Evgeny Rodygin
Director of the Information Security and Special Projects Department at IVA Technologies

We recommend that the agreement include non-disclosure requirements and the limits/restrictions of the pentest. It is important to clearly define what the performer can and cannot do, what components of the system should not be affected, what information should not be read, what pentest methods will be used, and attack points. It is also necessary to reflect ethical issues and responsibilities, coordination of co-executors, etc.

The expert also reminds that it is better to record the reporting requirements and the procedure for conducting the pentest in the TOR, and to agree in advance on what its result should be. Otherwise, you will have to start the process over again.

Order a pentest: choose a performer

The obvious parameters are the contractor's reputation and experience. If the company has been engaged in pentesting for many years and customers leave positive feedback, then it can be considered.

Diana Solovyova
Head of Network Solutions, Information Security Systems, Collaboration and Messaging Systems, ICL Services

Perhaps the most important thing is to make sure that the chosen contractor can ensure the security of the received data. Disclosing the contents of the test report to third parties can lead to serious risks for the customer company. You should make sure that the chosen contractor follows strict rules and procedures to ensure confidentiality.

Experts also recommend checking whether the contractor has a license from the FSTEC of Russia to provide the service. It is also important that all project performers are full-time employees of the contractor.

Conclusions

Pentesting is a service offered today by dozens of companies in Russia. Choosing a contractor is not easy, especially if the research needs to be done for the first time. Nevertheless, the approach to finding a contractor is no different from other situations. Often, it is enough to rely on the organization's experience, reputation, and availability of certificates.

Finally, to order a pentest and get an adequate result, you should double-check the company's IT infrastructure and documentation in advance. Preparation will help you not only identify new vulnerabilities, but also understand whether the organization is ready for external information security research at all.