Penetration tests: Do you really get what you pay for?
Megan Popescu
Helping Businesses Establish a Strong Digital Presence | Passionate About Helping Children in Technology
When it comes to cyber security, we must discuss difficult questions in order to build the best defence against attackers. Having a circle of friends who work in Cyber Security and IT, we naturally came onto the subject of Cyber Security as a growing sector and the many new businesses that are breaking into the space. This led us to the hot topic of penetration tests and the vulnerabilities that companies face within their systems.
As a student of Cyber Security, I know enough to understand that security must be approached from several angles. Cyber Security is more than a box-ticking exercise. Penetration tests can be one of the more expensive ways to protect against threats and vulnerabilities, so I can understand the plight of businesses when they say they don't have the budget. After all, 96% of businesses in the UK are classified as micro. I wondered: when a company pays the nail-biting cost of a penetration test, how does the client know they have got the best test for the money they paid? I always put myself in the position of the client and then try to look at it from the company's point of view. What if one penetration tester can find high-risk vulnerabilities that another tester could potentially miss? This led to discussions of human error, varied skill levels and automation, and collectively to a conclusion.
Penetration tests can run from thousands to several thousand and can be very time intensive for the tester, depending on the scope: for example, the number of IP addresses in the test, and whether it is internal, external, a web app or a mobile app. There is much to consider at the beginning of a penetration test. Within a cyber security company there will be various levels of penetration testers, ranging from juniors to seniors, with a range of skills and knowledge accumulated over the years. However, testing systems is much like medicine: there will never be a doctor who is an expert in every area of the human body. They specialise and are better in certain areas than others.
A company that outsources its security needs to a third party may feel that penetration testing is the same across the board. However, you may very well pay premium prices and still not receive a premium report. That is not to say that cyber security professionals do not know what they are doing or are not doing a good job. It is to say that you may not get the best tester for that specific job at that time. You may get a tester who misses an SQL injection that another tester could have picked up.
This is more common than you think, a friend who works for an IT company tells me. There are times when companies will pay for the same test across several Cyber Security firms and compare the reports. Whoever produces the most concise report is usually the firm that will receive the company's business for the foreseeable future. Companies that suffer attacks can often blame the test itself; however, the threat landscape is ever changing, and a penetration test can only reveal how secure your systems are at that point in time. As hackers and their attacks become more sophisticated, and with the addition of zero-day exploits, you may still suffer an attack after a penetration test. When? Nobody knows: it could be 6 months later, it could be the very next day.
Will penetration testing ever become fully automated? We don't think so. When we talk about automation, the best developments are in the testers' tools themselves. A company shouldn't just run a scan and say that everything is ok, because they may not be able to analyse the results and investigate the findings.
As an inquisitive student, I wanted to hear from someone outside my circle, so I turned to LinkedIn. I reached out to William Wright the Director at Closed Door Security and asked if it would be ok if I asked him a few questions which he was happy to answer.
I was curious about the process between a client approaching a company for a penetration test and the tester receiving the job. After all, this was the largest part of our discussion. William told me that,
“Early in the sales process we discuss the client's requirements and shortlist our consultants to match. There's then an internal match-making process where we suggest the work to each shortlisted consultant and they decide if they want to take the project on.”
I can't speak for other consultancy firms, but as soon as I read this I thought it was great: that, within a team, testers were included in the decision-making process instead of being landed with a job they may feel they aren't up to. William also states,
“We provide a brief on the client’s background; point of contact and any information we’ve gathered. This allows our consultants to do the work they want to do and, by proxy, provides our clients with a committed and involved consultant that they can work with directly throughout the project.”
Cyber Security is a hot topic and has been for several years now. According to the UK Gov Cyber Security Survey, 39% of businesses said that they had suffered an attack, and 83% of those attacks were carried out by phishing. It is no surprise that businesses are looking for ways to protect themselves; however, penetration tests are one of the most expensive ways to help protect a business. An interesting article written by Herve Debar in 2019, titled Cybersecurity: High cost for companies, highlights these very issues. Herve wrote:
“Unfortunately, defending against attacks is also very expensive. While an attacker only has to find and exploit one vulnerability, those in charge of defending against attacks have to manage all possible vulnerabilities.”
So how can companies and small businesses, which potentially have a tight budget, guarantee that they are getting the best information possible from tests?
William had the following advice for companies,
“Due diligence is a must for Cyber Security. Unfortunately, our industry is plagued with poor quality consultancies and MSPs who pretend to be specialists. There are a number of accreditation providers, CREST being the most prevalent in the UK, that can provide confidence in a consultancy's ability to perform the services they advertise. Specifically in the UK, the cyber industry is very small. Reputation is one of the leading deciding factors and I always suggest asking others about their experience with consultancies.”
Penetration testing isn't the wild west it is sometimes made out to be. After speaking to multiple professionals, it's clear you need to carry out your due diligence. If you can afford to, it's best to have several tests and compare the reports. If not, do your research and make sure the business you are dealing with has the necessary credentials.