Penetration testing 101: How to offer pen test services


Mike Rothman
04.22.2008




Service provider takeaway: Penetration testing services can prove to be profitable for security services providers and resellers. Learn about the different kinds of pen tests and how to offer pen testing services.

Security folks hate surprises. The last thing we want to learn is that a customer's security defenses aren't very good and a reasonably talented bad guy has taken down an application or stolen sensitive data. So how do you eliminate these surprises? You need to encourage customers to test their environments pretty much like a hacker does -- and do it regularly. Offering penetration testing services is a great and profitable opportunity for value-added resellers (VARs).

If a customer pushes back at all about this, remind them that attackers are testing the customer's defenses daily. Just show them the firewall logs to prove your point. Furthermore, bad guys don't follow a code of ethics. They use any means possible to break into computer networks. Your customer should use those same techniques to determine whether hackers will be successful on their network.

There are multiple ways to offer penetration testing services. Many VARs already provide some level of vulnerability scanning. While this is a good start, vulnerability scans only tell you what is theoretically vulnerable, not necessarily what is actually exposed to an attacker. Just as we think about security in layers, we also need to think about how to layer pen tests to provide a comprehensive offering to customers.

Here are four distinct pen testing service offerings you can provide customers to ensure they have full coverage.

  1. Vulnerability scanning: This is a straightforward opportunity and a mature offering. The biggest question you'll face is whether to resell a service offering (like that from Qualys) or to buy a tool and use it internally to scan your customer's networks and systems. Scanning is one of the requirements for nearly every regulation, so this is an easy step along the path to security assurance, since all of your regulated customers need to scan.
  2. Infrastructure pen testing: This offering involves a tool that uses live exploits, like Metasploit or Core Impact. You'll use live ammunition, so orchestrate these tests with the client to ensure the minimum amount of disruption. You should test all externally visible IP addresses -- that's what the bad guys out there can see and are likely trying to penetrate. You may also want to see what you can find if you attach to a conference room network, one of the softest parts of a customer's defenses.
  3. Application pen testing: Trying to break into applications is probably the most important step nowadays, given that so many attacks directly target applications. You can use a Web application scanner (HP's WebInspect, IBM's AppScan), but you should also invest in some people who know how to exploit application logic errors. There's no substitute for a skilled application tester to determine what's broken in an application. Once the initial application is compromised, go directly after the database, where the valuable stuff is. If you can get into the database, the customer is owned. It's much better for you to figure this out than a malicious hacker.

  4. User testing: This is actually the most fun task for penetration testers. You get to see how gullible most users are. This type of testing can involve emailing fake messages to customer service reps, trying to talk your way into the facility (past security or the receptionist) or even dropping thumb drives in the parking lot to see who will plug them into their machines. Many folks are against social-engineering end users, but not me. Remember, malicious hackers don't have a set of rules. They use social engineering because it works. Don't let social engineering surprise your customer and catch them off-guard.
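The distinction drawn above between what a scan reports as theoretically vulnerable and what is actually exposed, together with the advice in the infrastructure item to coordinate with the client and concentrate on externally visible addresses, can be turned into a small triage step before any live test is run. The Python below is an added example written for this page; it is not code from the article or from any scanner or exploit tool the article names. The scan findings, the external exposure data, the CVE-style identifiers and the engagement scope ranges are all constructed placeholders.

```python
"""Triage vulnerability-scan findings against observed external exposure and
the agreed engagement scope.  Added example; all data below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    cve: str        # constructed placeholder identifier, not a real CVE
    severity: float  # CVSS-style score, 0.0 - 10.0


# Constructed scanner output: what is *theoretically* vulnerable.
SCAN_FINDINGS = [
    Finding("203.0.113.10", 443, "CVE-0000-0001", 9.8),
    Finding("203.0.113.10", 22, "CVE-0000-0002", 7.5),
    Finding("203.0.113.20", 3389, "CVE-0000-0003", 8.1),
    Finding("10.0.5.7", 445, "CVE-0000-0004", 9.0),
    Finding("198.51.100.9", 80, "CVE-0000-0005", 6.5),
]

# Constructed view from the outside: host -> ports actually reachable.
# This is what "the bad guys out there can see".
EXTERNAL_EXPOSURE = {
    "203.0.113.10": {443},
    "203.0.113.20": {3389},
    "198.51.100.9": {80},
}

# Constructed rules of engagement: the only ranges the client authorised.
ENGAGEMENT_SCOPE = ["203.0.113.0/24"]


def in_scope(host: str, scope=ENGAGEMENT_SCOPE) -> bool:
    """True if the host falls inside one of the authorised CIDR ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(cidr) for cidr in scope)


def is_exposed(finding: Finding, exposure=EXTERNAL_EXPOSURE) -> bool:
    """True if the vulnerable port is reachable from outside."""
    return finding.port in exposure.get(finding.host, set())


def triage(findings, exposure=EXTERNAL_EXPOSURE, scope=ENGAGEMENT_SCOPE):
    """Sort findings into three buckets, highest severity first:
      test          - exposed AND inside the agreed scope (live-test candidates)
      out_of_scope  - exposed but NOT authorised (report to client, do not test)
      theoretical   - reported by the scanner but not reachable from outside
    """
    buckets = {"test": [], "out_of_scope": [], "theoretical": []}
    for f in sorted(findings, key=lambda x: -x.severity):
        if not is_exposed(f, exposure):
            buckets["theoretical"].append(f)
        elif in_scope(f.host, scope):
            buckets["test"].append(f)
        else:
            buckets["out_of_scope"].append(f)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SCAN_FINDINGS).items():
        print(bucket)
        for f in items:
            print(f"  {f.host}:{f.port}  {f.cve}  sev={f.severity}")
```

The point of the three buckets is the one the article makes: a critical finding on an internal host nobody can reach from outside (the 10.0.5.7 entry) is still worth fixing, but it is not what a live infrastructure test should spend its "ammunition" on, and an exposed host outside the authorised ranges is something to raise with the client rather than to test.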

Offering penetration testing services is a real learning experience for everyone involved. Your testers learn what works and what doesn't and how to adapt to the defenses of the customer. Your customer learns what they've done that is less than effective and usually gets a new appreciation for how vulnerable they really are. And you, as the VAR, get to help pick up the pieces and build a tight long-term relationship with your customer.

About the author

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

All Rights Reserved, Copyright 2006 - 2009, TechTarget