Put simply, a penetration test is a simulated attack on a target of evaluation, normally a network or its hosts. The term refers to the attempt to penetrate the target, often using methods similar or identical to those of a real attacker. Over the years penetration testing has evolved from a small-scale, manually focused niche service into a more commoditised and partially automated exercise, although most specialists still use a combination of automated and manual tools to conduct a test.
Why conduct a Penetration Test?
There are many reasons to conduct penetration testing both internally (i.e. inside areas under your organisational control, such as an internal network) and externally (i.e. from areas such as the Internet where your target may be reachable but which you do not directly control). Penetration testing is often used as part of an assurance process, and the results are normally combined with a risk assessment in order to determine whether a given project should receive accreditation or sign-off from information security stakeholders. Penetration testing is also used to demonstrate compliance with legislation, regulation and standards, including (but not limited to):
* PCI DSS (Payment Card Industry security standards)
* Sarbanes-Oxley (U.S. legislation governing publicly traded U.S. companies)
* HIPAA (Health Insurance Portability and Accountability Act)
* ISO 27001 (Information Security Management System standard)
* Other national government requirements (e.g. the UK CHECK scheme)
What does a Penetration Test Achieve?
A penetration test provides a form of negative testing. Traditionally, the forms of testing used in software and IT development focus on positive aspects (i.e. does the target meet functionality requirement x through mechanism y?). Penetration testing's negative focus is somewhat different, and answers the question "What can an attacker do to this system within an agreed timeframe?". The deliverable normally associated with a penetration test is the final report, which usually contains an executive summary and detailed technical findings with recommendations for improvement.
How do Penetration Tests compare to Vulnerability Scans?
As mentioned earlier, penetration testing focuses on negative testing. Vulnerability scans, although highly cost-effective and scalable, instead provide a large number of positive-focused checks for known issues. Because vulnerability scanners cannot understand the context of what they are facing (business logic, chained weaknesses, the value of what sits behind a host), there are limits to what they will find. Despite this, professional penetration testers often use vulnerability scanning tools to cover a large amount of ground in a short time, and any professional security tester should be able to use results from your internal scanners to reduce the time required to conduct a penetration test.
Another problem with vulnerability scans is interpretation of results: raw scanner output contains false positives and findings whose severity depends on context. Again, a professional security testing organisation should be able to assist in interpreting results.
Should Penetration Tests be conducted internally or by third parties?
Despite the presence, advantages and limitations of automated scanners, penetration testing is still a highly skilled job. If your internal security team is comfortable with multiple operating systems, understands the concepts and has successfully conducted penetration tests before, testing in-house can be a good way of reducing the costs associated with hiring expensive consultants. If resources are an issue, or third-party independence is required, then it may be better to use a third party. A good third-party consultancy will always listen to your needs and try to reach the best solution for you. If they are more focused on testing to the exclusion of your internal team's development, then maybe it's time to rethink your supplier.
How do I choose a supplier?
Finding a third party to conduct penetration testing can be difficult. There is a wide range of badges and associations, not to mention a large number of firms offering such services. There is no hard and fast rule for choosing a supplier, but a key factor is comfort. If you're not comfortable with your supplier then at the very least you should consider introducing competition. As a general rule of thumb, consider the following:
* Is the supplier connected to or part of another supplier to your organisation? If so, there may be a conflict of interest.
* Does the supplier sell products, especially security products? This may affect the independence of recommendations.
* Does the supplier have vendor affiliations such as partner or reseller status? If so, it's possible you might not hear the full truth about a product they're affiliated with.
* Is the supplier part of an association? If so, what remit does that association have? Watch out for suppliers using government-only or non-testing certifications as a means of demonstrating capability.
* Does the supplier have a formally written methodology? It's not necessary to wade through it yourself, but a methodology for common forms of testing provides a set of standardised written processes and makes results repeatable between engagements.
* Is penetration testing part of the supplier's core business offering?
* Will the consultant from the meeting lead or otherwise be involved in the Penetration Test? Watch out for a 'bait and switch' where principal consultants attend scoping meetings but are replaced by less senior staff when it comes to conduct the work.
* How experienced are the consultants involved in the engagement? Whilst there are skilled young testers out there, you should be looking for at least 3 years of full-time testing experience from a supplier. Generally most senior consultants should have at least 5 years full-time testing experience and principals 10 years.
* What's in the contract? Make sure that you have a non-disclosure agreement as well as terms and conditions outlining the obligations of both parties.
* How many live accounts does the account manager currently handle? The account manager is key to getting quick response times from the supplier. If the account manager handles too many clients you may find them overloaded or difficult to get hold of.
The best suppliers are not necessarily the most expensive, and vice versa. It often makes sense to use big names when a brand name is required and small to medium-sized consultancies for other work. Larger consultancies can provide a wider range of services and more streamlined professional account management. Smaller independent consultancies can provide higher value, lower costs or often both, and tend to offer closer working relationships.