After you have chosen a penetration testing vendor, follow these guidelines to prepare for the test:

Familiarize the firm with your security policy
A good testing firm should ask to see your existing security policy so that it knows which areas of security are of greatest concern to you.

Decide who in your organization will know about the test
Keep the circle small. If administrators know when the test is scheduled, they might be tempted to tighten their configurations temporarily to block the testers, and the results will no longer reflect your normal security posture.

Define your point of contact (POC)
Within your organization, a single person should be the testing firm's contact. If an unexpected result occurs, such as an unplanned server crash, the tester notifies the POC. Conversely, if the POC notices activity that falls outside the agreed scope, he or she must have the testers' contact information to tell them to stop. The POC is also responsible for initiating disaster recovery or incident response should unexpected results occur.

Create detailed confidentiality agreements and nondisclosure agreements, and have an attorney verify them
You do not want information about a security weakness in your organization to leak to others. Although confidentiality statements and nondisclosure agreements do not by themselves prevent a leak, having them is helpful if you have to pursue the matter in court.

Create a detailed request for proposal (RFP) that lists your objectives for the penetration test
The vendor should then produce a statement of work (SOW) based on the RFP that specifies the rules of engagement, which all parties agree on before testing begins.

Confirm what you want included in the report
The report should identify the source of each threat (internal or external), the impact of each exploit, the relative risk compared with the effort required to secure against the attack, and the probability of the attack occurring. The analysis should rest on a qualitative risk assessment rather than solely on the auditor's personal opinion. Also decide whether the report should include recommendations on how to mitigate the risks discovered during testing.

Contact your Internet service provider (ISP) about the test
If the test might affect the ISP's other customers, the ISP will want to know in advance; scanning and exploitation traffic that the ISP has not been told about looks like an attack and can trigger its abuse handling.

Avoid introducing major network changes while the test is occurring
You want the test to reflect a stable network. Changes to the infrastructure during the test can produce findings that no longer match what is actually deployed.

Perform multiple backups of critical systems before the test begins
Because you are allowing an outside firm potential access to your critical systems, take steps to ensure that you can recover if data is damaged, and verify that the backups actually restore before the test starts.

Agree on the transmission and storage of data
Deliverables can be transmitted as encrypted soft copies, as hard copies delivered in person, or both. Never exchange unencrypted soft copies of reports that reveal sensitive information. After the engagement, the vendor should either destroy every copy of the report it holds or store the results securely.
If possible, set up a honeypot so that you can evaluate the capability of the testing firm. A honeypot is a deliberately exposed server with no production role; its purpose is to attract attackers to probe and exploit it while you monitor and record their activity. Although honeypots are usually deployed for forensic purposes and to distract potential intruders, one can also be used to assess the technical skill of penetration testers: a competent team should find the honeypot's weaknesses, and the activity you record shows how thoroughly they worked. Make sure the honeypot's address is inside the scope defined in the SOW; otherwise a diligent tester will correctly leave it alone, and you will have measured compliance with the rules of engagement rather than skill. Numerous vendors supply prebuilt honeypot servers, including Honeywall Gateway (part of the Honeynet Project), Bait and Switch, Honeyd, Specter, NetBait, and others.
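The following is an added example, not code from the book or from any of the products named above. It shows the core of what a honeypot does for this purpose: listen on a port nobody legitimately uses, hand out a fake service banner, and record who connected, when, and what they sent, so that you can later compare the log against the testers' report. The banner string, the port, and the probe client are assumptions constructed for the example; a real deployment would use one of the listed products on an isolated host rather than this listener.

```python
import socket
import threading
import datetime
import time

# Constructed fake banner (assumption for this example). A scanner that
# grabs banners will record this host as running OpenSSH.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class ProbeLog:
    """Thread-safe list of recorded probe events."""

    def __init__(self):
        self._lock = threading.Lock()
        self.events = []

    def record(self, event):
        with self._lock:
            self.events.append(event)

    def wait_for(self, count, timeout=5.0):
        """Block until at least `count` events are logged; True on success."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.05)
        return False

    def sources(self):
        """Distinct source IPs seen, for comparing with the testers' report."""
        with self._lock:
            return sorted({e["src_ip"] for e in self.events})


def handle_client(conn, addr, log, read_timeout=2.0):
    """Send the fake banner, capture what the client sends, log it, close."""
    conn.settimeout(read_timeout)
    received = b""
    try:
        conn.sendall(FAKE_BANNER)
        while len(received) < 4096:          # cap what we keep per connection
            chunk = conn.recv(1024)
            if not chunk:                    # client closed: EOF
                break
            received += chunk
    except OSError:                          # timeout or reset: still log it
        pass
    finally:
        conn.close()
    log.record({
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": addr[0],
        "src_port": addr[1],
        "bytes_received": len(received),
        "payload_head": received[:64].decode("ascii", "replace"),
    })


class Honeypot:
    """Low-interaction TCP listener; port=0 picks a free port (for tests)."""

    def __init__(self, host="127.0.0.1", port=0):
        self.log = ProbeLog()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def _serve(self):
        self._sock.settimeout(0.5)           # wake periodically to check stop
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handle_client,
                             args=(conn, addr, self.log), daemon=True).start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


def probe(host, port, payload):
    """Constructed client mimicking a scanner: grab banner, send a probe."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    hp.start()
    print("banner:", probe("127.0.0.1", hp.port, b"GET / HTTP/1.0\r\n\r\n"))
    hp.log.wait_for(1)
    for e in hp.log.events:
        print(e)
    hp.stop()
```

Run it on a spare host on the in-scope segment and keep the event log off that host. After the engagement, `sources()` and the per-connection payloads tell you whether the testers touched the decoy at all, whether they only grabbed the banner or actually sent exploit traffic, and whether the report mentions it; silence on a deliberately weak host in scope is itself a finding about the firm.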