CompTIA PenTest+ Certification For Dummies. Glen E. Clarke


Read the book CompTIA PenTest+ Certification For Dummies - Glen E. Clarke online, page 14



       Does the penetration testing team have experience with prior penetration tests?

       Has the penetration testing team performed a penetration test against a similarly sized organization before?

       Does the penetration testing team have experience with the types of systems and platforms being used by the company?

       Does the penetration testing team have experience with network-layer testing (networking systems and configuration)?

       Does the penetration testing team have experience with performing application-layer testing, and is it familiar with Open Web Application Security Project (OWASP) Top 10 validation techniques? (The OWASP Top 10 is a list of the ten most critical web application security risks that attackers commonly exploit.)

      How often a pentest should be performed

      There is no concrete answer to how frequently you should perform a penetration test; however, it’s best to perform a pentest annually and after any major change to the infrastructure.

      Standards such as the PCI DSS state that in order to be compliant, organizations should perform external testing once a year, plus after making any major changes to the network infrastructure or application environments. The PCI DSS also states that you should perform internal testing once a year and after any major changes.

      Regular schedule

      If your organization is not governed by regulations that dictate when you need to perform a penetration test, you can create your own schedule that works for you. Hiring an external team of penetration testers can be expensive, so one option may be to create a schedule that uses internal staff to test internal and external assets more frequently than an external company. For example, a schedule could look like this:

       Every 12 months: Penetration testing of internal assets is performed by internal staff.

       Every 12 months: Penetration testing of external assets is performed by internal staff.

       Every 24 months: Penetration testing of internal and external assets is performed by a third-party company.

      Tip: Using internal staff for penetration testing can help you reduce costs of penetration testing while still performing them on a regular basis. However, you should have a third-party company perform a penetration test at some point because it is a great way to get a real-world picture of your assets’ vulnerabilities.

      After major changes

      You should also perform a penetration test after making any major changes to the network infrastructure or application environments, such as upgrades to software. Some examples of infrastructure changes could be adding a new server to the network, replacing a server with a new server, or adding a new network segment. These changes could introduce new ways for hackers to get into the network, so you want to make sure you perform a penetration test to verify all is secure.

      For the exam: For the PenTest+ certification exam, remember that a penetration test should be performed annually and after any major change to the infrastructure.

      Other considerations

      A few additional considerations should be taken into account when discussing when a penetration test should occur. For example, one of the risks of a penetration test is that you could end up crashing a system or network. So, to ensure your pentests are successful in providing you with the information you want, you want to make sure you follow these recommendations when possible:

       Perform pentests in a mockup environment. When performing penetration testing, you run the risk of crashing systems or networks due to the nature of the attacks. If possible, create copies of systems inside a test environment and perform the penetration test on the test system. It is critical that the test systems are an exact copy so that the penetration test accurately reflects the test of the real system.

       Perform pentests before deploying the system or application into production. If possible, before a system or application is put into production, perform a penetration test on that component before it goes live. This will help reduce the cost of maintaining the system, as it is more costly to fix security issues once the system or application is in production.

       Perform pentests on a regular basis. Penetration testing is not a one-time thing. It is something that should be performed on a regular basis and after any major changes are made to the environment. For example, if you perform a security test on a web server before it is put in production and you find it is ready for production because all simulated attacks were unsuccessful, it does not mean you do not need to test this system again. You will test the system again during the next annual penetration test.

      In addition to understanding what a penetration test is, who should perform the test, and how frequently the tests should be performed, let’s take a look at some other penetration testing terminology you need to be familiar with for the CompTIA PenTest+ certification exam.

      Types of assessments

      The CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments:

       Goals-based/objectives-based: This type of assessment is focused on a specific purpose. For example, you may have installed a new server or piece of software and want to test that specific asset for security flaws. Other examples of goals for a goals-based assessment are assessing the security of only the wireless network, or performing only social engineering attacks to test the effectiveness of the security education program with the employees. Another common goal may be simply to test the security of a public web site or web application.

       Compliance-based: A compliance-based assessment is an assessment that is driven by standards and regulations. With compliance-based assessments, you must follow a standard assessment methodology such as the National Institute of Standards and Technology’s (NIST’s) SP800-15 series of guidelines or the PCI DSS from the PCI Security Standards Council.

       Red team/blue team: The term red team refers to the internal team of professionals performing a penetration test acting as hackers. With a red team test you are not as focused on reporting and remediation steps after the fact; you are more focused on trying to bypass security controls and determining how your security team will respond to the attack. The security team responsible for defending against attacks is known as the blue team.

      Pentest
