Things to Consider When Hiring Penetration Testing Companies

Redport Information Assurance
Your boss has tapped you to brief them on whether your company should hire an outside company to perform penetration tests. While feeling a little faint, the first questions you should ask yourself are: "What types of pen-test methods are there, and what type of access to my company's data assets does each test provide?"
There are three types of penetration test methods: Black Box, White Box and Grey Box.
Black Box methods are "blind," meaning that the pen testers do not have access to the "network configurations and must investigate the organization's information infrastructure from scratch." This also means that the pen tester does not have access to employee names at various levels, IP addresses, user IDs, phone numbers, email addresses, or any other data that would provide inside information.
The "White Box" method, also referred to as a "Full Disclosure Test," gives the pen tester access to the company's network configurations, which allows for faster testing. White Box tests are normally used when examining a specific network.
Grey Box methods are a combination of both Black and White Box tests, giving the tester limited access to network configurations (Whitman & Mattord, p. 666).
Cost
Besides deciding which type of pen test it needs, a company should understand before hiring a pen testing company that pen testing is costly and can be time consuming, particularly if the Black Box testing method is used. Byron Bort (2018), a contributor to Grimm.com, stated that "Costs to hire an outside company can go as high as $10,000.00, while the average cost of a data breach exceeds $3.5 million, according to The Ponemon Institute."
Security
Ensure the company has certified IT personnel who have up-to-date background checks as well as certifications such as the Certified Penetration Tester (CPT) certification from the Information Assurance Certification Review Board (IACRB), or the CEH, GPEN, OSCP, OSCE or SANS GXPN.
Ensure that the company follows industry-accepted pen testing standards and methodology.
Data Security. According to Redport Information Assurance's Director of Cybersecurity Operations, Sue Gonzalez, "You must understand what type of pen testing method will be used, how your company's data will be transmitted, stored, and the final method of disposal." The Statement of Work (SOW) and the Scope of Work should contain this information. Also find out whether there have been any complaints or violations against the company, and make sure the company carries liability insurance.

By Dr. Randall Sylvertooth


Sources
Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security (6th ed.), p. 666. Cengage Learning, 20 Channel Center Street, Boston, MA 02210, USA.
Bort, B. (2018, January 18). "Understanding the Real Cost of Pen Testing, Red Teaming and Blue Teaming" [blog post]. Grimm.com. Retrieved from https://blog.grimm-co.com/post/understanding-the-real-cost-of-pen-testing--red-teaming-and-blue-teaming/

For more information about Redport's information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA