Do you pentest against PCI DSS? Do you test for OWASP Top 10? Are Berezha Security reports ISO27001 compliant? These are just a few stunning questions we often hear from our future customers. Although they often sound naive, we have to elaborate on these questions. Otherwise, if our clients know as much as we do, why would they need us? So, in this post, we share some of the frequent customer questions from our presale experience. How many of them are also on your list?
“What methodologies and best practices will you use during the penetration test?”
We touched on this topic in our recent post about different security services. In short — a penetration test copies the attacker’s behavior and shows the customer how the real attacks happen. The pentest demonstrates the vulnerabilities exposed to malicious hackers and what tools they will use to exploit them. With this knowledge, the customer can fix the vulnerabilities before the attacks happen.
Asking about the penetration testing best practices is similar to asking about best practices in hacking attacks. There is plenty of hacker tricks an attacker could use, and the more experienced they are — the thicker it will get. Unfortunately, there is no best practice approach to staying up to date with the hackers as the game is changing too fast. Luckily, we manage to keep our bag of tricks in line with its pace.
“Can you guarantee that the penetration test will do no harm?”
It is quite hard to try to break into something and not break something along the way. Of course, the pentest goal is to improve security and not to ruin the operations. And the rule of thumb for vulnerability demo is Proof of Concept and not real business impact. However, the work’s nature does not guarantee anything because we cannot be sure how fragile the client’s systems are.
To entirely avoid a production impact, we always advise pentesting a copy of the production environment. There are limitations in this approach, as some differences between the production, stage, and test environments are inevitable. However, it is always worth having such segregated environments for other reasons.
And, of course, we have professional liability insurance just in case our error causes any losses. Which never happened to date.
“Show me the sensitive data as proof.”
Imagine a vulnerability is a door that had to be locked, but we found a way to get behind it. The best proof that we got in is showing you something visible only from behind the door. Secret or not, what we show you must convince you to change the lock. Even if, at the time, there was nothing valuable inside. So why would you want a screenshot of the CEO’s email inbox from us? Wouldn’t a screenshot of our successful logon to his laptop be enough?
By going easy, we minimize the negative impact. We know people love WOW effects, and we collect as much evidence as we need for it in front of a security-conscious audience. However, let us send you an excellent pentest report instead of leaving a bunch of files on your disk. That is what malicious hackers do, and instead of advice on how to fix your issues, you usually find a Bitcoin address there.
We at Berezha Security do have some more questions like this, and maybe this post is just the beginning of a series. Stay tuned and take care.