Service provider takeaway: Penetration testing services can prove to be profitable for security services providers and resellers. Learn about the different kinds of pen tests and how to offer pen testing services.
Security folks hate surprises. The last thing we want to learn is that a customer's security defenses aren't very good and a reasonably talented bad guy has taken down an application or stolen sensitive data. So how do you eliminate these surprises? You need to encourage customers to test their environments pretty much like a hacker does -- and do it regularly. Offering penetration testing services is a great and profitable opportunity for value-added resellers (VARs).
If a customer pushes back at all about this, remind them that attackers are testing the customer's defenses daily. Just show them the firewall logs to prove your point. Furthermore, bad guys don't follow a code of ethics. They use any means possible to break into computer networks. Your customer should use those same techniques to determine whether hackers will be successful on their network.
There are multiple ways to offer penetration testing services. Many VARs already provide some level of vulnerability scanning. While this is a good start, vulnerability scans only provide information about what is theoretically vulnerable, not necessarily what is exposed. As we tend to think about security from the perspective of layers, we also need to think about how to layer pen tests to provide a comprehensive offering to customers.
Here are four distinct pen testing service offerings you can provide customers to ensure they have full coverage.
- Vulnerability scanning: This is a straightforward opportunity and a mature offering. The biggest question you'll face is whether to resell a service offering (like that from Qualys) or to buy a tool and use it internally to scan your customer's networks and systems. Scanning is one of the requirements for nearly every regulation, so this is an easy step along the path to security assurance, since all of your regulated customers need to scan.
- Infrastructure pen testing: This offering involves a tool that uses live exploits, like Metasploit or Core Impact. You'll use live ammunition, so orchestrate these tests with the client to ensure the minimum amount of disruption. You should test all externally visible IP addresses -- that's what the bad guys out there can see and are likely trying to penetrate. You may also want to see what you can find if you attach to a conference room network, one of the softest parts of a customer's defenses.
- Application pen testing: Trying to break into applications is probably the most important step nowadays, given that so many attacks directly target applications. You can use a Web application scanner (HP's WebInspect, IBM's AppScan), but you should also invest in some people that know how to exploit application logic errors. There's no substitute for a skilled application tester to determine what's broken in an application. Once the initial application is compromised, go directly after the database, where the valuable stuff is. If you can get into the database, the customer is owned. It's much better for you to figure this out than a malicious hacker.
- User testing: This is actually the most fun task for penetration testers. You get to see how gullible most users are. This type of testing can involve emailing fake messages to customer service reps, trying to talk your way into the facility (past security or the receptionist) or even dropping thumb drives in the parking lot to see who will plug them into their machines. Many folks are against social-engineering end users, but not me. Remember, malicious hackers don't have a set of rules. They use social engineering because it works. Don't let social engineering surprise your customer and catch them off-guard.
Offering penetration testing services is a real learning experience for everyone involved. Your testers learn what works and what doesn't and how to adapt to the defenses of the customer. Your customer learns what they've done that is less than effective and usually gets a new appreciation for how vulnerable they really are. And you, as the VAR, get to help pick up the pieces and build a tight long-term relationship with your customer.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.