Cyberattacks on businesses across the world have increased and the battle is getting tougher. You know you need a penetration test or vulnerability assessment to help mitigate risk and strengthen your overall security posture. Considering the IT skills gap, it is no surprise to be in the position to work with a managed security service provider (MSSP). But, how do you find a firm that you can trust?
We’ve put together this checklist of nine steps to help you quickly evaluate the maturity of a provider.
Does the provider have a standardized method to collect information about your environment?
Ask the provider whether they have a documented process for collecting your data. The answer gives quick insight into the maturity of the provider’s engagement process.
Does the provider schedule a kick-off call with the consultant that will be performing the work?
This is a big one. You want to know who is actually performing the testing of your environment. Too often, senior consultants represent the firm on the phone while junior staff perform the work behind the scenes.
Can the provider speak to the process?
Ask these questions to measure a provider’s knowledge and gauge their maturity level:
- What assessment methodologies does the team use?
- Can you list a few of the most common tools you use?
- What are the different phases we can expect for testing?
What type of manual testing is performed?
This question alone can be enough to measure the technical maturity of the provider. Manual testing is a critical component of penetration testing. In fact, penetration testing is 99% manual, with the remaining 1% being the use of tools for exploitation (Metasploit, etc.). Many tools exist that claim to perform ‘penetration testing’ – and some firms even claim to be ‘automated’ – but the reality is that quality penetration testing cannot be automated.
Some activities to expect include:
- Manual exploitation of vulnerabilities (with prior authorization)
- Lateral and horizontal movement in the environment using techniques such as pass the hash
- Searching for and identifying sensitive files in exposed file shares
- Password cracking of any identified password hashes
- Limited brute force attempts using default passwords
Does the provider mention or state that they will provide regular status updates throughout the engagement?
Status updates are a standard process at established agencies. Critical issues should be immediately escalated to stakeholders and points of contact. A dedicated project manager should provide regular status reports and meetings.
Does the provider ask about a network operations center (NOC) or security operations center (SOC) that should be notified?
These groups (SOC, NOC, etc.) monitor the environment for anomalies. Without proper notification they can block or hinder testing efforts. Experienced agencies will inquire about the detection and logging technologies present within the organization. This ensures monitoring teams are aware of the testing and that the necessary precautions are in place.
Does the provider mention anything about receiving approval before attempting penetration of identified vulnerabilities?
Mature firms will always reach out to a point of contact (or have prior authorization) before attempting to exploit a vulnerability on a live host. Any time a vulnerability is exploited, it could impact the stability of the host and disrupt services.
Does the provider perform a closeout presentation with the consultant that performed the testing?
An established firm will always take the opportunity to perform a closeout presentation. This allows the firm to speak to the results of the assessment, add context to the issues, and highlight systemic deficiencies. The consultant who performed the assessment presents the results and is available to answer questions from your stakeholders.
Does the provider supply raw output (xlsx, etc.) for uploading into downstream systems?
This shows how much manual effort has gone into the results you are receiving. It will be immediately apparent whether the provider relied on an automated tool and how much coverage was truly achieved.
With the integrity of your environment on the line, picking a great managed service provider means taking the time to evaluate the needs of your organization and the capabilities of the MSSP you are considering. Keep the checklist in mind when evaluating firms to perform your assessment.