There are two ways to establish if your IT infrastructure is secure enough. The bad option is to wait until your organization gets hacked; a better option is to work with a professional penetration testing company.

A penetration testing company will use techniques similar to those used by cybercriminals to search for - and then attempt to safely exploit - vulnerabilities in your infrastructure. It will then provide a report highlighting any security problems that it discovers.

However, a pentest is only as good as the person carrying out the test, and it's only of value if the penetration tester looks at the right things and reports back to you in a way that's useful.

So how do you choose a penetration testing company?

Establish Penetration Testing Company's Qualifications

"Lots of IT service companies will say that they can carry out penetration tests for you, but you need to find a credible company that is qualified to deliver them," said Pravesh Kara, a managing consultant at pentesting specialist Perspective Risk.

It's vital to look for a company with specialist penetration testers, and to establish the penetration testing qualifications of the person or people who will conduct the test. There are many good qualifications to look out for, including CHECK team leader, Offensive Security Certified Professional and Mile2 Certified Penetration Testing Consultant or Certified Ethical Hacker.

Testimonials or references from customers are also useful to help you establish a penetration testing company's credentials.

Scope the Penetration Test

The scope of the penetration test will often be defined by your motivation for getting a pentest in the first place. "There is always a driver for a penetration test, and often that is a regulatory requirement or something required by a customer. In that case, the driver defines the scope," Kara said.

For example, if you handle customer credit card information, the Payment Card Industry Data Security Standard (PCI DSS) has a method for testing, so the scope can be defined from that.

But you may decide it is wise to have a penetration test carried out for less well-defined reasons. For instance, perhaps you have acquired another company and taken on responsibility for a pre-existing IT infrastructure. "In that case a good penetration testing firm should be able to help you scope a test," said Mike McLaughlin, a senior penetration tester at First Base Technologies, a penetration testing company.

"Alternatively, you should be able to say 'Here's my budget, tell me how you can use that best'," he said.

Should You Look at Social Engineering?

One important consideration is whether you want to restrict your penetration test to the technical testing of your IT systems, or whether you want the test to include social engineering and phishing attacks to test your "human firewall."

"Phishing is an absolutely massive problem, so you should absolutely consider it," advised McLaughlin. "We are getting lots of security engagements where we do a phishing attack and then go in and do security awareness training. This should be high on your list of requirements."

Establish Expectations for Pentest Report

Finding someone with the suitable qualifications to carry out a penetration test and ensuring that the scope of the test meets your needs are two key requirements, but don't underestimate the importance of the deliverable at the end of the process: the penetration testing service's report. A penetration test is only valuable if it provides information that can help you improve your security, so the quality of the report is essential.

"At the very least, you should expect a description of every vulnerability discovered and information on how to fix each one," McLaughlin said. "Some firms will also provide a 'management report' of one or two paragraphs of non-technical speak outlining the problems and the risks to the business."

These can help non-technical senior executives appreciate the seriousness of some security vulnerabilities and understand why resources need to be made available to fix them, he said.

Make Penetration Testing a Regular Event

A penetration test report is only a snapshot of your IT infrastructure at a single point in time, and it can become out of date very quickly. That means that a penetration test should be a regular event rather than a one-off exercise.

"You should have a pen test at least annually, but the frequency should be decided as an output of a risk assessment," said Perspective Risk's Pravesh Kara. "If you have a sensitive system and you make a change, you should test it to ensure that there are no low-hanging fruit."

In fact, it is possible to check for very obvious security vulnerabilities yourself using vulnerability scanners and automated penetration testing tools, but these should not be seen as a replacement for a full-blown penetration test carried out by a skilled tester. Automated penetration testing tools won't find less obvious vulnerabilities that require a degree of creativity to exploit.

Another issue with testing your own infrastructure, explained Gartner analyst John Pescatore: "There is an issue when internal people test things, because they fall into a pattern of testing and tend not to find paths through less valuable assets."

Penetration Testing Pitfall

This highlights a potential problem with penetration testing companies, too. If you stick with the same penetration testing service for too long, its staff could also fall into "a pattern of testing," as Pescatore puts it. If that happens, they may fail to spot problems which may be more obvious to a fresh pair of eyes.

So should you change your penetration testing company regularly? "A decent pen testing provider will have enough testers to rotate so you can use a different consultant each time for a few years before changing a company," Kara said.

But First Base Technologies' McLaughlin is not so sure that is necessary. "A degree of familiarity with your systems can help, because we are trying to simulate cyber attacks, and criminals won't go in blind," he said. "Cycling suppliers can be a good thing, but if a tester knows your systems then that can keep the cost of the test down, and it can help them focus their energy."

Should You Keep Staff in the Pentest Loop?

An important thing you need to decide before a penetration test is whether to let your security and other IT staff know when the test is scheduled.

"If we are doing a check-box test and have administrative access to servers, then everyone should be aware," McLaughlin said. "But if we are simulating an unexpected attack - a so-called 'red team exercise' - then you wouldn't let your staff know so you can see how they react."

Minimizing Penetration Test Disruptions

One worry that you may have is that a penetration test could lead to disruption, crashed servers or denial of service for employees or even customers. It's a possibility, Kara said, but worries are probably overblown. "It rarely happens, and we try to do tests without affecting the production environment, but by its nature a pen test is probing the unknown and it can have unknown effects."

This risk can largely be mitigated by good communication, McLaughlin said. "Our tester is always in contact with the client, so if we notice that a server is slowing down we would notify the client, and vice versa."

Penetration Test Pricing

One final thing to mention is penetration test pricing. Both Kara and McLaughlin recommend getting at least three quotes for pentests that are clearly scoped, so you know what you are paying for.

Like many things in life, don't forget that when it comes to penetration testing companies, you often get what you pay for. Going for the lowest cost option with a tester who is under qualified or inexperienced is unlikely to lead to the best outcome.

What to Ask a Potential Penetration Testing Company

Summing it all up, here are 13 questions to ask when evaluating a penetration testing service:

  • What industry certifications does the company have?
  • How many penetration testers does it employ?
  • Which named individual(s) will carry out the penetration testing?
  • What professional qualifications and certifications do they have?
  • How experienced are they?
  • What assistance can the penetration testing company provide in scoping the tests?
  • Does it offer social engineering and phishing testing?
  • Can it follow these up with security awareness/anti-phishing training?
  • How would it carry out a penetration test, and to what time scale?
  • What will the test cost, and in what circumstances might the final cost increase?
  • What steps do penetration testers take to minimize possible effects on your business?
  • What reports and recommendations will be provided after the test, and how much detail will they include?
  • Can the penetration testing company provide testimonials or references from other customers?

Short List of Penetration Testing Companies

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.