Don’t Buy A Network Pen Test Until You Ask These Questions
Published: Feb 7, 2025
When people hear of an upcoming pen test, they most commonly think of network testing. These tests can be focused against your external network (i.e. network perimeter) or your internal network (cloud environment and/or on-premises network). As these networks typically change year to year with new devices, cloud migrations, on-premises migrations, and firewall migrations, periodic testing may be necessary. This can leave you wondering how to find the right pen test provider to ensure your organization's network security posture is thoroughly assessed.
To help determine if a provider is right for you, we've compiled a list of six questions you should ask providers before you buy a network pen test:
1. How long will the test take?
A suspiciously short timeline may indicate a scope miscommunication, or at worst, a low-quality provider. However, keep in mind that overall scope dictates engagement length, as well as the number of resources assigned.
We can’t speak for all providers, but at Schellman, we normally expect 1 week for small to medium external scopes. For internal scopes, 2 weeks is about average.
2. Will all ports be scanned?
Admittedly, this is a bit of a “gotcha” question. There may be network security devices or other network conditions which affect the result of a port scan. UDP scans carry their own nuances: because UDP is connectionless and many UDP services only reply to a correctly formed request, a port that stays silent could be either open or filtered, so it may not be possible to know if a given port is truly “open”. The best answer would be to scan as many ports as possible, and to perform confirmation scans to identify any potentially missed ports.
3. What tools does your team use?
An over-reliance on outdated tools indicates that the provider may not be routinely updating their methodology. Additionally, if a provider only mentions tools which are automated, this shows that your “pen test” will more closely resemble a vulnerability scan.
If you need a benchmark to compare against providers, reference our tool list.
4. Will your team exploit identified vulnerabilities?
Some providers may offer “pen tests” which are actually vulnerability assessments in disguise. This style of assessment does not actually attempt exploitation of identified vulnerabilities, and is indicative of an automated approach. Automated tools supplement pen tests – but they are not a replacement for them. To reiterate: lack of manual testing indicates a vulnerability assessment or vulnerability scan – not a pen test.
5. Will Active Directory (AD) be included within the assessment?
If you are looking for an internal assessment and you utilize AD, we highly recommend that you include AD as in-scope. In many environments, AD serves as the end-all-be-all for authentication and authorization. Unfortunately, AD has a number of features which can be misconfigured, ultimately allowing for lateral movement within the domain.
In order to have AD assessed, at a minimum, one AD user account should be provisioned for the testing team. If you do not provision this account, the team will be extremely limited in the attack scenarios they may utilize for AD. Lastly, it's important to note that some providers treat AD as a separate assessment -- but at Schellman, we believe that any internal assessment should include AD by default (if it is utilized).
6. If your team runs into a web application, what will they do?
External and internal network pen tests don’t primarily focus on web applications – that's what a web application assessment is for. On the other hand, on almost all network tests, the team will run into a web application. When this happens, the team should research any encountered web applications for known vulnerabilities and misconfigurations. At a minimum, the team should perform unauthenticated testing, such as default credential checks, directory fuzzing, DAST scanning, and some brief manual testing.
Remember: web applications are a large attack surface, and they should be fair game for any network assessment. The only difference here is that authenticated testing should be considered out of scope. If authenticated testing is needed, consider a separate web application pen test.
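As an added example (not code from Schellman's post or its tool list), the script below reads nmap's grepable (-oG) output and checks two of the points raised above: for question 2, whether the full port range was covered and which UDP results came back open|filtered and still need a confirmation scan; for question 6, which HTTP-family services the scan turned up that should receive the unauthenticated baseline. The sample scan output, the host addresses and the function names are constructed for this example.

```python
"""Check a network pen test's port scan report for coverage gaps.

Added example: parses nmap "grepable" (-oG) output. nmap lists only the
"interesting" ports on each Host line and collapses the rest under
"Ignored State: <state> (<count>)", so listed ports + ignored count equals
the number of ports actually scanned.
"""
from __future__ import annotations

from dataclasses import dataclass

FULL_RANGE = 65535  # a full scan (nmap -p-) covers ports 1-65535
WEB_SERVICE_HINTS = ("http", "https", "http-proxy", "http-alt", "https-alt")

# Constructed sample, not real scan data: one host scanned over the full TCP
# range, the same host with a top-1000 UDP scan, and a second host with a
# top-1000 TCP scan. Fields in -oG output are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, "
    "8443/open/tcp//https-alt///\tIgnored State: closed (65531)\n"
    "Host: 203.0.113.10 ()\tPorts: 53/open/udp//domain///, "
    "123/open|filtered/udp//ntp///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: open|filtered (997)\n"
    "Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, "
    "8080/open/tcp//http-proxy///\tIgnored State: filtered (998)\n"
)


@dataclass
class HostScan:
    host: str
    ports: list[tuple[int, str, str, str]]  # (port, proto, state, service)
    ignored_state: str                      # state nmap collapsed the rest into
    ignored_count: int

    @property
    def scanned(self) -> int:
        return len(self.ports) + self.ignored_count

    @property
    def protocols(self) -> list[str]:
        return sorted({proto for _, proto, _, _ in self.ports})


def parse_gnmap(text: str) -> list[HostScan]:
    """One HostScan per 'Host: ... Ports: ...' line in grepable output."""
    scans = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        ignored_state, ignored_count = "", 0
        if "Ignored State" in fields:
            state, count = fields["Ignored State"].rsplit(" ", 1)
            ignored_state, ignored_count = state, int(count.strip("()"))
        ports = []
        for entry in fields["Ports"].split(", "):
            # entry layout: port/state/proto/owner/service/rpcinfo/version/
            parts = entry.split("/")
            ports.append((int(parts[0]), parts[2], parts[1], parts[4]))
        scans.append(HostScan(host, ports, ignored_state, ignored_count))
    return scans


def coverage_findings(scan: HostScan) -> list[str]:
    """Gaps a buyer should raise with the provider; empty list means none."""
    findings = []
    protos = "/".join(scan.protocols)
    if scan.scanned < FULL_RANGE:
        findings.append(f"{scan.host}: only {scan.scanned} {protos} ports "
                        f"scanned, not the full 1-{FULL_RANGE}")
    if scan.ignored_state == "open|filtered":
        # The unlisted ports never answered either, so they are unresolved too.
        findings.append(f"{scan.host}: {scan.ignored_count} unlisted {protos} "
                        "ports are open|filtered, confirmation scan needed")
    unresolved = [port for port, proto, state, _ in scan.ports
                  if proto == "udp" and state == "open|filtered"]
    if unresolved:
        findings.append(f"{scan.host}: UDP ports {unresolved} are "
                        "open|filtered, confirm with service-specific probes")
    return findings


def web_services(scans: list[HostScan]) -> list[tuple[str, int]]:
    """(host, port) pairs that should get the unauthenticated web baseline."""
    return [(s.host, port) for s in scans for port, proto, state, svc in s.ports
            if proto == "tcp" and state == "open" and svc in WEB_SERVICE_HINTS]


if __name__ == "__main__":
    results = parse_gnmap(SAMPLE_GNMAP)
    for scan in results:
        for line in coverage_findings(scan) or [f"{scan.host}: coverage complete"]:
            print(line)
    print("web services for the unauthenticated baseline:", web_services(results))
```

Run it against a provider's actual `-oG` file in place of the constructed sample; a TCP line whose listed ports plus ignored count do not reach 65535 means the team did not scan the full range, and an "Ignored State: open|filtered" UDP line means most of the UDP results are still unresolved rather than confirmed.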
Maximize the Effectiveness of your Network Pen Test
By asking the right questions about the scope of the test, tools used, and methodology employed, you can ensure that your organization's network security posture is thoroughly assessed. A comprehensive network test should include manual testing, Active Directory assessment (if applicable), and consideration of web applications as potential attack surfaces. If you’d like further assistance in the form of a pen test, Schellman is a leading provider – please fill out our brief pen test scoping questionnaire and a leader will get back to you shortly!
About Austin Bentley
Austin Bentley is a Manager at Schellman, headquartered in Kansas City, Missouri. With a robust background in penetration testing, Austin has developed a distinctive procedural methodology that sets his assessments apart. His expertise spans various forms of penetration testing, ensuring comprehensive security evaluations. Before stepping into his managerial role, Austin honed his skills in Application Security at a major financial institution, where he was instrumental in safeguarding critical systems.