Penetration Testing is the process where we think like a cyber attacker, using their tools and methods to identify vulnerabilities in your systems, network, servers, websites, web apps, office and so forth. This allows the company we are penetration testing to resolve those vulnerabilities so they can no longer be exploited by hackers. So, how much should you share with a Penetration Testing company?
Some people think that, to make it fair, a Penetration Testing company should have as little information as possible, so that it has the same information a cyber attacker would have. This is great if you want to compare a Penetration Testing company against a cyber attacker, but ultimately you want the Penetration Tester to find as many vulnerabilities as possible. So any advantage or extra information you can provide to the Penetration Tester increases the chances of them finding more vulnerabilities, which allows you to resolve them and be more protected. We don’t want to be fair to the cyber attacker. We want them to be at a significant disadvantage while maximising your cyber security.
The other concern we hear is that the Penetration Tester may identify vulnerabilities that provide elevated access to systems, and that the Penetration Tester could potentially use that access for malicious purposes. For this reason, where possible, we recommend providing access to a non-production environment. A non-production environment is the same, or very similar, in setup and code to the production environment, but it doesn’t contain sensitive information. In the cases where this is not possible we can, and have, performed Penetration Testing on production environments.
Either way, a vulnerability found would apply to all environments, so a malicious Penetration Tester could use that information to potentially impact or gain access to production data anyway. This is why all employees of Vertex have to go through multiple background, personality, personal values and security checks before being hired.
That said, at the end of the day you still need to trust someone to help test your cyber security, so picking the right company is important. This is why you should make sure you only use a CREST approved company that has proven its trustworthiness with years of service.
Vertex Cyber Security is CREST approved and for more than 8 years has provided Penetration Testing to many companies, from Top 100 ASX companies to SMBs to startups. Contact Vertex for your next Penetration Test.