It's up to you – which option(s) will you choose to test your security? If any area has a diversity of terminology, it is the world of security. What's more, all these terms are used interchangeably and overlap one another. And on top of that, there are mountains of standards to choose from and different types of certifications that can tell you something about the quality of the party doing the work for you. So where should you start if you want to scrutinise the security of your organisation?
Don't choose a type of test, work out what your requirements are
Even if you know exactly what a vulnerability assessment ought to involve, it may be that different parties are using the term in different ways. For one, it means performing a thoroughgoing investigation in accordance with high standards, with all vulnerabilities being identified. For another, a vulnerability assessment is merely an automated scan. The term penetration test (or pen test) is often used as a generic term, whereas this type of test is actually rather specific and far-reaching and will definitely not be an appropriate choice for every organisation.
So when deciding what your organisation needs, don't just go for a name but instead consider the purpose of your test. Also look at what type of data you want to protect against which type of attacker. And evaluate the existing level of knowledge about security within your organisation. It's all very well to let a red team loose on your systems, but if you never do anything proactive on security, you'll be better off starting with a baseline assessment to get an idea of the overall picture.
Don't get hung up on existing standards
There are various standards and guidelines, including OWASP and NCSC. You can obtain a huge amount of useful information from them, which will definitely help you get a sense of what to look out for. Do be aware, however, that these standards are still fairly general and often include not just technical but also policy matters. A pitfall when working to a standard is that meeting the standard becomes an end in itself. You can then easily miss things which are important for your specific situation.
So look at it from the perspective of your own organisation and start by deciding what the most important data is that you want to protect. This differs for every organisation; for a software developer, for instance, source code is often among the crown jewels. From there, decide what level of protection you want, and also take into account the legislation and regulations you need to comply with in any event.
Find a reputable partner
This sounds easy, but if you look critically, you know how hard it is to be sure that those doing the testing are really delivering quality. For example, ISO certification may tell you something about how the company in question has thought about the processes around data security, but you still have no idea how high their standards are.
The same goes for staff certification, because there are no training programmes or certifications that guarantee a particular level of knowledge. This is also a challenge because cyber security is a very dynamic domain. For instance, CEH certification really does tell you something about the amount of effort an employer has put into certifying its staff, but not about the practical knowledge of its specialists. OSCP, by contrast, is a more hands-on certification, but it is more focused on networks than on applications. You only really gain a proper working knowledge of this area by being active in the field and working on it full-time.
But how do you know if you've found a good fit? References and experience! Check how long a firm and its employees have been active in cyber security, what type of services they supply and which customers they work for. See if you can find public reference cases about the company you are planning to work with, or ask whether you can approach customers for a reference. This is the only thing that can really give you a realistic picture of their quality.
Devote an appropriate amount of time, attention and budget to security
It may not be what you want to hear, but security is not something you can simply tick off and delegate responsibility for to a third party. You will need to think carefully about the subject yourself in the context of your organisation. Depending on the amount of knowledge you do or don't have yourself, you will also need external support. The job of security is never done – it is an ongoing process and, in view of the growing challenges, one which you will only have to put more time, money and energy into in the future.
Has this prompted you to take another critical look at how your organisation goes about things, or are you keen to get to grips with security and could you use some help? Then contact our hackers through hackers@computest.nl and we will be pleased to be of assistance.