"What we're looking for are trends," said the university security director. "It's just like you would treat an audit report. If you have repeat findings, it indicates you might have a more serious problem."
Tip 10: Decide Who Your Pen Testers Are
The decision to use in-house staff for pen testing depends on the size of your organization, the value of the information you are trying to protect and where you want to put your internal resources. A company may have a dedicated pen testing team or a group within the security team. An internal team is in a better position to conduct regular testing. If your organization is large and distributed, create mechanisms and promote an environment in which findings and lessons learned can be shared between units.
"If you have an internal community that can share information, make sure they have a strong knowledge base backed up by mature knowledge management systems," said Verizon's Khawaja. "You want to make sure that what happened in your Belgian unit doesn't happen in Brazil."
Even if you do some in-house testing, there are good reasons for hiring consultants to perform at least some of the work. Some regulations require an external firm to perform the tests. Even where they don't, insiders may know too much about the target systems to test the way a real attacker would, and they have a vested interest in the outcome. So, beyond compliance requirements, it's a good idea to bring in a fresh view from the outside periodically.
For the same reasons, if you do hire outside testing consultants, rotate among vendors every few years, just as you would with auditors.
"Bringing in outside people gives an added degree of confidence in the results," said the university security director. "There's no perception of conflict of interest."
For your internal team, look for the right blend of knowledge and curiosity.
A good training candidate, said Core's Solino, has a strong knowledge of networking and application protocols as a foundation. Beyond that, he looks mostly for curiosity and a hacker mentality.
"It's IT knowledge and that attitude, a specific mindset that denies something is secure and says, 'Go for it!'"
"This is an art," said Skoudis. "Although there are tools and methodologies, you have to be creative in finding problems in target systems and applications."