Last summer my daughter came home for a week, and I asked her what she wanted to do while she was home. She said she wanted to go walleye fishing for a couple days. Because of her short stay and my busy schedule, I wanted to make sure that whatever we did was low maintenance and, most importantly, that we would catch fish!
I remembered seeing photos a friend of mine posted of a recent fishing trip. He gave a glowing recommendation for an all-inclusive resort with good food, clean cabins and boats, and plenty of walleye. He added that I should request “Nick” to be our guide. Nick had been fishing the lake for many years and regularly had the most success. I could have saved a couple bucks going elsewhere, but I felt that this resort offered exactly what I was looking for and offered greater value, so I booked the trip.
On our last day, Nick was our guide. We caught plenty of fish for shore lunch and threw several back because they were either too small or too big (“in the slot”). With 10 minutes remaining, we were one fish short of our possession limit. As the other guides in the area started heading back to the docks, Nick instructed us to reel up. We would try one last drift over his favorite end-of-the-day spot to try to land a big one.
Sure enough, on that last drift my wife Laura landed a 28½ inch monster. We were all very excited that we had a perfect day of fishing, capped off with landing a trophy walleye. We took a few pictures and then released it to be caught again another day.
Later that evening, we were speaking to other guests and although everyone seemed to have had a nice time, it was clear that no other boat had the success that we did; and Laura’s fish was the largest caught that entire week.
All the guides were using the same style of boat, equipped with the same depth finders. All fished on the same lake and used the same bait. Why did our boat have greater success than the others? Our guide knew the lake the best. He knew where to find the walleyes. So, what does that have to do with penetration testing? Everything.
Just like fishing guides, not all penetration testers are equal. Skilled penetration testers think like a hacker and go to the spots most likely to yield success: a compromise of your network. When evaluating penetration testers, you should not just ask what tools and equipment will be used. You should also ask what tactics will be tried and about the experience of your “guide.” Here are some other questions you should ask penetration testing vendors to separate the wheat from the chaff:
• How does your penetration test differ from a vulnerability scan?
• What is your plan to identify likely targets?
• How will you create your plan of attack?
• If the original attack plan doesn’t work, how will you determine what to try next?
• How much time will you be dedicating to the attack?
• Can you provide specific examples of how you have been able to compromise security at other organizations?
• What type of evidence will be provided of a successful attack?
• Will you be providing actionable recommendations to fix any problems discovered?
• What are the experience and credentials of the person who will be doing the work?
If you don’t ask these questions up front, you very well may just be getting a basic security scan or someone with limited experience. This is equivalent to fishing off the dock. That may be fine if the goal is to simply “check a box” for compliance purposes. But if you want to simulate a real-world attack to see how well your company is protected, hire Wipfli to do your next penetration test. We will put you on the fish!
To learn more, view our recorded webinar titled “To Catch a Thief” presented by Travis Kaun, Wipfli Senior Consultant.