EliteSec Cyber Security Consultants, Inc.

Computer and Network Security

Cambridge, Ontario 157 followers

Pragmatic cyber security solutions designed for your unique needs.

About us

EliteSec offers comprehensive penetration testing services, which involve simulating cyberattacks to identify vulnerabilities in our clients' networks, systems, and applications. By proactively seeking weaknesses, we help clients strengthen their defenses and prevent potential breaches. EliteSec can help test web and SaaS applications, internal/on-prem networks, wi-fi networks, mobile applications, and cloud deployments. We pride ourselves on our easy-to-read reporting, deep coverage, and ensuring you have a clear path to resolution for any findings identified during testing.

Website
https://elitesec.io
Industry
Computer and Network Security
Company size
2-10 employees
Headquarters
Cambridge, Ontario
Type
Self-Owned
Founded
2018
Specialties
cybersecurity, penetration testing, vciso, virtual ciso, security program, security consulting, and cybersecurity consulting

Updates

  • Some thoughts on how to find that first penetration testing provider, since it's not always clear on what to look for if you've never gone through it yourself.

    View profile for John Svazic

    Cybersecurity Consultant | Penetration Tester | Speaker | Trainer | Conference Organizer | Offering pragmatic advice and candid discussions about cybersecurity to Scale-ups and SMBs.

    Looking to start a penetration test for the first time? It can be daunting, that's for sure, as you may not be sure where to start! If you have a security team, they may have past experience with some vendors, or you may have some leads in your own network <cough, cough!> that you could reach out to. But if those don't work out, then good ol' Google can come to the rescue! You'll likely find a lot of different services out there, so you may go with the top 5, ask to get some quotes, and then proceed to have a few calls for some of them to get an accurate quote. Is this a pain? Yes, but the reality of the situation is that not all software is created equal, and there may be unique challenges for your particular situation. Is it a SaaS application? Are you testing cloud infrastructure? Internal network with social engineering/phishing testing? Mobile applications? API endpoints? There are multiple factors that make a one-size-fits-all pricing model difficult. Most firms just want a quick chat to discuss scope and review any app/APIs that you want to have tested. At EliteSec Cyber Security Consultants, Inc., we use a standard questionnaire to gather information if we don't get enough detail from a short discussion with the prospect so that we can scope the level of effort appropriately.

    So, quote in hand, you're ready to select, right? Not yet. At least you shouldn't pull the trigger yet. Have you asked about their process? Do you know what the final report will look like? Do they have a sample to share with you? Does the sample reflect the type of testing you need? Remember, you may be paying for a penetration test, but it's the final report that's the tangible deliverable you're going to get, so is it worth it? Some things to look for in a "good" report:

    - Is there an executive summary that outlines the risk to the company based on the results?
    - Are there sufficient technical details for technical staff to verify and replicate findings?
    - Are there recommendations on remediation steps for findings?
    - Is there a justifiable severity rating associated with the findings, or are these subjective, based on the tester's intuition without justification?
    - Any additional resources for findings?
    - Any recommendations on what should be addressed first versus what can wait?

    These are just some highlights to be aware of and look out for, but the point is that there is more to a successful pentest provider than just cost. Quality matters. Be honest with the companies you reach out to. If you have a fixed budget, let them know. Some firms can adjust pricing if competing firms are cheaper, but only to a point. There comes a point where the effort isn't worth the price, as there are costs involved for the testers as well. There are many more factors for sure, but hopefully this is a good starting point of things to consider if you're looking for someone to do a penetration test for your company.

  • John answers the question "Why should we trust you?" that sometimes comes from a risk-averse client.

    View profile for John Svazic

    How can we trust you? This is a question I had from a prospect last year that wanted to have a penetration test done for their organization. It was surprisingly the first time I've had such a question, but it's a fair one that surprisingly not everyone thinks of, but they should. In #cybersecurity, we often talk about 3rd party risk and risk assessments, so why shouldn't the same process be used with your pentesting partner? It absolutely should. This question came up recently in a slightly different context, but the answer is the same, so I felt this would make a great post.

    So, why should you trust your pentest partner? Not to knock pentesting firms from other countries, or those with a global presence, but from the perspective of a North American customer, there are a few reasons to "trust" a pentesting company, such as EliteSec, not to sell off secrets to a 3rd party for financial gain:

    1. We have a contractual agreement, and normally also an NDA in place. If this can be traced back (and let's be honest, it wouldn't be hard to draw the connections), then there is legal recourse for the client.
    2. We are a fully insured corporation, lending more credibility to our org. Incorporation is not enough, and we can provide evidence of coverage if necessary, but on a case-by-case basis.
    3. We maintain a number of certifications that have ethics clauses in them. While not foolproof, we do not want to risk these certifications and take them quite seriously.
    4. It's really bad for business. If this was ever accused, let alone proven, it would be devastating to our business. Not to mention it goes against the reason why I started EliteSec in the first place, namely to help companies secure their own businesses so they can prosper without fear of a malicious actor causing irreparable harm.
    5. The law is on your side. CFAA in the US, or Sections 342.1 and 430(1.1) in the Canadian Criminal Code. If something like this did occur, these laws would come down hard, and rightly so, provided the accusations are true.

    This just isn't worth it. Is this enough? What other information would you look for? I'd love to hear what would be considered an acceptable answer by you, or if this is even a concern that you have.

  • John's writing a book! Come read about our other major offering outside of Penetration Testing!

    View profile for John Svazic

    I post a lot about #cybersecurity, specifically #penetrationtesting, but did you know that we also offer gamified #tabletop exercises? These are scenario-based exercises for organizations to practice dealing with a disaster, such as a ransomware outbreak, shutdown due to weather (blizzard, etc.) or major outage in a data center. Think of it as a fire drill for a disaster recovery plan. I came up with the idea for adding a gamified element to the traditional tabletop exercise to make it more fun and relatable, (h/t to the fine folks @Axonify for the idea), and now I'm proud to announce that I am writing a book on building gamified tabletops! I'm still very early in the process, but I am hoping to bring my experience in building and running gamified tabletops for the past few years to a wider audience. Personally I feel that documentation on tabletop design isn't really available outside of snippets in some books and random blog articles around the internet. That and I know nobody does it quite like I do. :-) If you are looking to test your disaster recovery plans to maintain your #SOC2 or #ISO27001 compliance, and you're looking for something more engaging, by all means let me know. We can go through a quick discussion on how gamified tabletops are different and how we can help prepare your own organization for the unexpected.

  • EliteSec Cyber Security Consultants, Inc. reposted this

    View profile for John Svazic

    I'd like to talk about a specific type of penetration test that I feel a lot of organizations overlook, and that I think should get a second thought. Specifically I'm thinking of the internal network penetration test. What is it? This is the type of penetration test that checks for weaknesses within your offices on your "trusted" network, be that on a local wi-fi network or a dedicated office network that's accessed via a VPN.

    So why is this important to test? Are attackers going to break into your office space and take over your CEO's laptop? Not likely, but if that's a possibility I'm sure you're already doing this type of testing! But seriously, what if you have a lot of visitors to your office space? What if you have a large customer base or some big-name clients that may be attractive to an attacker? Past breaches like SolarWinds are great examples of supply-chain attacks where the breached company wasn't the main target. A better question to ask is what happens when one of your staff gets compromised. What can an attacker do if they get credentials from a staff member, such as via phishing or a data breach because they re-use passwords? Or the recent trend of hackers calling in to help desks posing as an employee to reset their password and 2FA code? Understanding what an attacker may be able to do after breaching one of your employees is one of the first steps to ensuring you don't fall prey to the Cadbury Creme Egg problem: having a hard outer shell, but a delicious gooey middle.

    While I do have a few clients who perform internal penetration tests, most focus on their public-facing applications. There's nothing wrong with that, but I would encourage folks to consider their internal networks as well. Sometimes it's those overlooked sections where the real dangers lie in wait.

  • EliteSec Cyber Security Consultants, Inc. reposted this

    View profile for John Svazic

    Penetration testing takes many forms, from testing websites to full-fledged SaaS applications hosted in the cloud. Then there are those pesky mobile applications that users are constantly clamoring for. Then there are those networks internal to your company that allow employees to work together and collaborate. For those who are more likely to face a physical threat, physical penetration testing is another option at your disposal, but it's not for everyone. While we do not do physical penetration testing, we do handle the others. From Windows domains to remote VPNs, Android and iOS apps, Google, Azure and AWS cloud-hosted applications, we can help test your environment/application against industry-defined best security practices. Feel free to reach out, I'd be more than happy to discuss what makes sense for your particular needs and how EliteSec Cyber Security Consultants, Inc. can help!

  • John talks about the importance of penetration testing, why companies perform penetration testing, and why it's important to pick a trusted partner for such an important piece of the #cybersecurity puzzle.

    View profile for John Svazic

    Why do companies seek a penetration test? In my experience, it normally boils down to 3 reasons:

    1. They're trying to adhere to a compliance requirement such as PCI-DSS, ISO27001, SOC2, CIS Controls, etc.
    2. They have customers requesting/demanding a report.
    3. They want peace of mind.

    Penetration testing is one of those things that can make a significant impact on the security of your business network and/or product, but it's often overlooked due to the "mystery" behind what's involved. At EliteSec Cyber Security Consultants, Inc., we do a lot of SaaS and web-based penetration testing. Our methodology revolves around the OWASP® Foundation's Web Security Testing Guide (https://lnkd.in/gnh4NQs7) to ensure we're using an industry-standard set of checks. There isn't much mystery in what we're doing during our testing, and we always ensure our customers understand any findings, including detailed steps to reproduce each finding, as well as remediation options to repair any findings. We can speak with developers, and provide risk ratings based on tailored CVSS scores for each finding.

    The goal of a penetration test isn't to get a "high score" for the penetration testers, nor should it be a piece of paper to get a compliance stamp for the client. It should be a realistic view of the risk for the project under scope in terms of what harm a malicious actor could cause for a company if exploited. Clearly there are other benefits, but from a penetration testing vendor's perspective, they shouldn't be the only focus. When selecting a vendor to perform penetration testing, be sure to pick someone who you can trust and who has your best interests in mind. Spending time trying to fix a low-risk issue because someone marked it as critical without telling you why doesn't help anyone. All the compliance in the world won't help if you have exploitable vulnerabilities in your company's infrastructure/product, because malicious actors don't care what the auditors signed off on.

    Table of Contents (owasp.org)

  • EliteSec Cyber Security Consultants, Inc. reposted this

    View profile for John Svazic

    It's that time of year again! As the holidays fast approach, so do budget deadlines and plans for 2024. Have you budgeted your annual penetration test yet? Perhaps you weren't thrilled with your provider this year and are looking for someone new? EliteSec can help. We offer comprehensive penetration testing services for your applications/networks and provide exceptional reporting to assist with remediation. Did I mention we offer 5 free re-tests for findings for up to 12 months? Perhaps you're not ready for a full change of vendor, but you would like a second opinion on your report because it just doesn't seem right or make sense. We'd be happy to review the report (under NDA, of course) and offer our honest opinion. If you're interested, please reach out. I'd be more than happy to share a sample report so you can compare. Wishing everyone a safe and uneventful holiday season!
