By Dr. Stephen Inocencio, PhD, DSI
GDT Vice President, Security Advisory Services
In IT, penetration testing is when a third party is engaged to simulate a cyberattack against your organization. It determines where you are from a security standpoint, and where you need to be. Where are your vulnerabilities, and how will they be addressed? It’s a look at your attack surface that ensures existing vulnerabilities are being comprehensively addressed.
You may think it doesn’t matter who kicks off an “automated scan” and spits out a report. But, while suppressing the rage induced by someone calling a full penetration test a scan, I can say that there are definitely some things to think about before outsourcing your penetration testing requirements to an offshore company, or to one that uses offshore resources or contractors.
What’s the Big Deal About Using an Offshore Penetration Company?
I’m sure there are some great penetration testing companies that use offshore resources, and I know there are great penetration testing companies headquartered outside the United States. The following isn’t intended to be derogatory in any way. The things that apply when deciding whether to hire any penetration testing company apply here, too, regardless of where it’s headquartered. The main difference is that some of these problems may be exacerbated by issues such as language barriers or an inability to verify background checks, certifications, etc.
The reason all this may seem so complicated and nerve-racking is that, in the grand scheme of things, the industry is still pretty young. There are no official distinctions or certifications needed to become a penetration testing company or to offer consulting or penetration testing services. So an offshore penetration testing company may be more difficult to vet, and how well you can vet it often depends on exactly how much information it is willing to provide.
Here are some things you should consider when determining who to use for your organization’s penetration testing:
Communication issues
I’m not talking about just a language barrier, although that can make a lot of things more difficult. Reporting may be in a different format, or, due to cultural differences, findings may be explained differently than you expect. Or, the reports may not be presented to you by the people who actually did the testing, due to time zone differences. Time zone differences can also extend the length of the testing and delay the documentation required to complete a project, because troubleshooting issues or transferring scoping information takes longer. These communication issues may not concern you as much, and may even merit the lower price point, but they should definitely be considered.
Difficulty vetting resources
Things like background checks, criminal records, and certification validation are all more difficult with offshore resources. You should always consider who, exactly, is doing your penetration testing. For example, what is the experience level of the test team, what certifications do they hold, and what is their level of education? Unfortunately, penetration test results are only as good as the tester who worked on the project. And while GDT always provides biographies for the engineers working on our assessment projects, many companies don’t. While there are plenty of offshore resources who are terrific penetration testers, it may be difficult to know whether you’re getting an expert or a novice.
The quality of the test you’re getting
In addition to the difficulty of knowing who is conducting the test, it’s also difficult to discern whether whoever did your penetration test actually did a good job. Most people engaging a third-party company to perform penetration testing are not experts themselves (although some are and just need third-party validation), so if you receive a clean report, is that a good or a bad thing? Are you really secure, or were vulnerabilities missed? So, while you may have opted for a less expensive option, a ton of issues may have been missed, and it can be very hard to tell.
Giving network access to an offshore company
This is usually enough to keep most CISOs and engineers up at night. Companies do their best to protect their external and internal networks and endpoints, so handing out internal information without knowing exactly who will get it, and whether it will be retained or shared, is a chilling thought.
So, considering the aforementioned issues, what should you do? Is it OK to use an offshore penetration testing company, or not? It’s important to note that GDT, due to our high standards for quality and core values that include quick and effective communication with our clients, does not utilize offshore resources for our penetration testing. But that doesn’t mean companies that do are bad or ineffective (and, yes, they’re often cheaper). It just means that you’ve got to put in a lot more time and conduct more due diligence before hiring them. You have to ensure you’re going to receive a thorough test, utilize a capable engineering team, and receive a high-quality product.
If you have questions about security penetration testing, contact these pros
To find out how to shore up your organization’s security posture, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of organizations of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.