Your vendor should be guarding against intrusion into their systems and network from the outside and conducting regular penetration testing through a qualified, credible resource.
You should ensure that penetration testing is being performed by any vendor who has access to or stores your consumers' private information or sensitive data.
What a network penetration test involves
When a vendor runs a penetration test, their goal is to identify vulnerabilities in their hardware, software and overall network.
How often should your vendor do a penetration test
While there isn’t much formal guidance on the appropriate frequency, we suggest once annually, at a minimum, for vendors who store sensitive data.
Examples of events that should trigger an additional penetration test include:
- A major application release, e.g. your vendor releases a brand new internet banking site
- Any web-exposed software release
- A major new threat in the general landscape, e.g. Heartbleed
- A previous test found an issue, so a test should be re-run to show it has been corrected
The Do's and Don'ts
- Ask for an executive-level summary of the penetration testing results. Test results shared with you should always be at executive summary level. This should NOT include sensitive network details, such as the IP address of the machine affected by a particular vulnerability.
- Get on the phone if you want to inquire about additional details in the report
- If there is an issue, have the vendor explain to you what those issues are, what they intend to do to correct them, and on what timeline. Take notes.
- Respect the fact that your vendor needs to be careful about what they can share with you
- Ensure that your vendor has a proper vendor management policy that is actively being executed upon with controls in place for them to manage their own vendor's testing.
- Do not expect your vendor to provide you with detailed results. The natural results of a penetration test contain a list of exposures and vulnerabilities. In the wrong hands, that is dangerous stuff. Asking your vendor’s information security officer to give you the detailed list of their weaknesses further increases the odds of those vulnerabilities being exploited before they can fix them; they’re just not going to do that and shouldn’t be asked to do so. In fact, if they did release that level of detail to each client, that in itself would be alarming. Don't make a hacker’s job really easy.
- Don't expect your vendor to let you perform your own penetration test against their network - it is not reasonable for them to allow all their clients to do that. Just imagine if a major core processor allowed all their clients to run penetration tests whenever they wanted, through whatever tools or providers they chose. There would be multiple daily attacks on their network, costing them time and attention to determine which attacks are real or not, resulting in a likely rise in operating costs and a decrease in quality, which of course, no client really wants.
Your vendor found an issue - now what?
If you receive the high level summary from your vendor and it has some critical or high risk vulnerabilities listed on it, your vendor should be responding with "here is what we have done to fix it" or "here's what we are going to do to fix it and this is the timeline" and "here’s a new penetration test result that shows that the issue has been resolved".
Don’t discuss the issues by email – have a one-on-one conversation on the phone with your vendor and, if needed, have them put people on the phone who can explain to you what those issues are. It’s less important that the results of a penetration test are clean than it is that your vendor addresses any high or moderate risk threats quickly and efficiently, either with a fix or with an explanation as to why it has to be the way it is.
So, be sure to:
- Find out what they intend to do to correct the issues
- Determine the timeline to have the issue fixed
- Take notes and put them in your file. Create follow-up tasks like “my vendor said they will solve security issue #1 by this date and here's how they’re going to do it. I am going to follow up and request a clean or new scan to demonstrate that the vulnerability has been resolved.”
- Follow up accordingly, and document your follow up as well.
Do you need to do penetration testing of the vendor’s vendors?
You don’t need to receive your vendor’s vendors' penetration testing results. What you do need is to make sure that YOUR vendor has a proper vendor management policy that is actively being executed upon by the vendor. The way you know that is to:
- Request a copy of their vendor management policy
- Look to their SOC report - does it tell you that their vendor management process has been tested by auditors?
Also, be sure you have a list of your vendor’s critical vendors. So, if your vendor is extremely reliant on 3 vendors, you need to know who those are and what they do for the vendor. The reason is that if you see a headline in the news about one of those three, you need to know that it could affect you; because they’re not your actual vendors, you may not otherwise know their names or that they could have an effect on you.
So at a bare minimum you need to know that your vendor has a good vendor management program in place which should include all the things that you’re doing for your own vendors. Just like your own vendor management program is tested by your auditors and examiners, you should be able to see that your vendor’s vendor management program is being audited and tested in some way.
A Vendor Who Gets an A+
While penetration tests can be automated with tools that are basically programmed to run and look for certain things in your vendor's network, it is prudent and recommended for the vendor to go above and beyond by putting a professional ethical hacker to work to attempt to compromise the network outside of what that automated tool is doing.
If a vendor is doing both those things through a qualified and reputable source, they get an A+ for effort. They’re taking it seriously and you should feel really good about that. The only questions then are on the frequency, and of course, the resolution of issues identified by this testing.
If your vendor is not doing network penetration testing, you might want to put some pressure on them to implement a penetration testing policy that commits them to the types and frequency of the tests.
Be sure to get their commitment on when the first test will be conducted and when (executive summary level) results will be made available to you. Or, if they won’t do that, then you may want to consider asking for permission to run your own penetration test.
Now, understand it’s really not feasible for a vendor to commit to letting all their clients run a pen test against their network – in fact, I would be wary of a vendor that allows you to do that rather than actually committing to do their own tests. In other words, the fact that they will not commit to performing testing but will allow you to test against their network may indicate a deeper issue with your vendor.