Penetration Testing as an Offer: Why Should MSPs Conduct Security Testing?

Penetration Testing for MSPs

If you’re a managed service provider (MSP), your clients might ask your company to conduct penetration testing. Should you be ready to do so? And why is providing penetration testing in the best interests of an MSP? Let's take a look.

What is Penetration Testing?

People sometimes call it pentesting. But obviously, it’s not about taking a Bic and seeing if it still has ink in it. Pentesting is when an authorized party attempts to penetrate your client’s network as if they were a cyber attacker. That usually involves not only trying to penetrate your client’s network through the internet or other networks, but also often through human beings (social engineering), web application pentesting, and through your client’s physical buildings. A thorough pentest will involve testing each of the many different ways that cyber attackers could try to access the data that your client wants to protect.

A penetration test without specific legal authorization from the people who have the right to grant it is just a cyber attack, and therefore it’s probably illegal. A detailed and legally binding contract that includes the terms of the pentest is an absolute requirement. That being said, under usual circumstances most employees and contractors shouldn’t be made aware that the pentesting is taking place. After all, how can you properly test for vulnerabilities if everyone knows what’s coming?

How Does Providing Penetration Testing Benefit MSPs?

The most successful MSPs are also penetration testing service providers. It’s your responsibility to keep your clients’ networks and computers safe from cyber attacks, and you’ll be a lot more effective at doing so if you know what their vulnerabilities are so you can harden against them. Also, your MSP business will benefit from having a positive reputation. A key component of building that reputation is to be better at protecting your clients from cyber attacks than your competitors.

Network pentesting will help your MSP business to create an effective business continuity plan for your clients. You’ll have a much better idea of which ongoing services you’ll need to provide for them, and you’ll have verifiable data to back it up. That will help you to sell to your clients everything they need that you can offer them. Do the SIEM correlation rules need to be tweaked? Do they need more cameras to be monitored in their office?

Your business and your client will know for sure if you do a proper penetration test. And as your client’s networks change and evolve over the years, and as the threat landscape does the same, you’ll need to provide more network pentesting services in the future. A lucrative MSP knows how to offer their clients what they need for the years ahead.

Types of Pentesting Services

There are different types of pentesting services that you can provide to your clients. Some clients may need all of them, while others may only need some of them. Be aware of what your client requires as you compile your network pentesting checklist.

Vulnerability Scanning

Depending on the industry that your client is in, they may require network vulnerability scanning for the sake of regulatory compliance. Even if it’s not a compliance need, vulnerability scanning can help your client to learn how to improve their security. Security penetration testing tools include:

  • Metasploit Pro - It is the commercial version of Rapid7’s Metasploit family of network vulnerability scanning software. One of the most popular vulnerability scanners on the market, it includes features like automated scans and dynamic infiltration capabilities.
  • Nessus Professional - Tenable’s Nessus Professional is another popular commercial vulnerability scanning suite. It’s known for its easy to use interface and its comprehensive detection features.

Infrastructure Pentesting

This area includes internal, external, and wireless network pentesting. The point at which you execute your pentests will affect which vulnerabilities you discover. Infrastructure pentesting can differ depending upon how you access the network, but the same tools can sometimes be used to do all three. Security penetration testing tools include:

  • Wireshark - A network protocol analyzer that can be deployed to discover externally visible IP addresses, to conduct network device fingerprinting, and to see which TCP/IP ports are open and how they’re configured.
  • Aircrack - A tool used exclusively to test wireless networks.

Application Pentesting

Many clients also need to have their applications tested for vulnerabilities, and this includes both web apps and applications that run on operating systems. Security penetration testing tools include:

  • W3af - A popular open source web application vulnerability scanner that’s written in python. SQL injection and cross-site scripting vulnerabilities are just two of the many threats that can be detected.
  • Wapiti - A web application vulnerability scanner with a “black box” approach, meaning that rather than scanning web application code, it looks for scripts and forms where it can maliciously inject data.

User Testing

This is one of the main reasons why most employees shouldn’t be informed when pentests are conducted. Here’s your opportunity to test for social engineering vulnerabilities by trying to fool your client’s staff into revealing sensitive information or providing unauthorized access. This can be done online, via email, over the phone, and also in person.

If your client’s employees regularly receive security awareness training, they will be less likely to succumb to social engineering attacks. Training should be provided often so that awareness is fresh in their minds, and teaching workers about social engineering can make a huge difference.

Pentesting Certifications

If your MSP’s employees have certain industry certifications, it may help to assure your clients that they’re qualified to perform penetration testing services. The following certifications should be seriously considered:

  • EC-Council’s Certified Ethical Hacker (CEH)
  • Offensive Security Certified Professional (OSCP)
  • Global Information Assurance Certification Penetration Tester (GIAC’s GPEN)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

Conclusion

By being ready to offer penetration testing services and products, your MSP can help to make your clients’ networks as secure as they can possibly be. You’ll also have data which specifically applies to your client’s network that you can use to sell them the custom cybersecurity services that they need.