Yes, folks, that’s all you need. This process will help you prove to your management that some security processes, as well as tools, are required to protect the company.
A penetration test (pentest) is a technical assessment designed to achieve a specific goal within a defined scope, such as stealing customer data, gaining full domain access, or reading or modifying sensitive data. It is similar to what an attacker would do, although, in my opinion, that is closer to a Red Team engagement. The scope of a penetration test is clearly defined, whereas an attacker has no scope, only a goal: obtain data and persistent access to your systems.
Make sure the scope is clear. You do not want your production system to go down because of a pentest, so write down the following in the statement of work:
- Full list of systems included in the penetration test
- Deliverables expected: detailed report with a timeline
- System cleanup: you do not want Mimikatz left behind on a system, do you?
Once you have your pentest done, be sure to follow up on the recommendations, since it makes no sense to acknowledge that there are security flaws in your infrastructure and then not resolve them. Also, ask for the technical steps the penetration test team followed so that you can update your security processes accordingly. For instance, if you cannot prevent a type of attack, make sure you have the correlation rules in place to trigger an alert whenever that attack is attempted.
In my opinion, a penetration test should be done every year, or every time you make a significant change to your infrastructure, such as a new application or service that could introduce vulnerabilities, directly or indirectly.