Penetration testing aims to uncover potential security vulnerabilities which could in turn lead to a cyber security breach, enabling remediation of issues to be undertaken before they are exploited by a real intruder. Here in this pen testing guide we answer the most common questions about penetration testing:
What does ‘pen test’ stand for?
Pen test stands for penetration testing.
What is penetration testing?
A penetration test is a methodology for evaluating the effectiveness of an organisation’s cyber security controls.
Testing is undertaken in a controlled environment to identify security flaws. Simulated attacks are performed on a network, just as if it’s a real cyber attacker attempting to find security gaps.
What are the goals of pen testing?
The goal of penetration testing is to verify the effectiveness of a network’s existing security measures. However, penetration testing is more advanced than basic vulnerability scanning. It identifies how a cyber attacker would breach a network and how they would then gain access to sensitive information such as client/staff data, financial data or even research findings.
What gets tested?
Pen testers attempt to “break into” an organisation’s systems, networks, and software by looking for vulnerabilities across the following areas:
- Network endpoints
- Network security devices
- Web applications
- Wireless networks
- Mobile and wireless devices
How do pen testers simulate an attack?
Pen testers act like malicious actors: they simulate an attack using the same approaches hackers would, including:
- Operating system backdoors
- Misconfigurations in cloud-based applications and services
- Social engineering tactics
- Weak or unencrypted passwords
Why is penetration testing needed?
There are many reasons why an organisation may undertake pen testing:
- To protect their ‘crown jewels’ such as intellectual property, customer and staff data, financial information
- To protect their brand and reputation
- To decrease downtime in the event of a true security incident
- To ensure compliance with regulatory standards such as Payment Card Industry Data Security Standard (PCI DSS)
- To identify vulnerabilities during infrastructure change programmes, such as system upgrades, new software releases, new applications or new hardware
- As part of a due diligence process for contracts, mergers and acquisitions
- To proactively identify emerging or new vulnerabilities that were not previously known
In the 2020 Pen Testing Report by Core Security, 97% of respondents noted that penetration testing was important to their security posture.
Why is pen testing important?
Undertaking penetration testing is a cyber security best practice designed to improve your cyber security strategy. A controlled and managed simulation of an actual system intrusion provides a proactive and realistic experience of a security breach, enabling you to plug any security gaps before a real attacker finds them.
When should pen tests be run?
Penetration testing should be run as frequently as possible, especially when significant changes or updates to your infrastructure or digital strategy are made.
How often should pen tests be undertaken?
The frequency of undertaking penetration tests will depend on a number of organisational factors, including:
- Budget availability
- Network changes, as tests should be undertaken as part of, and to coincide with, an organisational change programme
- Size of the network, as you may wish to undertake a rolling programme to ensure coverage of all systems, software, hardware, applications etc.
The timing of a testing programme should be adaptable and balanced to ensure that risk is minimised whilst enough time is allowed between recurring tests for remediation work to be undertaken.
What are the different types of pen testing?
Penetration tests can be conducted in several ways. The most common distinction is how much knowledge of the implementation details of the system being tested is made available to the testers.
- Black box penetration testing: assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. Black box testing simulates an attack from someone who is unfamiliar with the system, such as a malicious actor trying to break in and cause havoc.
- White box penetration testing: provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. White box testing simulates what might happen during an “inside job” or after a “leak” of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.
- Grey box testing: a combination of white box testing and black box testing. Typically a grey hat hacker will have permission to test the system, but will not have prior knowledge of the system. The aim of this test is to discover defects resulting from improper structure or improper use of applications.
Can I undertake pen testing inhouse?
Possibly. This is of course dependent on your available resources:
- You have experienced and trained in-house expertise
- To be impartial and objective, the testing resource should be ‘independent’ and not part of a project or build team; testers should not be testing their own work
- Testing resources must undertake ongoing training and monitoring of emerging threats and vulnerabilities, as well as keeping up to speed with the latest testing methodologies
- Penetration testers require access to a dedicated test lab for pre-production work and to penetration testing tools
Considering the investment required for in-house penetration testing, it may be more cost-effective to outsource penetration testing to a third party.
How do I choose a pen test provider if I outsource?
A penetration testing provider should be professional and reputable within the industry:
- Relevant expertise: ensure that the pen testing provider’s expertise matches the scope of your project requirements
- Appropriate certifications: pen testers should be knowledgeable and experienced with appropriate training. Ask about their industry certifications.
- Trusted staff: penetration testers should be adequately vetted by their employers with their backgrounds checked
- References and recommendations: should be available if requested
- Sample reports: should be made available in advance. Make sure their reporting is understandable and well-organised, with clear actionable recommendations of how vulnerabilities can be remediated
Infosec Partners provides a full spectrum of security penetration tests, resulting in reports and recommendations from which executive management and technicians alike can gain the information they need to secure their systems and networks.
What do I need to do to prepare for pen testing?
The scope of the project will need to be agreed in advance of testing. As the purpose of testing is to assess your security controls as they stand at that moment in time, there is in essence no need to change anything within your network specifically for penetration testing.
How much time is needed to undertake pen testing?
The timescale depends on the size and complexity of the pen testing project.
Rigorous and detailed planning for penetration testing is required, as is time for review and remediation measures. However, the actual ‘testing window’ should ideally be 1-3 weeks.
Will pen testing disrupt our network? Should we expect a system crash?
Your systems will not be disrupted by well-planned and coordinated penetration tests. It’s important that all stakeholders are aware of the timeline and that all relevant teams are kept up to date. With the right expertise and plans in place you won’t have to worry about operational systems crashing; business as usual is to be expected.
What should we expect from the results of pen testing?
A penetration test report will contain detailed, sensitive information about your organisation’s security vulnerabilities; it is highly confidential and should not be widely circulated.
How often should we re-run penetration testing?
Depending on the size and complexities of your network, and your organisation’s change programme, we would recommend that you implement a programme of recurring pen tests to counter emerging threats and vulnerabilities.
We also recommend re-tests on found vulnerabilities to ensure that remediation has been successfully completed.