Penetration testing is a critical element to validate the safety of digital assets. With many types of testing available, it isn’t always easy for business owners to select the right one.
One of the most important first steps to take is to analyse the exploitable vulnerabilities that your business may have. This is known as pen testing and in this blog, we’ll cover everything you need to know about it.
You might want a cup of coffee by your side to help you finish this blog post. This will cover the following topics:
- What is Pen Testing
- Why is it important?
- Different types of pentests
- How does a Pen Test Work?
- Pentesting service lifecycle
- What is Pen Test methodology?
- Pen Testing engagement lifecycle
- Pen Testing Tools
- When to conduct such assessments?
- What are the costs involved?
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. This cybersecurity assurance is provided against an organisation’s assets.
By identifying these security flaws, businesses are able to find out the extent to which their assets (people, process and technology) are exploitable and can then take the necessary steps to reduce the risk.
It is also known as ethical hacking, cybersecurity assessment, technical security audit or technical risk assessment. Although vulnerability assessment and pentesting are often used interchangeably, they are different services altogether. In certain regions, specifically Asia, the term VAPT (Vulnerability Assessment & Penetration Testing) is used as an umbrella term for security audit exercises. A vulnerability assessment helps to identify and classify the known vulnerabilities in a system. This is an automated process carried out with scanners. No manual exploitation is part of a vulnerability assessment, whereas manual pentesting involves techniques to exploit the vulnerabilities identified during the test.
Why is pen testing important?
You may be wondering, ‘what does pen testing involve to bring value to my business?’. Let’s go through all the most important reasons as to why this is a smart business decision.
Threat Protection
We now live in a world where data is a more valuable resource than oil. Due to the inherent link with technology, threats evolve and change over time.
This means that, while you may have overcome a security issue a year ago, new threats are always on the horizon. For this reason, it is critical to regularly assess your security in order to protect your network.
Develop Your Cybersecurity Strategy
Cybersecurity in any business shouldn’t be an afterthought. The best way to create a cybersecurity strategy is to gather information through technical security audits. The data you gather here can then inform your strategy and act as the foundation for your plan.
Once you understand your current threats, you can update your practices, inform employees, streamline your processes and most importantly, improve your technology.
A Proactive Approach
Pen testing is the perfect way for a business to identify weaknesses and vulnerabilities before they are exploited by threat actors. It should be performed on a regular basis to ensure your most prized assets are always protected. Usually, this is an annual exercise or follows any upgrades to code, hardware or software. Having a proactive mindset towards cybersecurity is imperative if you want effective results.
By having regular pen tests, you create more efficient business systems, prevent data loss and save your business a lot of potential headaches.
Types of Penetration Testing
There are multiple types of security testing services based on the type of assets, environments or business stages.
Network Penetration Testing
Infrastructure (or network) pentesting covers a broad spectrum, ranging from single build reviews and segregation reviews to network-wide assessments. Network pen tests consist of:
- Internal/External Network Pentesting
- Firewall Security Assessment
- Wireless Pentesting
- IT Health Check (entire organisation)
- Active Directory Security Review
- Server Build Review
- Device Audits
- Network Segregation Review
Web Application Penetration Testing
Web application pen testing is a great way to see if you are secure for trading on the internet or see if your database is open to risks. It consists of:
- Web Application Security Testing
- Web Services / API Security Assessment
- Secure Code Review
- Application Threat Modelling
- Database Security Review
- Thick Client Applications
The above services also include assessments of CMS-based websites, such as checking for WordPress vulnerabilities, Joomla security scanning and the like. The assessment methodology involves web application security test scenarios including the OWASP Top 10 Web Application issues, the OWASP Top 10 API risks and other modern real-world test cases.
Cloud Penetration Testing
This test is crucial if you store data in the cloud. The security of any cloud-based operating systems and applications needs to be continuously maintained and tested. Cloud pentesting consists of:
- Cloud Configuration Review
- Cloud Service Testing
- Cloud Security Testing
- Office 365 Tenancy Configuration Reviews (known as Office 365 pen test or Office 365 security review)
- AWS & Azure Pentest
Cyber Attack Simulation
Cyber attack simulations are commonly designed with multi-step attack scenarios to check how defensive controls react during a real-time attack. This includes red teaming (a simulation that replicates a real-life attack to assess attack preparedness) and blue/purple teaming (working in collaboration with your security teams so that the exercise becomes a learning opportunity to improve your detection).
For buyers, it is very important to understand the differences between red teaming and pen testing. Red teaming versus pen testing: which one is the right choice for your business?
Cyber Attack Simulations will usually consist of:
- Red Team Assessment
- OSINT (Open Source Intelligence) Assessment
- Phishing Campaigns (Bulk, targeted/spear-phishing)
- Social Engineering
Mobile Penetration Testing
Mobile pen testing tests your mobile applications before they go live, in order to reduce the chances of a data breach or other security vulnerabilities. If you have an insecure application, you could be compromising sensitive data or the device itself. It usually consists of:
- Mobile Application Security Testing
- Secure Code Review
MDM (mobile device management) security reviews are usually covered under Infrastructure security assessments.
Bespoke Security Reviews
This comprehensive cybersecurity audit covers supply chain risk, M&A due diligence, IoT and a range of advanced penetration testing scenarios and bespoke projects that can be tailored for the security needs of your company.
- Product Security Assessment / Security Evaluation Criteria
- IoT Security
- Remote Access Assessment
- Supply Chain Vulnerability Assessment
- M&A Cyber Security Due Diligence
- Compliance Penetration Testing
How does a Pen Test work?
At Cyphere, pen testing is one of our main cyber security service offerings for businesses. Service quality underpins everything we do.
The first step in the process is to get in touch with a cybersecurity professional or consultancy, such as ourselves. Customers sometimes think we are going off at a tangent, but understanding your business from you is the most important step. We ensure that gaining business insight and analysing requirements is in line with your business objectives.
We will then get to work and identify technical risks affecting software and hardware in your business. This test adds assurance that products, security configurations and controls are configured in line with good practice. This information will be presented to you in an easy-to-understand report that gives you strategic recommendations and helps you prepare a mitigation plan for an attack.
Not only do we provide you with a clear plan of action but we also make sure this is communicated effectively at a technical and management level.
Pen Test service lifecycle
Our engagement approach remains focused on service quality and is underpinned by three principles: we engage, we listen and we deliver. The following five steps define our engagement process, which puts service quality first:
Customer Business Insight & Requirements Capture
The very first step is to gain insight into your business, its drivers, pain points and relevant nuances. As part of this process, we understand the assets that are part of the scope.
Services Proposal
It is important to get to grips with reality, so we always stress walkthroughs or technical documentation of the assets. After asset walkthroughs, a tailored proposal is designed to meet your business’ specific requirements.
Execution
Cyphere’s approach to all work combines excellent communication with a strong technical skill set. See our pen test methodology below for detailed information.
Delivery
The execution phase is followed by a data analysis and reporting phase. Cyphere analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address both the business and the technical audience, with supporting raw data and mitigation measures at strategic and tactical levels.
Debrief & After-Care Support
As part of our engagement process, customers schedule a free-of-charge debrief with management and technical teams. This session covers the remediation plan and assessment QA, ensuring that customer contacts are brought up to date in language they understand.
What are Penetration Testing methodologies?
In order to perform a security assessment, it is important to understand the context of the assets in scope for the engagement. The following penetration testing methodologies are defined by the level of knowledge and access granted to the security consultants:
- Black Box Pen Testing: A black box pen test starts with no prior knowledge of, or access to, the target. An example of such a test is a website security assessment with no information and no user access.
- Grey Box Testing: A grey box pen test involves some level of knowledge of and access to the target. An example of such a test is a website security assessment with low-level user access.
- White Box Testing: A white box pen test is granted the highest level of information and access. An example of such a test is website security testing where multiple user levels, including CMS admin, and information such as the security architecture, design documents and/or source code access are supplied to the security consultant.
It is important to select the right assessment techniques, as this can influence the outcome of the testing process. In order to simulate threat actors, it is important to consider various threat scenarios that lead to the creation of the test cases used during testing.
Penetration Testing Standards and Frameworks
Multiple pentesting frameworks have been released over the years. These include the Open Web Application Security Project (OWASP) for web application assessments, the popular NIST Cybersecurity Framework from the US Commerce Department, the Open Source Security Testing Methodology Manual (OSSTMM) and the Penetration Testing Execution Standard (PTES). Due to their popularity, OWASP and the SANS Top 20 Critical Controls are often cited as benchmarks for testing.
Penetration testing engagement lifecycle
Our proven approach to security assessments is based on more than a decade of experience, industry practices and effective ways to exceed customer expectations. Cyphere’s pen testing engagement lifecycle is broken down into five phases:
Initial Scoping and Objectives Agreement
This is an often overlooked area, yet it is one of the most important. No one knows a network better than its caretakers, that is, the customer.
Defining an accurate scope of work ensures understanding and clarity of objectives, exclusions, and what to do if something happens. We ensure that a proven project management approach is put to work, so that all parties are aware of authorisation forms and legalities, in-scope elements, any fragile components and out-of-scope components before an engagement commences.
Reconnaissance
Once legal and project formalities are out of the way, the reconnaissance phase starts with the sole objective of information gathering. This intel (e.g. network layouts, domains, servers, infrastructure details) helps to understand how a network works, including its assets (applications, systems, devices, anything with an IP).
Scanning
This phase is performed with the aim of finding vulnerabilities within the defined targets. It involves scanning the target for listening services/open ports, then fingerprinting and analysing the running services to prepare a rough attack layout of the target systems.
Exploitation
Attempts are made to exploit common vulnerabilities to simulate and check how far a threat actor can go to achieve privileged access. For instance, during unauthenticated tests within a company network, starting with zero access often leads to compromise of the entire network. Default passwords or commonly used username/password combinations are also tried against various services.
Once access is gained to the systems, further efforts are undertaken to escalate privileges to the highest levels. This also includes hopping around the network in order to find vulnerable servers within the customer business. This technique, often known as lateral movement, helps to identify vulnerable systems within a network that are not exposed to the internet.
Specific assessments against certain targets are described as ‘white box’, ‘black box’ or ‘grey box’ methodologies. This defines the test cases based on how much information is available to the consultants before starting the assessment.
No unsafe checks are carried out during the assessment. These include low-level attacks such as ARP spoofing, SYN flooding and the like. Denial of service attacks are explicitly deemed out of scope.
Reporting
The assessment phase is followed by a data analysis and reporting phase. Cyphere analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address both the business and the technical audience, with supporting raw data and mitigation measures at strategic and tactical levels.
Remediation
Cyphere also provides a remediation consultancy where we help customers define and execute the risk mitigation plan. This is an optional service and is charged separately from pen tests. A risk-focused approach is used so that a prioritised plan is followed, maximising the impact on defensive controls.
Should you choose not to opt for this service, you can also take our help in preparing a remediation plan and tasking your IT or managed services provider with implementing the controls.
Penetration Testing Tools
Based on the assessment scope, relevant tool-sets are used. For instance, a web application penetration test requires a testing suite that allows traffic between a user’s browser and the server to be intercepted. This allows a security consultant to mimic a threat actor by changing input, testing the application code routines and checking for OWASP Top 10, SANS Top bugs and other tests as part of the web application pentesting methodology. For low-level assessments, such as hooking into Windows services, APIs or other specific targets, specialised web proxies, protocol analysers and fuzzing tools are used by the security consultants.
In the case of a network penetration test, various pen testing tools are used that help consultants with network scanning, service enumeration, vulnerability analysis, and the exploitation and post-exploitation phases. Although it is a combination of applications, utilities, multiple scripts and proprietary tools, the most popular tools used for port scanning, enumeration and exploitation are Nmap, the Metasploit Framework, and the toolsets included in the Kali Linux distribution, which is specifically designed for pen testers.
Similarly, for wireless assessment, different tools would be needed on top of the network and application-level tools used during the assessment.
When to conduct Penetration Testing?
It’s safe to say there are multiple types of pen tests, which is why it’s so important to speak with a cybersecurity professional to see what is the best fit for your needs.
From our knowledge and experience, a technical security assessment should be conducted at any of the following events:
- Introduction of new infrastructure & applications
- After major changes/upgrades
- Business As Usual/ Annual Assessments
- Before product/service go live
A business may be at risk if new services have been rushed into production without a security assessment and mitigation of risks. This could leave an organisation open to cyber attacks. Therefore, it is important to measure the attack surface of the underlying assets before releasing them into production.
Some compliance requirements, such as PCI DSS, sector-based commission technical audits and vendor assurance requirements, mandate regular penetration tests.
How much does a Penetration Test Cost?
There is no one price sheet. However, pen test pricing calculation is more or less similar across the industry.
Penetration testing pricing varies based on the time and resources invested in the assessment. Scoping varies from asset to asset (a single server or a network versus an eCommerce setup with a website, API, database and load balancers), and the environment metrics related to the asset play a key role. Our assessment pricing involves transparency around the sub-elements of a project, effort estimation and project-related details (project management, data analysis and reporting phases), educating the buyer to make an informed decision on what is best for them.
For small businesses, we offer SME security solutions with multiple options to suit their requirements.
This flexibility, along with stress-free options such as easy cancellations, reporting, debriefs and a remediation plan, in addition to our pricing structure, is often described as a ‘fresh alternative’ by our customers.
We hope you liked this blog; please feel free to get in touch if you would like to see content around specific topics. Please subscribe to our newsletter for the latest threat reports, tips, articles and other useful content.