Penetration testing is a critical element in validating the security of electronic assets. With many different types of penetration testing, such as white box, black box and grey box penetration testing, it isn’t always easy for business owners to select the right penetration testing service for their business.
One of the most important first steps to take is to analyse the exploitable vulnerabilities that your business may have. This is known as pen testing, and in this blog, we’ll cover the basics, including types, tools and costs. The scope of such security tests varies across web apps, APIs, mobile applications, network builds, firewall or router configurations, internal and external infrastructure and more.
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. It provides cybersecurity assurance over an organisation’s assets.
By identifying these security flaws, businesses can determine the extent to which their electronic assets (people, process and technology) are exploitable and can take the necessary steps to reduce the risk.
It is known by many different names, mainly ethical hacking, cybersecurity assessment, covert penetration testing, intrusion testing, technical security audit or technical risk assessment. Vulnerability assessment and pentesting are often used interchangeably, but they are different services altogether. In certain regions, specifically Asia, VAPT (vulnerability assessment & penetration testing) is an umbrella term referring to security audit exercises. A vulnerability assessment identifies and classifies the known vulnerabilities in a system; it is an automated process using scanners, and no manual exploitation is involved. Manual pentesting, by contrast, involves safely exploiting the vulnerabilities identified during the test. This article does not cover the protection of physical assets such as hardware, premises or people – that is covered under physical security penetration testing.
Different Approaches to Penetration Testing (Intrusion testing)
The three penetration testing types are black box, grey box and white box penetration testing, also known as black hat, grey hat and white hat hacking. What distinguishes them is the level of prior knowledge and access to the asset given to the tester. The following presents each scenario with its advantages and disadvantages.
What is black box penetration testing?
A black box pen test starts with no prior knowledge and zero access to the target. Also known as a blind or covert pen test, an example of a black box pen test is a website security assessment with no information and no user access. In this scenario a security consultant or ethical hacker takes the role of an internet user browsing the website. An attack plan is prepared from the functionality and information derived from the exposed functions, such as information leakage, technology footprints, the login function, the forgotten-password function, or similar web pages that accept dynamic input.
A similar scenario on the network side would be a security consultant carrying out a pen test with zero prior knowledge. Usually, this scenario involves a security consultant inside the client’s premises, starting with a network connection. From here onwards, a lot of information gathering or reconnaissance is performed to find internal network information and prepare an attack layout based on identified assets’ properties.
Examples include wireless network pen tests, because insecure wireless networks are often a gateway into corporate or production networks, allowing network-wide internal access. Despite a secure network infrastructure around the external network and wired networks, an access point weakness or an insecure wireless network could be an entry point for attackers. Other network tests include testing IPS/IDS evasion, firewalls, or other devices and assets from an unauthenticated threat actor’s view. Such testing detects incorrect product builds and improper configuration files, or identifies issues with the people element caused by a lack of awareness, by employing social engineering techniques.
Social engineering tests fall into this category, as no information is provided before the project commences. The most common attacks carried out by a pen tester range from email-based phishing attacks, voice-based vishing and SMS-based smishing to physical attack vectors such as tailgating, dumpster diving, eavesdropping, gifts and impostors (posing as vendors or employees). Social engineering tests are performed to validate awareness campaigns and programmes and to validate the digital and physical controls in an organisation. It is one of the most effective ways to mitigate attacks involving human factors.
Black box penetration testing
Advantages of black box pen testing
- These penetration tests simulate an attacker’s perspective as closely as possible to real conditions, performed from an unauthorised outsider perspective.
- It is reproducible and efficient on larger systems, where externally facing vulnerabilities could pose significant risks leading to loss of sensitive information.
Disadvantages of black box testing
- It does not cover in-depth assessment as compared to white-box tests.
- It is performed against production environments in the case of an active directory or internal LAN/networks.
Grey box penetration testing
A grey box pentest involves some level of knowledge of, and some access to, the target. An example of such a test is a website security assessment with low-level user access. Security vulnerabilities may be identified in the underlying operating system, services or related systems as a result of misconfiguration.
Advantages of grey box pentest
- Grey-box pen testing is used to test web applications and APIs where privileged user information is used to assess the applications. It is used as input to simulate various threat scenarios to discover privilege escalation vulnerabilities and other issues such as cross-site scripting, SQL injection, broken authentication and session management issues that could allow users to escalate privileges horizontally or vertically.
- Greater knowledge of and access to asset resources such as architecture, design and security control documentation can reduce the effort needed to uncover flaws.
Disadvantages of grey box pen testing
- A penetration tester cannot access source code and may miss critical vulnerabilities.
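The horizontal and vertical privilege escalation checks described above, as an added illustration that is not Cyphere’s code or methodology: a constructed in-memory order store with a vulnerable handler that trusts the record id alone, a hardened handler that also checks ownership and role, and a check driven with the two low-privilege accounts a grey-box engagement would typically be issued. The store, handler names and accounts are all assumptions made for the example.

```python
"""Grey-box access-control check: two ordinary users, one admin.

Constructed example (not Cyphere's code): an in-memory order store with a
vulnerable handler that trusts the order id alone, a hardened handler that
also checks ownership and role, and check_access_controls(), which drives
either pair of handlers with the test accounts a grey-box test is given.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "user" or "admin"


# Constructed sample data: which user owns which order.
ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 13.5},
}


class Forbidden(Exception):
    """Raised by the hardened handlers when an authorisation check fails."""


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """Authenticated but not authorised: any logged-in user reads any order."""
    return ORDERS[order_id]


def get_order_hardened(session: Session, order_id: int) -> dict:
    """Object-level check: only the owner or an admin may read the order."""
    order = ORDERS[order_id]
    if session.role != "admin" and order["owner"] != session.user_id:
        raise Forbidden(f"{session.user_id} may not read order {order_id}")
    return order


def export_all_orders_vulnerable(session: Session) -> list:
    """Admin-only function that never checks the role (vertical escalation)."""
    return list(ORDERS.values())


def export_all_orders_hardened(session: Session) -> list:
    """Function-level check: the admin role is required."""
    if session.role != "admin":
        raise Forbidden("admin role required")
    return list(ORDERS.values())


def check_access_controls(get_order, export_all) -> dict:
    """Report which escalation paths the given handlers allow.

    alice and bob are the two ordinary test accounts; an admin session is
    used only to confirm that legitimate access still works.
    """
    alice = Session("alice", "user")
    bob = Session("bob", "user")
    findings = {"horizontal": False, "vertical": False}

    # Horizontal: can bob read alice's order (1001) just by knowing its id?
    try:
        get_order(bob, 1001)
        findings["horizontal"] = True
    except Forbidden:
        pass

    # Vertical: can an ordinary user call the admin-only export?
    try:
        export_all(alice)
        findings["vertical"] = True
    except Forbidden:
        pass

    # Sanity checks: the hardened handlers must not break legitimate use.
    assert get_order(alice, 1001)["owner"] == "alice"
    assert len(export_all(Session("root", "admin"))) == len(ORDERS)
    return findings


if __name__ == "__main__":
    print("vulnerable:", check_access_controls(get_order_vulnerable, export_all_orders_vulnerable))
    print("hardened:  ", check_access_controls(get_order_hardened, export_all_orders_hardened))
```

The same two-account pattern carries over to a real engagement: every object id and privileged function is exercised once from each low-privilege session, and any success that the owner/role rules should have denied is a finding.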
White box penetration testing
A white box pen test grants the security consultant the highest level of knowledge of and access to the target. An example of such a test is web application penetration testing where multiple user levels, including CMS admin, and information such as the security architecture, design documents and source code access are supplied to the security consultant (or pen tester). The ethical hacker then uses tools such as Burp Suite, Fiddler, etc. to approach the white box assessment manually, or reviews the source code as the requirements dictate.
During this pentest, you equip security consultants with all the information, as if they were an extension of your security team. A white box test aims for the widest possible coverage of security issues. None of the other pen test approaches offers this depth of analysis techniques (static analysis and dynamic analysis). For instance, a source code review covers everything about how an application behaves: it looks at elements such as the HLD / design documentation, the programming language and use of safe functions, source code issues, any comments left by developers, etc. This in-depth output on the white box pen test investment leads to stronger software security and fewer threats related to data breaches.
White box pen testing is performed during software development, before major releases or during changes. Many dangerous bugs identified in this field are not simple programming errors or OWASP Top 10 issues. Sometimes they are a chain of vulnerabilities linked together to form a credible attack that is high in both impact and likelihood. It is your answer to how cyber security, where it has been neglected, can be addressed properly.
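An added example of the static-analysis side of a white box review, not Cyphere’s tooling: a small Python script that walks a source file’s syntax tree for calls a reviewer would want to look at by hand (dynamic code evaluation, untrusted deserialisation, shell command construction) and scans comments for leftover developer notes. The rule set and the sample source it runs over are constructed for the example; a real review uses a full SAST tool alongside a manual read.

```python
"""White-box source review helper: flag risky calls and leftover developer notes.

Added example (not Cyphere's code): a small static check over Python source
using only the standard-library ast and tokenize modules. The rule set is a
constructed, deliberately short list of patterns a manual code review looks
for; it is a starting point for the reviewer, not a verdict.
"""
import ast
import io
import re
import tokenize

# Constructed rule set: call names that warrant a manual look.
RISKY_CALLS = {
    "eval": "dynamic code evaluation",
    "exec": "dynamic code execution",
    "pickle.loads": "untrusted deserialisation",
    "os.system": "command execution via shell",
}
# Developer comments that often mark unfinished or sensitive code.
COMMENT_PATTERN = re.compile(r"\b(TODO|FIXME|HACK|password|secret)\b", re.IGNORECASE)


def _call_name(node: ast.Call) -> str:
    """Render eval(...) as 'eval' and pickle.loads(...) as 'pickle.loads'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def review_source(source: str) -> list:
    """Return sorted (line, message) findings for the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, f"{name}: {RISKY_CALLS[name]}"))
        if name.startswith("subprocess.") and _shell_true(node):
            findings.append((node.lineno, f"{name}: shell=True with built command"))
    # Comments are not part of the AST, so walk the token stream for them.
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and COMMENT_PATTERN.search(tok.string):
            findings.append((tok.start[0], f"developer note: {tok.string.strip()}"))
    return sorted(findings)


# Constructed sample source containing each kind of issue above.
SAMPLE = '''\
import pickle, subprocess
def load(blob):
    return pickle.loads(blob)  # FIXME: replace with json
def run(cmd):
    subprocess.call("ping " + cmd, shell=True)
def calc(expr):
    return eval(expr)
# temporary admin password: hunter2
'''

if __name__ == "__main__":
    for line, msg in review_source(SAMPLE):
        print(f"line {line}: {msg}")
```

Each finding is a line number plus a reason, which is the shape a reviewer needs to cross-reference against the design documentation and decide whether the flagged call is reachable from untrusted input.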
Advantages of white box testing
This testing offers the most comprehensive assessment covering internal and external vulnerabilities. White box testing advantages equip businesses with in-depth views. Some of these benefits are:
- It is budget-friendly and the fastest exercise to find vulnerabilities.
- A helpful exercise to know the different paths a threat actor may take to compromise the assets in scope.
- It is aimed at the most pressing security concerns directly relevant to the assets in scope.
- It involves coordination between development and white-box penetration testers, adding to the highest possible accuracy-based results.
Disadvantages of white box testing
- Assessments can be more difficult and exploitation more limited where live systems in scope could be impacted.
- Test cases are challenging to design due to environment-specific metrics, and finding vulnerabilities may take longer than other tests.
Black box vs white box penetration testing
The following image presents differences between grey box vs black box vs white box pen testing.
Blind penetration testing refers to the simulation of an actual cyber attack. It helps teams understand the threat actor’s modus operandi by starting the exercise with very limited information before testing commences. For example, a blind pen test may start with just a company name.
Double blind penetration testing is an advanced version of the blind pen test, used when a stealth campaign is the objective of the assessment. Only the one or two people in the target business who authorise the assessment know about it.
Double blind helps businesses evaluate their responses in real-time and improve their people, processes and technological controls.
Different Types of Penetration Testing
Penetration testing is categorised by the type of asset under test, i.e. cloud, network, web applications, mobile applications, personnel, etc. The following lists the various penetration testing categories.
Network penetration testing
Infrastructure (or network) pentesting covers a broad spectrum of levels, including single build reviews, segregation reviews, to network-wide assessments based on real-world test cases. Network pen tests consist of the following:
- Internal/External Network Penetration test
- Firewall Security Assessment
- Wireless Pentesting
- IT Health Check (entire organisation)
- Active Directory Security Assessment
- Server Build Review
- Device Audits
- Network Segregation Review
Web application penetration testing
Web application pen testing is a great way to see if you are secure for trading on the internet or if your database is open to risks. It consists of the following:
- Web Application Security Testing is aimed at identifying issues such as SQL injection, cross-site scripting attacks, bypassing access controls or broken authentication to gain unauthorised access
- Web Services / API Security Assessment
- Secure Code Review
- Application Threat Modelling
- Database Security Review
- Thick Client Applications
The above services also include assessments of CMS-based websites, such as checking for WordPress vulnerabilities, Joomla security scanning, etc. The assessment methodology involves web application security test scenarios, including OWASP Top 10 Web Application issues, OWASP Top 10 API risks and other modern real-world test cases.
Cloud penetration testing
This test is crucial if you store data in the cloud. The security of any cloud-based operating systems and applications needs to be continuously maintained and tested. Cloud pentesting consists of the following:
- Cloud Configuration Review
- Cloud Service Testing
- Cloud Security Testing, such as Google cloud penetration testing
- Office 365 Tenancy Configuration Reviews (known as Office 365 pen test or Office 365 security review)
- AWS & Azure Pentest
- Container security
Cyber attack simulation
Cyberattack simulations are commonly designed with multi-step attack scenarios to check how defensive controls react during a real-time attack. This includes red teaming (a simulation of a real-life attack, carried out to assess attack preparedness) and blue/purple teaming (working in collaboration with your security teams so that the exercise is a learning experience that improves your detection).
For the buyers, it is essential to understand the differences between red teaming and pen testing. Red team pentesting versus pen testing – read which is the right choice for your business.
Cyber Attack Simulations will usually consist of the following:
- Red Team Assessment
- OSINT (Open Source Intelligence) Assessment
- Phishing Campaigns (Bulk, targeted/spear-phishing)
- Social Engineering
Mobile penetration testing
Mobile pen testing tests your mobile applications before they go live to reduce the chances of a data breach or other security vulnerabilities. An insecure application could compromise sensitive data or the device itself. It usually consists of the following:
- Mobile Application Security Testing
- Secure Code Review
Bespoke security reviews
This comprehensive cybersecurity audit covers supply chain risk, M&A due diligence, IoT, advanced penetration testing scenarios, and bespoke projects that can be tailored to your company’s security needs.
- Product Security Assessment / Security Evaluation Criteria
- IoT Security
- Remote Access Assessment
- Supply Chain Vulnerability Assessment
- M&A Cyber Security Due Diligence
- Compliance Penetration Testing
- Social engineering penetration testing
Physical penetration testing simulates attempts to obtain physical access to an organisation to identify vulnerabilities and bypass physical security controls, i.e. access controls at the entrances, between the floors, around the building, etc.
Examples of Penetration Testing
- Web Application Penetration Testing: This includes performing an application security assessment aimed at OWASP Top 10 risk identification, including XSS (Cross-Site Scripting), SQL injection, CSRF (Cross-Site Request Forgery), and other vulnerabilities.
- Network Penetration Testing: This involves simulating attacks on network infrastructure to identify weaknesses such as misconfigured devices, insecure protocols, and unauthorized access points.
- Active Directory Penetration Testing: Testing the security of Active Directory environments to uncover misconfigurations, weak authentication mechanisms, and potential privilege escalation paths.
- API Penetration Testing: Assessing the security of APIs (Application Programming Interfaces) to identify vulnerabilities such as insecure API endpoints, lack of proper authentication, and data exposure risks.
- AWS Cloud Penetration Testing: Evaluating the security posture of Amazon Web Services (AWS) environments, including configuration errors, identity and access management issues, and data storage vulnerabilities.
- Azure Cloud Penetration Testing: Similar to AWS testing, this involves assessing the security of Microsoft Azure environments, including identity management, network security, and data protection.
- Mobile Application Penetration Testing: Testing the security of mobile applications for both Android and iOS platforms, uncovering vulnerabilities such as insecure data storage, insufficient authentication, and insecure communication channels.
- Wireless Network Penetration Testing: Assessing the security of wireless networks to identify vulnerabilities such as weak encryption, rogue access points, and unauthorized connections.
- Social Engineering Penetration Testing: Testing the human element of security by attempting to manipulate individuals within the organization through techniques such as phishing, pretexting, and physical intrusion.
- IoT (Internet of Things) Penetration Testing: Evaluating the security of IoT devices and networks to uncover vulnerabilities such as weak authentication, insecure firmware, and lack of encryption.
- Physical Security Penetration Testing: Assessing the physical security measures of an organization by attempting unauthorized entry, bypassing access controls, and testing surveillance systems.
How does a pen test work?
At Cyphere, pen testing is one of our main cyber security service offerings for businesses, and service quality underpins everything we do.
The first step in the process is to get in touch with a cybersecurity professional or consultancy, such as ourselves. Customers sometimes think we go off on a tangent; understanding your business from you is the most important step. We ensure that gaining business insight and requirement analysis aligns with your business objectives.
We will then get to work and identify technical risks affecting software and hardware in your business. This test will then assure that the products, security configurations and controls are aligned with good practices. This information will be presented in an easy-to-understand report that will give you strategic recommendations and help you prepare a mitigation plan for an attack.
Not only do we provide you with a clear plan of action, but we also make sure this is communicated effectively at a technical and management level.
We offer SME security solutions for small businesses with multiple options to suit their requirements.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.