Penetration testing is a critical element in validating the security of electronic assets. With many different types of penetration testing, such as white box, black box and grey box penetration testing, it isn’t always easy for business owners to select the right one.
One of the most important first steps to take is to analyse the exploitable vulnerabilities that your business may have. This is known as pen testing, and in this blog, we’ll cover the basics, including types, tools and costs.
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. It provides cybersecurity assurance over an organisation’s assets.
By identifying these security flaws, businesses can determine the extent to which their electronic assets (people, process and technology) are exploitable and can then take the necessary steps to reduce the risk.
It is known by many other names: ethical hacking, cybersecurity assessment, covert penetration testing, intrusion testing, technical security audit or technical risk assessment. Vulnerability assessment and pentesting are often used interchangeably, but they are different services altogether. In certain regions, specifically Asia, VAPT (vulnerability assessment and penetration testing) is an umbrella term referring to security audit exercises.
A vulnerability assessment identifies and classifies the known vulnerabilities in a system. It is an automated process using scanners, and no manual exploitation is part of it. A manual pentest goes further: the tester safely exploits the vulnerabilities identified during the test to demonstrate their real impact. This article does not cover the protection of physical assets such as hardware, premises or people; that falls under physical security penetration testing.
Types of Penetration Testing (Intrusion testing)
The three types of pen test are black box, grey box and white box penetration testing. They are sometimes loosely called black hat, grey hat and white hat testing, but the "hat" terms properly describe a hacker’s authorisation and intent, not the tester’s level of knowledge. The box types are defined by the level of prior knowledge and the level of access to the asset provided to the tester. The following presents each scenario with its advantages and disadvantages.
What is black box penetration testing?
A black box pen test starts with no prior knowledge and zero access to the target. It is also known as a blind or covert pen test. An example is a website security assessment with no information and no user account: the security consultant takes the role of an internet user browsing the website. An attack plan is then prepared from the functionality and information exposed by the site, such as information leakage, technology footprints, the login function, the forgotten-password function, or any other page that accepts dynamic input.
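The first two things a black-box web tester does with nothing but a browser are fingerprint the technology stack from what the server leaks, and compare how the login and forgotten-password functions respond to a real username versus a made-up one. The following script is an added example (not code from the original article or from Cyphere) that runs both checks over constructed `Response` objects; in a real test the responses would come from live requests, and response timing would be compared as well.

```python
"""Black-box web reconnaissance over constructed HTTP responses.

1. technology footprint leaked by headers, cookie names and HTML meta tags;
2. username enumeration: does the forgotten-password page answer differently
   for a valid and an invalid username?
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not from a live site)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Headers that commonly carry product/version strings, with how to render them.
HEADER_MARKERS = {
    "Server": lambda v: v,                     # e.g. "Apache/2.4.41 (Ubuntu)"
    "X-Powered-By": lambda v: v,               # e.g. "PHP/7.4.3"
    "X-AspNet-Version": lambda v: "ASP.NET " + v,
    "X-Generator": lambda v: v,
}
# Session cookie names that identify the platform behind the site.
COOKIE_MARKERS = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
    "wordpress_logged_in": "WordPress",
}


def technology_footprint(resp: Response) -> list[str]:
    """Return technology hints leaked by headers, cookies and <meta generator>."""
    hints = []
    for name, render in HEADER_MARKERS.items():
        for header, value in resp.headers.items():
            if header.lower() == name.lower():      # header names are case-insensitive
                hints.append(render(value))
    set_cookie = " ".join(v for h, v in resp.headers.items() if h.lower() == "set-cookie")
    for cookie, tech in COOKIE_MARKERS.items():
        if cookie in set_cookie:
            hints.append(f"{tech} (cookie {cookie})")
    for m in re.finditer(r'<meta\s+name="generator"\s+content="([^"]+)"', resp.body, re.I):
        hints.append(m.group(1))
    return hints


def username_enumeration(valid: Response, invalid: Response) -> list[str]:
    """Compare the forgotten-password responses for a known-valid username and a
    random one. Any observable difference lets an attacker confirm which
    accounts exist; the fix is an identical response for both cases."""
    findings = []
    if valid.status != invalid.status:
        findings.append(f"status differs: {valid.status} vs {invalid.status}")
    if valid.body.strip() != invalid.body.strip():
        findings.append("response body differs")
    return findings


# Constructed sample responses (hypothetical target, not a real site).
HOMEPAGE = Response(
    200,
    {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
     "Set-Cookie": "PHPSESSID=abc123; path=/"},
    '<html><head><meta name="generator" content="WordPress 5.8"></head></html>',
)
RESET_VALID = Response(200, {}, "A password reset link has been sent to your email.")
RESET_INVALID = Response(200, {}, "No account was found for that username.")

if __name__ == "__main__":
    print(technology_footprint(HOMEPAGE))
    print(username_enumeration(RESET_VALID, RESET_INVALID))
```

Each hint on its own is low severity; their value is that they turn an anonymous website into a list of specific products and versions to research, which is exactly the footprinting step the paragraph describes.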
A similar scenario on the network side is a security consultant carrying out a pen test with zero prior knowledge. Usually the consultant is inside the client premises, starting with nothing more than a network connection. From there, extensive information gathering (reconnaissance) is performed to map the internal network and prepare an attack plan based on the properties of the identified assets. Wireless network pen tests are a common example, because insecure wireless networks are often a gateway into corporate or production networks, giving network-wide internal access. Even with a well-secured external and wired infrastructure, a weak access point or insecure wireless network can be an attacker’s entry point. Other network tests include IPS/IDS evasion, firewall testing, and assessing other devices and assets from an unauthenticated threat actor’s point of view.
Social engineering tests also fall into this category, as no information is provided before the engagement starts. The most common social engineering attacks carried out by penetration testers are email-based phishing, voice-based vishing, SMS-based smishing, and physical attack vectors such as tailgating, dumpster diving, eavesdropping, gifts and impostors (posing as vendors or employees). Social engineering tests validate awareness campaigns and programmes as well as the digital and physical controls in an organisation. They are one of the most effective ways to reduce the risk of attacks that exploit human factors.
Advantages of black box testing
- These penetration tests simulate an attacker’s perspective as closely as possible to real conditions. It is performed from an unauthorised outsider perspective.
- It is reproducible and efficient on larger systems, where externally facing vulnerabilities carry the greatest risk of sensitive information loss.
Disadvantages of black box testing
- It does not provide the depth of assessment that a white box test does; issues only reachable with credentials, documentation or source code will be missed.
- For Active Directory and internal LAN tests it is performed against production environments, so testing has to be planned to avoid disruption.
Grey box security audit (or grey box penetration testing)
A grey box pentest involves some level of knowledge of and some access to the target. An example is a website security assessment performed with a low-privileged user account.
Advantages of grey box pentest
- Grey box pen testing is used for web applications and APIs where user credentials are supplied to assess the application from an authenticated position. These are used to simulate threat scenarios that uncover privilege escalation vulnerabilities, along with issues such as cross-site scripting, SQL injection, and broken authentication and session management, that could let a user escalate privileges horizontally (to another user’s data) or vertically (to a higher role).
- Greater knowledge and access to asset resources such as architecture, design, security controls documentation can help reduce the effort needed to uncover flaws.
Disadvantages of grey box security testing
- The penetration tester does not have access to source code and may miss critical vulnerabilities that a source-level review would reveal.
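The privilege escalation checks described above are easiest to see against a concrete API. The following added example (not code from the original article or from Cyphere) uses a constructed in-memory invoice service with two hypothetical low-privileged accounts, `alice` and `bob`, plus an admin, `carol`. The endpoints are shown in a vulnerable form, which only checks that the caller is logged in, and a hardened form with object-level and function-level authorisation; `check_privilege_escalation` is the grey box test a tester would run with the supplied credentials.

```python
"""Grey-box authorisation test: given two ordinary user sessions, can one read
the other's data (horizontal escalation) or reach an admin-only function
(vertical escalation)? Target app is a constructed stand-in."""

# Constructed data: two ordinary users, one admin, and their invoices.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 980.50},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}


class Forbidden(Exception):
    """Raised when a request is rejected (unauthenticated or unauthorised)."""


def _whoami(token):
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("not authenticated")
    return user


# --- vulnerable endpoints: authentication only, no ownership or role check ---
def get_invoice_vulnerable(token, invoice_id):
    _whoami(token)                        # logged in? then serve any invoice
    return INVOICES[invoice_id]


def list_all_users_vulnerable(token):
    _whoami(token)                        # admin function with no role check
    return sorted(USERS)


# --- hardened endpoints: object-level and function-level authorisation ------
def get_invoice_hardened(token, invoice_id):
    user = _whoami(token)
    inv = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours": do not leak valid ids.
    if inv is None or inv["owner"] != user:
        raise Forbidden("no such invoice")
    return inv


def list_all_users_hardened(token):
    user = _whoami(token)
    if USERS[user]["role"] != "admin":
        raise Forbidden("admin only")
    return sorted(USERS)


# --- the grey-box checks -----------------------------------------------------
def check_privilege_escalation(get_invoice, list_all_users):
    """Run both escalation probes against the given endpoint implementations
    and return the findings (an empty list means both probes were blocked)."""
    findings = []
    # Horizontal: alice requests bob's invoice (id 102) with her own session.
    try:
        get_invoice("tok-alice", 102)
        findings.append("horizontal: alice can read bob's invoice 102")
    except Forbidden:
        pass
    # Vertical: bob (role 'user') calls the admin-only user listing.
    try:
        list_all_users("tok-bob")
        findings.append("vertical: non-admin bob can list all users")
    except Forbidden:
        pass
    return findings


if __name__ == "__main__":
    print(check_privilege_escalation(get_invoice_vulnerable, list_all_users_vulnerable))
    print(check_privilege_escalation(get_invoice_hardened, list_all_users_hardened))
```

The horizontal probe is the one that a black box test cannot run at all, since it needs two valid accounts to compare; that is the practical reason grey box testing is the usual choice for authenticated web applications and APIs.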
What is white box penetration testing?
A white box pen test grants the security consultant the highest level of knowledge of and access to the target. An example is a web application penetration test in which multiple user levels, including CMS admin, and information such as the security architecture, design documents and/or source code are supplied to the security consultant (the pen tester).
During this pentest, you equip the security consultants with all the information they need, as if they were an extension of your security team. The goal of a white box test is to get as much coverage of security issues as possible. None of the other pen test approaches offers this depth of analysis.
Many of the most dangerous bugs identified in this way are not simple programming errors or OWASP Top 10 issues. Sometimes they are a chain of lower-severity vulnerabilities that, linked together, form a credible attack that is high in both impact and likelihood.
Advantages of white box testing
This testing offers the most comprehensive assessment covering internal and external vulnerabilities. White box testing advantages equip businesses with in-depth views. Some of these benefits are:
- It is the most cost-effective way to find vulnerabilities, since testers do not spend time rediscovering what the documentation and source code already reveal.
- A helpful exercise to know the different paths a threat actor may take to compromise the assets in scope.
- It is aimed at the most pressing security concerns directly relevant to the assets in scope.
- It involves coordination between the development team and the white box pentesters, which produces the most accurate results.
Disadvantages of white box testing
- Exploitation may be limited where it would have a live impact on the current state of the production systems in scope, which makes parts of the assessment harder to carry out.
- Test cases are harder to design because they depend on environment-specific factors, and finding vulnerabilities may take longer than in other tests.
Black box vs white box penetration testing
The following image presents differences between grey box vs black box vs white box pen testing.
Blind penetration testing refers to the simulation of a real cyber attack. It helps teams understand the threat actor’s modus operandi by starting the exercise with very limited information before testing commences. For example, a blind pen test may start with just a company name.
Double blind penetration testing is an advanced version of the blind pen test when a stealth campaign is the objective of the assessment. Only one or two people in the target business who authorise this assessment are aware of this.
Double blind helps businesses evaluate their responses in real-time and improve their people, process and technological controls.
Penetration testing categories based on targets
Penetration tests can also be categorised by the type of asset targeted, i.e. cloud, network, web applications, mobile applications, personnel, etc. The following lists the various penetration testing categories.
Network penetration testing
Infrastructure (or network) pentesting covers a broad spectrum, from single build reviews and segregation reviews to network-wide assessments based on real-world test cases. Network pen tests consist of:
- Internal/External Network Penetration test
- Firewall Security Assessment
- Wireless Pentesting
- IT Health Check (entire organisation)
- Active Directory Security Review
- Server Build Review
- Device Audits
- Network Segregation Review
Web application penetration testing
Web application pen testing is a good way to find out whether it is safe to trade on the internet and whether your database is exposed to risk. It consists of:
- Web Application Security Testing
- Web Services / API Security Assessment
- Secure Code Review
- Application Threat Modelling
- Database Security Review
- Thick Client Applications
The above services also include assessments of CMS-based websites, such as checking for WordPress vulnerabilities, Joomla security scanning and the like. The assessment methodology covers web application security test scenarios including the OWASP Top 10 web application issues, the OWASP Top 10 API risks and other modern real-world test cases.
Cloud penetration testing
This test is crucial if you store data in the cloud. The security of any cloud-based operating systems and applications needs to be continuously maintained and tested. Cloud pentesting consists of:
- Cloud Configuration Review
- Cloud Service Testing
- Cloud Security Testing such as Google cloud penetration testing
- Office 365 Tenancy Configuration Reviews (known as Office 365 pen test or Office 365 security review)
- AWS & Azure Pentest
- Container security
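A cloud configuration review is largely a matter of reading the provider’s configuration export and flagging settings that contradict good practice. The following added example (not code from the original article or from Cyphere) runs one such check: it reads a document shaped like the JSON that `aws ec2 describe-security-groups` returns and reports inbound rules that expose management or database ports to the whole internet. The sample data is constructed for the example and shows the weak rule alongside the corrected one, where SSH is restricted to a hypothetical office VPN range.

```python
"""Cloud configuration review: find security-group ingress rules that open
sensitive ports to 0.0.0.0/0 or ::/0. Input shape follows the AWS
describe-security-groups JSON; the data below is constructed, not from an account."""
import json

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: one group with the weak rules, one with the corrected rules.
SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0badbad0", "GroupName": "bastion-weak",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0600d600", "GroupName": "bastion-fixed",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office VPN egress"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
      ]
    }
  ]
}
""")


def _exposed_services(rule):
    """Describe the sensitive services a rule covers; empty if none."""
    if rule.get("IpProtocol") == "-1":            # "all traffic" rule
        return ["all protocols/ports"]
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [f"{name} ({port})" for port, name in sorted(SENSITIVE_PORTS.items())
            if lo <= port <= hi]


def _rule_sources(rule):
    """All IPv4 and IPv6 CIDR sources a rule accepts traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def review_security_groups(doc):
    """Return (group_id, service, source) for every sensitive service a group
    exposes to the whole internet. An empty list means the check passed."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            world = [src for src in _rule_sources(rule) if src in ANYWHERE]
            for service in _exposed_services(rule):
                for src in world:
                    findings.append((sg["GroupId"], service, src))
    return findings


if __name__ == "__main__":
    for group_id, service, src in review_security_groups(SAMPLE):
        print(f"{group_id}: {service} open to {src}")
```

Note that the corrected group still allows HTTPS from anywhere; the check is deliberately about ports that should only be reachable from trusted ranges, not about every world-open rule, because a public web service legitimately listens on 443.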
Cyber attack simulation
Cyberattack simulations are commonly designed as multi-step attack scenarios to check how defensive controls react during a real-time attack. They include red teaming (a simulation of a real-life attack to assess attack preparedness) and blue/purple teaming (working in collaboration with your security teams so that the exercise improves your detection and response).
For buyers, it is essential to understand the differences between red teaming and pen testing before deciding which one is the right choice for the business.
Cyber Attack Simulations will usually consist of:
- Red Team Assessment
- OSINT (Open Source Intelligence) Assessment
- Phishing Campaigns (Bulk, targeted/spear-phishing)
- Social Engineering
Mobile penetration testing
Mobile pen testing will test your mobile applications before they go live to reduce the chances of a data breach or other security vulnerabilities. If you have an insecure application, you could be compromising sensitive data or the device itself. It usually consists of:
- Mobile Application Security Testing
- Secure Code Review
Bespoke security reviews
This comprehensive cybersecurity audit covers supply chain risk, M&A due diligence, IoT and a range of advanced penetration testing scenarios and bespoke projects that can be tailored for your company’s security needs.
- Product Security Assessment / Security Evaluation Criteria
- IoT Security
- Remote Access Assessment
- Supply Chain Vulnerability Assessment
- M&A Cyber Security Due Diligence
- Compliance Penetration Testing
How does a pen test work?
At Cyphere, pen testing is one of our main cyber security service offerings for businesses. Service quality underpins everything we do.
The first step in the process is to get in touch with a cybersecurity professional or consultancy, such as ourselves. Customers sometimes think we go off at a tangent; understanding your business from you is the most important step. We ensure that gaining business insight and requirement analysis is in line with your business objectives.
We will then get to work and identify technical risks affecting software and hardware in your business. This test will then assure that the products, security configurations and controls are configured in line with good practices. This information will be presented to you in an easy to understand report that will give you strategic recommendations and help you prepare a mitigation plan for an attack.
Not only do we provide you with a clear plan of action, but we also make sure this is communicated effectively at a technical and management level.
How much does a penetration test cost?
Penetration testing service cost or pricing calculation is more or less similar across the industry. Penetration testing costs vary based on the time and resources invested in the services delivered. Scope varies from a single asset (one server or one network) to a multi-component asset (an eCommerce setup with a website, API, database and load balancers), and the environmental factors around the asset play a key role. Our assessment pricing is transparent about the sub-elements of a project, the effort estimate and the project-related phases (project management, data analysis, reporting), so the buyer can decide what is best for them.
For small businesses, we offer SME security solutions with multiple options to suit their requirements.