Penetration Testing Service – FAQ
Over the past few years, more and more small businesses have been turning to penetration testing service as a way of assessing their security. The first thing you need to know about pentesting is that it’s not a one-size-fits-all solution. Read the following FAQ to know about penetration testing services, assignments, approach, costs and much more.
Get in touch
Security Assessments / Penetration Testing
Frequently Asked Questions
Penetration testing is the process of simulating an attack on a computer system to identify vulnerabilities that an attacker could exploit.
A pentest provides significant value to the business. For the management team, it provides a benchmark of the target assets’ (e.g. an application, an organisation or a network) risk levels and mitigation advice, that helps to prioritise risk remediation.
For technical teams, it is a validation exercise of security controls in place and a learning exercise to avoid similar issues in future.
A penetration test is an exercise to identify technical risks affecting software and hardware in scope. An accurately scoped penetration can add an assurance that the products and security configurations, controls are configured in line with good practices, and no common or publicly known vulnerabilities affect the assets in scope, at the time of the test.
Pen testing can be used as part of a risk assessment or compliance exercise, so it should always be justified with the potential risks and costs associated with the projects.
Main benefits include increased awareness about security issues, reduced operational risks for organisations and input factor into wider IT strategy.
- UK Computer Misuse Act 1990
- UK Data Protection Act 1998
- UK Data Protection Act 2018 (GDPR)
- Human Rights Act 1998
- Police and Justice Act 2006
We help customers with IT security compliance requirements. Our assessment methodology covers well-known security standards like OWASP or SANS Critical Security Controls (among others).
For PCI DSS, GDPR, Cyber Essentials or other regulatory specific requirements, you must mention this as the requirement when scoping assessments with Cyphere.
Cyphere’s assessments are designed to be as safe and inconsequential for the customer, while also providing an accurate analysis of their weaknesses. Our assessment methodology ensures that all our assessments are performed with high technical standards, and taking into account any fragile components discussed during project meetings.For PCI DSS, GDPR, Cyber Essentials or other regulatory specific requirements, you must mention this as the requirement when scoping assessments with Cyphere.
- Customer Business Insight & Requirements Capture
- Services Proposal
- Execution
- Delivery
- Debrief & After-care Support
We take customer communication as seriously as the technical elements of the job. We engage with customers throughout a project, ensuring that contacts are up to date in the language they understand and never forgetting about them even after work has been completed. Post engagement, we provide free debriefs for management and technical audiences so it becomes easier to analyse and prepare risk remediation work.
We take customer communication as seriously as the technical elements of the job. We engage with customers throughout a project, ensuring that contacts are up to date in the language they understand and never forgetting about them even after work has been completed. Post engagement, we provide free debriefs for management and technical audiences so it becomes easier to analyse and prepare risk remediation work.
The duration of an assessment varies based on the required focus and the size of the target asset. For instance, an application with dynamic content, integrated authentication and payment modules along with form fields would take longer to assess than a static website with a simple search function. Similarly, network assessments include restrictions, size, accessibility factors while determining the timescales.
Penetration testing pricing is calculated based on the attack scenarios and the time invested in the assessment. A simple web application assessment (considered small) can be conducted within 3-4 days. A large corporate web application with multiple modules may require a few weeks.
All our pricing provides a breakdown to ensure transparency and flexibility for clients to make an informed choice.
Penetration testing is an essential part of security for networks, apps and endpoints. It helps to protect against external threats by making sure the system control is safeguarded from unwanted access – whether outside or inside the organisation.
Many a time, penetration testing can be performed remotely. We provide our external IP addresses during every remote assignment so that customer logging and monitoring processes and procedures are aware of this activity.
- Which assets pose risk by highlighting the vulnerabilities and associated risks?
- What is the impact and likelihood of the attacks associated with identified threats?
- How our remediation advice (both tactical and strategic levels) is helpful?
Penetration testing can be a white box, black box or grey box assessment depending upon the business requirements. These types cover different threat scenarios to an asset. Read types of penetration testing in detail. The following penetration tests are categorised based on targets:
- Network penetration testing
- Web application and API penetration testing
- Cloud penetration testing
- Mobile penetration testing
- Bespoke security reviews such as Red Team Operations, M&A transactions, IoT, etc.
A penetration test methodology is like a rulebook that defines the logic based on the threat scenarios, tests to be carried out to assess a target’s security.
Our Penetration testing methodology involves these phases:
- Initial Scoping and Objectives Agreement
- Reconnaissance
- Scanning
- Exploitation
- Cleanup, data analysis and reporting
- Remediation (optional)
Both approaches are needed and are helpful to security teams as part of a wider security strategy.
Automated security assessments (e.g. vulnerability scanning) cover more breadth than depth and also come with certain downsides like false positives. The manual assessment such as penetration testing ensures depth due to the skill-set by offering exploitation, tweaking the test cases in line with the customer environment and also pick up on issues such as logic flaws that remain undetected with software-based scanners.
Generally, security assessments are linked with change. When a change i.e. a network refresh, application improvement happens in your environment, a pen test is conducted to identify gaps and analyse the associated risks. It is ideal to test any asset before it is released in the production environment.
- Define the scope as accurately as possible – this impacts the results.
- Carry out a risk assessment that aims to find security objectives for the business to protect its assets.
- Define test plans including change management processes, contacts, escalation points, pre-requisites and schedules.
A penetration test may be performed on any type of computer, including laptops, desktops, servers, mobile devices, tablets and even smart home systems. After an asset is selected, the threat surface is taken into account to decide whether white box, black box or grey box assessment is best suited. This information is made available to penetration testers (security consultants) who prepare and agree on different test cases to be conducted during the pen test. A pen test is followed by a comprehensive report aimed at management and technical audiences providing the supplemental information, analysis of risks identified, probability and impact of the risk along with remedial actions.
An internal pen test is a type of penetration testing, which work by looking for vulnerabilities inside an organisation’s network. External pen tests are performed remotely by ethical hackers who search the internet-facing assets like email and web servers for security vulnerabilities.
A vulnerability scan is a type of diagnostic that tests the security of a system by looking for security holes in software, applications or networks.
A penetration test, on the other hand, is more rigorous than a vulnerability scan and often includes exploiting vulnerabilities to determine what would happen if an attacker were successful.
AWS penetration testing, also known as AWS security assessment or AWS vulnerability analysis, is a process that helps organizations identify and mitigate risks in their Amazon Web Services (AWS). This helps identify gaps that may need to be addressed before a system is put into production, or in order to satisfy compliance requirements.
It is important to be aware of what can and can’t be tested in the cloud, read here.
A web application penetration test is a security audit conducted to identify vulnerabilities that may put the application users or the data at risk. This type of assessment is performed by a third-party security consultant and typically includes scanning for common vulnerabilities such as cross-site scripting (XSS), SQL injection, etc. that exploit known flaws in the applications. OWASP Top 10 methodology is followed in all our projects, as detailed here.
In order to protect your business from cybercriminals who are continuously looking for ways into your systems – whether it’s through malware or other types of attack – you need to conduct periodic security audits on all of your applications.
Mobile penetration testing is a process that helps to determine the security of an organization’s mobile applications and devices, including secure configuration reviews of mobile device management (MDM).
Mobile devices are popular targets for hackers because they can be easily lost or stolen and have access to many sensitive applications that contain important data.
- An outline of risk exposure for the tested assets
- Strategic and tactical recommendations on how to improve security posture
- Security issues identified during the assessment
- Risk levels in the context of likelihood and impact
- Recommendations to address the findings
- Customer support involving debriefs to ensure customer has a full understanding of their risks and risk remediation plan
Your trusted penetration testing services provider
What people say about us
CREST Approved Penetration Testing Service Offerings
Penetration tests differ in scope based on the attack surface and the target asset. This defines how long it will take and what all scenarios and pen test methodologies to be taken into account.
One of the first things you need to do is knowing about different types of pentests. For your organization to figure out what will best suit their needs, they’ll have to weigh in on which type may be more appropriate. A white box assessment of an application might be a good fit but when trying to simulate an insider attack scenario then grey-box or black-box assessments are available as an option.
Business requirements such as compliance, customer needs should be taken into account to define what would be the best fit. It would answer how regularly you should perform pen tests.
In order to stay secure, it is important that you identify and fix vulnerabilities. Once the report has been generated from your pentest, focus on fixing what’s most critical first since not all of them can be fixed immediately.
The good luck will come in handy.