Red teaming, ethical hacking, penetration testing—we’ve all heard it all. But what actually is Penetration Testing?
A mostly manual process carried out by experienced consultants, PenTesting uses some of the same methods and tools a real-life hacker would. As the recipient of one of these tests, you work with a consultant to define the scope of the test and set your target, and the tester goes to work attempting to breach it.
These tests are valuable because they prove the strength of your defense to your most important prospects and customers. But perhaps more importantly, they demonstrate what the potential consequences could be if a bad guy breaches your infrastructure.
People often confuse PenTesting with vulnerability scanning, and while both have their own place in your security program, there is a distinct difference.
Vulnerability scans are performed by an automated tool that searches against a huge database of vulnerabilities to determine if any are impacting your software. Our partners at OnSecurity have a scanner that runs over 40,000 checks. Impressive.
The thing is a vulnerability scan is just that—an automated scanner. PenTests, on the other hand, have got an actual human on the other end. A human actively digging around your network, trying to find vulnerabilities, misconfigurations, and sending you a nuanced report on what they find.
The generally understood process of bad guys hacking a company is this: bad guy targets company, bad guy finds vulnerability, bad guy infiltrates company. Sometimes this is the case, but often times the target is actually a much more opportunistic mark.
Attackers are constantly mass-scanning the internet using a list of known vulnerabilities including misconfigurations, unencrypted logins, or missing patches (like in the Microsoft Exchange Server data breach). If an organizational vulnerability pops up on an attackers scan, they’ve just made themselves a target.
Why did you do fire drills in grade school? They were usually a pain, and often resulted in an hour of wasted class time and a teacher making sure a seven-year-old hasn’t got trapped in the toilet. But the point of the drill is to expose points of weakness, which the administration would work with teachers to rectify.
Often you might think you have a solid plan, only for a practice run to expose glaring holes—this is what a PenTest is designed to do, too. Trusted consultants use the same tools and methodologies as a bad actor would, meaning you’re getting a true estimation of whether or not the typical opportunistic hacker could get into your network. And further, if the worst were to happen, how much data could they get access to?
The result of a PenTest is a report that lists your vulnerabilities and ranks them in order of severity. This gives your team a chance to prioritize your risk, resolve identified gaps, and give customers and prospects confidence in your security.
Many organizations now require you to prove you are serious about your security before they can work with you. A PenTest is a great way to do this, not to mention that one is required for a number of certifications including PCI/DSS (for payment card data), HIPAA, SOC 2 and ISO 27001 certifications.
Perhaps the most straightforward result, PenTests can help you prevent a breach by identifying issues before they lead to one. No one wants to deal with an incident, and preventing one can save dollars in incident response, recovery, fines, and reputational damage.
What actually happens in a PenTest?
It is up to you to decide what level of access to give your tester, but a PenTest can be carried out in one of three ways:
Black Box: No information is provided to the tester, and no login credentials
Grey Box: Limited information is shared with the tester, usually login credentials
White Box: The tester has as much knowledge of your network as possible, including credentials and often access to the code (if permitted)
Each test can serve a different purpose. Generally, black box testing is focused on analyzing perimeter security (how easy it is to get into your software?) whereas white box testing is more comprehensive of the entire target.
Once you’ve decided what type of test to undergo, scoping of your test is required. Your provider will estimate how long it’s going to take to do a thorough examination of your target and write up a report. You’ll hand over the required information about the target, and your test will begin.
Say you’re testing a web application. The first phase is information gathering, where your consultant will dig through your application and its environments, identifying and mapping your assets, and generally conducting reconnaissance. The purpose of this is to understand the size of the attack surface, and number of possible entry points.
Second, the tester then works to see if there’s any weaknesses in your application. Have you left something unpatched? Does your application have a known vulnerability that is easily identifiable?
Next is the fun part…attack!!!! This is when your tester actually attempts to breach your application using a vulnerability they’ve identified. Once they get in, they will typically try to elevate their own privileges to determine the extent of the functionality and data they can access.
Your consultant will track everything they do and the results of everything they try throughout the course of the test. Following the test they’ll pass this record over to you, including a report that you can share with prospective clients or partners, compliance organizations, your engineering team, or maybe even your mother in law (if she’s into that kind of thing).
Despite penetration testing being a highly-skilled activity that provides someone with wholistic access to your infrastructure, there’s actually nothing stopping any Joe Shmoe with a laptop from setting themselves up as a vendor (terrifying, right?).
So when selecting your vendor, ensuring the responsibility of the organization and expertise of the testers is vital. The Council for Registered Ethical Security Testers (CREST) exists to train and accredit ethical testers, so you know you can trust your PenTester. Plus, the more knowledgeable a tester is, the further they will be able to reach inside your network on their hunt for vulnerabilities and provide specific and detailed reporting on any specific needs you have.
Scheduling and booking a test can be worse than a 50,000 word essay on how paint dries. Our partners at OnSecurity have made it quick and easy, so you can book your test online in just a few clicks and as few as 60 seconds.
Designed to work with agile organizations, they’ve eliminated the lengthly scoping questions and inflexible schedules. No rounding up to the nearest day or padding the estimated time, OnSecurity ensures that you can get a quote based on the actual time your test will take. Plus, the team reports findings as they test—so you don’t have to wait around while a tester spends days writing up a report before you can action their findings.
If your team is super speedy on deploying a fix, the OnSecurity team offers to retest any findings for free within a week of the end of the test. Fancy a chat? You can check out OnSecurity to get more information or get a quote instantly.