Adversaries are constantly looking for exploitable weaknesses. A penetration test, also known as “ethical hacking,” is when a cybersecurity expert employs the tactics, techniques, and procedures (TTPs) that hackers use to test your network’s ability to withstand attacks. By having a friendly expert probe for vulnerabilities, they are more likely to be discovered in the pen test than in an actual attack. To simply put it, better a trusted advisor to find them than a bad actor.
Though there are many reasons to perform penetration tests, the financial cost of a breach may be among the most compelling. Findings from the Ponemon IBM Cost of a Data Breach report discovered the average time to identify a breach in 2021 as 212 days with an additional 75 days to contain. That is an average of 287 total days for the lifecycle of a data breach. The findings also note that data breach lifecycles of more than 200 days had an average cost of $4.87 million, compared to $3.61 million when under 200 days.
Proactively searching for these weaknesses can reduce the risk of a breach and potentially eliminate the need for costly recovery measures. Because as we all know, the shorter the lifecycle, the smaller the cost to your organization.
The scope of pen tests varies, depending on the organizational need. Depending on an organization’s needs, any of these elements (and more) could be part of a thorough one-time penetration test:
The goal of a penetration test is to answer the question: Are we secured? Can we withstand social engineering or other attacks?
However, as the demand for penetration testing grows, so does the commoditization and dilution of the service offering. Deciding on a pen test provider can be a challenge when companies are using the same terminology to describe vastly different services, both in terms of quality and scope.
In other words, not all pen tests are not created equal.
Related Resource: Why Pen Tests are key to a Robust Incident Response Plan
*Ponemon IBM Cost of a Data Breach report
Planning and Reconnaissance: This phase determines the scope and timing of the test. It determines the testing parameters and when the test will begin.
Pre-Attack: Before carrying out an attack, the testers will gather intelligence and consider tactics, techniques, and procedures (TTPs) that may be useful for exploiting your vulnerabilities. This phase focuses on data collection as the hackers determine the most likely avenues for attack.
Attack: After determining potential vulnerabilities, the ethical hackers will begin the test. Depending on the scope of the test, there may be multiple approaches taken by the pen testers.
Post-Attack: Once the testing is complete, the testers will restore the system configurations and deliver a report of the test’s findings including vulnerabilities, remediation suggestions, and an analysis of the test’s conclusions.
A good cybersecurity firm should be able to offer a variety of pen tests to suit the specific needs of your company. Common varieties of pen tests include:
White Box Pen Tests: White box pen testing is useful for simulating a targeted attack by specifying which system the testers will target, utilizing as many attack vectors as possible.
Black Box Pen Tests: In contrast, a black box pen test is when the testers are provided with no information at all before beginning the test. The testers perform reconnaissance to break into the system using whatever vulnerabilities they can find.
Gray Box Pen Tests: Also known as a "transparent box test," a gray box pen test is when minimal information is supplied to the tester, such as login credentials. Gray box testing is useful for determining the extent of access a privileged user may have and the potential harm they could cause. Their ability to mimic an insider threat or a network perimeter breach offers a mix of depth and efficiency that can simulate an informed attack without the time-consuming reconnaissance.
OWASP: The inspection of online applications to uncover vulnerabilities described in the OWASP Top Ten is referred to as OWASP pen testing. These pen tests are intended to detect, securely exploit, and assist in the remediation of these vulnerabilities so that any flaws identified may be rectified promptly.
With pen testing, you often get what you pay for. There are plenty of discount-shop security companies that ostensibly offer penetration testing services at bargain rates. The problem is that these companies frequently use a checklist approach to their testing and apply a limited scope to your security needs.
And unfortunately, a one-size-fits-all approach to pen testing will almost certainly lead to lackluster results, including the failure to adequately address your business’s specific threat environment.
When pen testing is approached as just another item to cross out from cyber hygiene or project management checklists, the results will likely be insufficiently thorough. If the need to have completed a pen test replaces the actual purpose of conducting one, the test’s goal of catching and addressing security issues is compromised.
Unfortunately, as pen testing becomes more widely practiced cybersecurity hygiene, the market will continue to flood with check-the-box pen testing approaches. The market for cheap pen tests becomes a race to the bottom – companies offer increasingly diluted services, nominally called pen tests, that allow companies to feel as though they have done due diligence.
Even if the test looks official with the firm’s logo and letterhead (or presented in a customized package), make sure that you are receiving more than just a vulnerability scan wearing a pen test’s label. These tests cannot offer what a thorough, human-run pen test ought to provide.
Related Resource: Recovering from a Negative Pen Test
When choosing a penetration test service, how can you know that you are getting a thorough test?
In a quality pen test, there will be a combination of automated vulnerability scans and human testing that accurately simulates a real-world attack. Professional standards like PTES, PCI DSS, and NIST 800-115 define essential elements of a pen test, but most specialized firms will enhance these with proprietary methods to better emulate a bad actor and deliver better results.
Vulnerability scanning on its own is not a pen test, but it is all you may receive from some smaller firms. The two services are often confused for one another, and understandably so. Both are intended to identify the flaws in IT infrastructure by testing systems for often-exploited weaknesses. However, vulnerability scans use automated processes to check systems for known flaws while flagging possible risks.
Penetration tests, on the other hand, are designed to find flaws in an IT network's architecture and also estimate the likelihood of a hostile attacker gaining unauthorized access to a company’s assets. How different firms may go about conducting each of these services can vary widely depending on their levels of experience, operating budgets, or other factors.
Smaller businesses with limited resources may be compelled by the lower cost of an automated vulnerability scan – which is certainly better than doing nothing at all. However, it is worth the extra time and expense to have a penetration test performed by a human. Not only is it a best practice, but it is also necessary to remain in compliance with various security standards and requirements.
While vulnerability scans are useful for finding superficial vulnerabilities in your systems, they do not provide insight on what may be hidden inside your network or how multiple, lesser vulnerabilities could be combined to produce a more critical one. The hands-on approach of human-run pen testing means that expert analysts will explore the ways that vulnerabilities can be pieced together to exploit your systems.
In a human-run pen test, the tester and the user talk through the project and set up rules of engagement before performing the actual penetration test. While a vulnerability scan typically focuses only on web applications, a pen tester can take any approach and test whichever combination of resources that a client might want to have tested.
Human interaction also provides access to the knowledge and expertise of the penetration tester. While vulnerability scanners can provide plenty of insight, they are limited to how the information is conveyed in the report. With a human pen tester, you can ask specific questions about your environment and its vulnerabilities and receive highly contextualized answers and advice.
Social engineering covers a wide variety of attack strategies focused on the vulnerabilities revealed through human interaction. The purpose is to identify how an attacker could manipulate a person or a group to divulge personal information or sensitive data. It can show flaws in user behavior, such as failure to follow security processes, and helps to evaluate user knowledge of security.
Social engineering may be done in a variety of ways, including analog methods with in-person or over-the-phone interactions or digital approaches through social media, email, and other digital communication. Open Source Intelligence (OSINT) leverages information that is available to the general public to anticipate common patterns of attack. There are several social engineering techniques that attackers commonly use:
Phishing, Vishing, and Smishing: This refers to the practice of sending emails, phone calls, and text messages respectively to coax the recipient into revealing sensitive information like login credentials. When these practices are highly targeted, they are referred to as spear phishing, vishing, or smishing.
Baiting: Similar to phishing, baiting is when a promise of something valuable is used to motivate an unsuspecting user to reveal information.
Impersonation: An impersonation attack is when an attacker impersonates a trusted individual in order to steal sensitive data from a business. These attacks often target high-ranking executives.
Pretexting: Overlapping with impersonation, pretexting refers to when an attacker invents a scenario that creates a convincing reason for the recipient to reveal their information. This often takes the form of an impersonator asking the recipient to “confirm” their identity for a fabricated reason.
Related Resource: Social Engineering Q&A: How to Strengthen Your Weakest Link
In 2017, Equifax was the victim of a security breach that exposed the financial data of 148 million customers. A vulnerability in Apache Struts – a widely-used open-source web server – enabled a cybercriminal to install a web shell on Equifax’s computers. Using the access provided by this web shell, the attacker expanded their reach to internal systems and was ultimately able to access the sensitive financial data.
While a number of factors made the entire Equifax hack possible, the crux of the issue was that the Apache Struts vulnerability was unpatched on their systems. The Equifax breach occurred three months after a patch was released to address that vulnerability, and the Department of Homeland Security had even issued a warning that it was being actively exploited and should be patched as soon as possible.
So why didn’t Equifax apply the patch?
According to Graeme Payne, the former CIO of Equifax blamed for the breach, his security team thought that they had applied the patch. The team had scanned the affected servers and assumed that the vulnerability had been successfully addressed when they received a false-negative result from a misconfigured scanner.
Equifax’s team was relying on a tool-based test when they ran their vulnerability scan, and the tool found no vulnerabilities in their attack surface. However, a human attacker was able to look deeper and find a string of vulnerabilities that enabled them to perform an “entirely preventable” attack that cost Equifax nearly two billion dollars.
Related Resource: Why Pen Tests are Key to a Robust Incident Response Plan
In the world of cybersecurity, reputation and credibility are key. If a penetration testing organization lacks the skill sets, qualifications, and resources necessary to carry out your security testing, it is most certainly not a good fit.
Consider the approach of the pen tester – Any reputable penetration testing firm should take a systematic and thorough approach to pen testing. After meeting with the company’s testers to discuss the scope and methodology of your test, you should feel comfortable trusting the company's procedure.
Consider what other, complementary services the company offers – Security detection, defense, and incident response companies are also in a better position to help your long-term security goals. Working with a range of client verticals and organizational sizes, these specialists participate in frequent "Blue Team" and "Red Team" exercises.
Consider the background of the individuals performing the pen tests – Look for companies where the testers have varied experiences, extensive backgrounds, and certifications including:
Some questions you can ask a perspective pen test firm (not an extensive list):
What are the differences between penetration testing and vulnerability scanning?
Why should I hire a third party to perform penetration testing?
Which level of penetration testing is best for us? What are your options?
Should penetration testing include a human element or can it be done using tools alone?
Should I retest after remediation, do I have to hire a different firm?
How do you balance applying automated tools to the target vs manual processes and tools?
How often should I have penetration testing done when preparing for a HIPAA or PCI assessment?
What standards do you follow in your pen testing program, and does your firm have a framework?
Avertium’s penetration testers do not hurry through projects or clients, and they are accessible to help you plan your project and educate your staff. When you collaborate with Avertium's penetration testers, you are working with a committed, highly knowledgeable staff based in the United States with an extensive list of certifications and experiences.