Penetration Testing 101: A Guide to Testing Types, Processes, and Costs
Risk assessments, information security policies, annual compliance audits, certifications. Your organization dedicates a significant amount of time and resources into putting security processes in place to defend against external threats.
But how do you test those defenses in a meaningful way? A penetration test can act like a practice run to assess the strength of your security posture.
What is penetration testing?
With a penetration test, also known as a “pen test,” a company hires a third party to launch a simulated attack designed to identify vulnerabilities in its infrastructure, systems, and applications. It can then use the results of that simulated attack to fix any potential vulnerabilities. It’s one way organizations can evaluate and strengthen their overall security posture.
Pen testing may seem like an unnecessary step in an already lengthy compliance process, but the benefits are usually well worth the extra time and effort. Here are a few advantages of penetration testing:
Prevent costly breaches
As attacks become more common and take on new forms, companies are increasingly relying on security testing to identify and address potential security vulnerabilities.
A review of cybersecurity breaches since 2011 found that the average cost of a cyber attack at a publicly traded company is $116 million. Some of the costliest breaches include Equifax in 2017 ($1.7 billion), The Home Depot in 2014 ($298 million), Target in 2013 ($292 million), and Marriott in 2018 ($118 million).
Strengthen customer trust
Customers may ask for you to perform an annual third-party pen test as part of their procurement, legal, and security due diligence.
Put doubts to rest
A pen test can prove that previous application security issues, if any, have been resolved in order to restore customer and partner confidence.
Assist with compliance
Pen tests are commonly required to comply with certain regulatory and compliance frameworks, including SOC 2, GDPR, ISO 27001, PCI DSS, HIPAA, and FedRamp.
Satisfy provider requirements
Are you planning on integrating with services such as Google Workplace? If so, Google may require you to perform a pen test in order to access certain restricted APIs.
Recommended reading
Essential Guide to Security Frameworks & 14 Examples
What happens during a penetration test?
Now that we’ve covered what penetration testing is and why it is important, let’s get into the details of the process.
First, who performs penetration testing?
With pen tests, you’re essentially inviting someone to try and break into your systems so that you can keep other people out. Using a pen tester who doesn’t have prior knowledge or understanding of your architecture will give you the greatest results.
That’s why pen tests are most often conducted by outside consultants. These security experts are trained to identify, exploit, and document vulnerabilities and use their findings to help you improve your security posture. Most pen testers are security consultants or experienced developers who have a certification for pen testing. Penetration testing tools like NMap and Nessus are also available.
Next, how is penetration testing done? Generally, a pen test follows these steps:
The penetration testing process
Scoping
Which operating systems and scoping methodologies will be used in your penetration test? Because the pen tester could gain access to private information in the course of their work, both parties should sign a non-disclosure agreement before starting the pen test.
Gathering information
Once you’ve agreed on the scope of your pen test, the pen tester will gather publicly available information to better understand how your company works. That could entail using web crawlers to identify the most attractive targets in your company architecture, network names, domain names, and a mail server.
Identifying threats and vulnerabilities
The pen tester will identify potential vulnerabilities and create an attack plan. They’ll probe for vulnerabilities and open ports or other access points that may provide information about system architecture.
Exploiting vulnerabilities
The pen tester will exploit identified vulnerabilities via common web app attacks such as SQL injection or cross-site scripting, and attempt to recreate the fallout that could occur from an actual attack. That typically means the pen tester will focus on gaining access to restricted, confidential, and/or private data.
Maintaining exploits/lateral movement
As the pen tester maintains access to a system, they will collect more data. The goal is to mimic a persistent presence and gain in-depth access. Advanced threats often lurk in a company’s system for months (or longer) in order to access an organization’s most sensitive data.
Remediation
The pen testing firm typically provides you with an initial report of their findings and provides you with an opportunity to remediate any discovered issues. After remediation is completed, the firm will once again attempt those known exploits to find out if those fixes are sufficient to prevent future attacks.
Analysis and reporting
The pen tester creates a final report summarizing:
- Exploitable vulnerabilities and the potential impact(s) of a breach. Vulnerabilities should be ranked by risk level and type.
- Restricted, confidential, and/or private data that was accessed.
- The duration of time that the pen tester remained undetected in the company’s systems.
- Whether the vulnerabilities identified were remediated successfully.
Ultimately, this report should cover two things: outline the largest strategic threats from a business perspective (for management) and describe technical threats that should be fixed (e.g. through security upgrades).
What are the types of penetration testing?
There are two general ways you can think about pen tests: Test Design and Attack Methods.
Types of pen testing
Test design
Black box or external pen test
Because the pen tester(s) are given no information about the environment they are assessing, black box tests simulate an attack by an outside third party connected to the internet with no prior or inside knowledge of the company.
Double-blind test
A “double-blind” penetration test is a specialized type of black box test. During double-blind pen tests, the company undergoing the pen test ensures that as few employees as possible are aware of the test. This type of pen test can accurately assess the internal security posture of your employees.
Gray box test
During a gray box pen test, the pen tester is given limited knowledge of the environment that they are assessing and a standard user account. With this, they can evaluate the level of access and information that a legitimate user of a client or partner who has an account would have.
White box test
During a white box pen test, the pen tester is given inside knowledge of the internal architecture of the environment they are assessing. This allows them to determine the damage a malicious current or former employee could inflict on the company.
Internal pen test
An internal pen test is similar to a white box test. During an internal pen test, the pen tester is given a great deal of specific information about the environment they are assessing, i.e. IP addresses, network infrastructure schematics, and protocols used plus source code.
Attack methods
You can also request pen testers with expertise in specific ethical hacking methods if you believe your company is particularly vulnerable. Here are a few penetration test examples:
- Application tests, including mobile, software, and web applications.
- Network tests, including routing issues, firewalls, port scanning, FTP, and secure sockets.
- Wireless tests, including wireless networks, low-security hotspots, and access points.
- Physical tests, including brute-force and on-site attacks to access physical network devices and access points.
- Social engineering tests such as phishing, designed to trick employees into revealing sensitive information, usually via phone or email.
- Cloud tests, including cloud storage and document handling.
- Client-side tests, where vulnerabilities in client-side software programs are exploited.
How much does a penetration test cost?
The cost of a penetration test is largely determined by the scope and complexity of the company’s systems. The greater the number of physical and data assets, computer systems, applications/products, access points, physical office locations, vendors, and networks you have, the more expensive your penetration test is likely to be.
The cost of your pen test may also be affected by the length of the engagement, level of experience of the pen tester you choose, the tools required to complete the pen test, and the number of third-party pen testers involved.
Alex Lauerman, Founder & Principal Security Consultant at TrustFoundry, explains: "Penetration testing can cost anywhere from $1,000 or less for an extremely narrow scope, and up to $100,000 or more for a very large vulnerability assessment. The biggest and most expensive security assessments often contain multiple components, such as network penetration testing, application penetration testing, and mobile penetration testing.”
According to Lauerman, the majority of pen tests cost between $5,000-$20,000, with the average being between $8,000-$10,000.
Do SOC 2 and ISO 27001 require a pen test?
The short answer is: most of the time.
Generally speaking, you will meet SOC 2 and ISO 27001 audit requirements for sufficient evidence if you perform a third-party pen test with a reputable vendor at least annually, and you make sure to identify and resolve any critical and high-risk vulnerabilities that are identified.
SOC 2 pen testing requirements
While a pen test is not an explicit requirement for SOC 2 compliance, almost all SOC 2 reports include them and many auditors require one. They are also a very frequent customer request, and we strongly recommend completing a thorough pen test from a reputable vendor.
In cases where auditors don't require you to have a third-party pen test completed, they will still typically require you to run vulnerability scans, rank risks resulting from these scans, and take steps to mitigate the highest risks on a regular basis.
ISO 27001 pen testing requirements
ISO 27001 requires companies to prevent the exploitation of technical vulnerabilities (control A.12.6.1, Annex A, ISO 27001:2013). Performing vulnerability scanning and analysis on your network and information systems identifies security risks, but won’t necessarily tell you if these vulnerabilities are exploitable.
You’ll need to pair vulnerability scanning with a third-party pen test to provide sufficient evidence to your auditor that you’re aware of vulnerabilities and understand how they can be exploited.
The Ultimate Guide to SOC 2
How to select a penetration testing firm
Every company’s security and compliance needs are unique, but here are a few tips and best practices for selecting a pen testing firm:
Type of technical pen test
Pen tests differ in scope and test design, so be sure to discuss both with any potential pen testing firms. For scope, you’ll want to consider whether you’d like a pen test of your entire company, a specific product, web applications only, or network/infrastructure only.
For test design, you’ll generally need to decide how much information you’d like to provide to pen testers. In other words, do you want to simulate an attack by an insider or an outsider?
Transparency
Ask your provider for a clear statement of work that covers the following:
- Safety, including penetration tester background checks and continuous security recertification
- Engagement time period
- Privacy concerns
- Mutually agreed upon “off limits” areas for pen testing, if any
- Number of attack vectors addressed
Ideally, your penetration test should cover a wide variety of network security, host, and application attack vectors. Examples include the OWASP Top 10, DDoS and DDoS, IDOR, remote code execution, DNS brute force, DNS Subdomain takeover, deprecated ciphers, and cross-site scripting.
Pen tester experience and testing team size
If certain attack vectors are important to your company, hire teams of pen testers with different specializations.
You’ll also want to look for pen testers with a mix of relevant technical training and practical experience. Relevant certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), and Offensive Security Certified Professional (OSCP).
Flexibility
If your company has a range of complex assets, you may want to find a provider that can customize your entire pen test, including ranking asset priority, providing extra incentives for identifying and exploiting particular security flaws, and assigning pen testers with specific skill sets.
Liability insurance
Make sure that your pen test provider has adequate insurance to cover the potential of compromised or breached data from pen testing.
Final report quality
You’ll want to establish strong report expectations that provide both strategic, jargon-free security advice that’s clearly explained, and ranked technical vulnerabilities with suggestions for remediation, including specific instances. Key penetration test metrics include issue/vulnerability level of criticality or ranking, vulnerability type or class, and projected cost per bug.
Ready for your first pen test?
We’re lucky enough to partner with fantastic penetration testing services. After your pen test is complete, we’ll provide advice on how to interpret the results of your pen test and strengthen your company’s security posture. Request a demo or reach out to sales@secureframe.com if you’d like to learn more.