Pen Testing 101
What is a Penetration Test?
A penetration test (often abbreviated as “pen test”) is a simulated attack by a third-party meant to identify vulnerabilities in a company’s infrastructure, systems, and applications. A company can then use these findings to remediate any identified vulnerabilities.
Why are pen tests important?
- Prevent costly breaches: As attacks become more common and take on new forms, companies are increasingly relying on pen tests to identify and address potential security gaps. A review of cybersecurity breaches since 2011 found that the average cost of a cyber-breach, at a publicly-traded company, was $116mm. Some of the costliest breaches include Equifax in 2017 ($1.7 billion), Home Depot in 2014 ($298 million), Target in 2013 ($292 million), and Marriott in 2018 ($118 million).
- Strengthen customer trust: Customers may ask for you to perform an annual third-party pen test as part of their procurement, legal, and security due diligence.
- Put previous doubts to rest: A pen test can prove that previous application security issues, if any, have been resolved in order to restore customer and partner confidence.
- Get compliant: Pen tests are commonly required to comply with certain regulatory and compliance frameworks (SOC 2, GDPR, ISO 27001, PCI, HIPAA, FedRamp, etc.).
- Required by providers: Are you planning on integrating with services such as Google Workspace? If so, Google may require you to perform a penetration test in order to access certain restricted APIs.
What happens during a pen test?
Generally, a pen test occurs in the following stages:
1. Scoping and Agreement
Once you’ve engaged a pen test provider, you’ll need to determine the desired scope of the pen test, including which systems are in scope and which scoping methods should be used. Because the pen tester could gain access to private information during the pen test, both parties should sign a non-disclosure agreement before the start of the pen test.
2. Information Gathering
Once you’ve agreed on the scope of your pen test, the pen tester will gather publicly available information to better understand how the company works. That could entail using web crawlers to identify the most attractive targets in the company architecture, such as network names, domain names, and mail servers.
3. Identifying Threats and Vulnerabilities
The pen tester will identify potential vulnerabilities in the scope of the pen test to create an attack plan. They will probe for vulnerabilities, open ports and other access points that may provide information about system architecture.
4. Exploiting Vulnerabilities
The pen tester will exploit identified vulnerabilities via common web app attacks such as SQL injection or cross-site scripting, and attempt to recreate the fallout that could occur from an actual attack. That typically means the pen tester will focus on gaining access to restricted, confidential, and/or private data.
5. Maintaining Exploits / Lateral Movement
As the pen tester maintains access to a system, they will collect more data. The goal is to mimic a persistent presence and gain in-depth access. Advanced threats often lurk in a company’s systems for months, or longer, in order to access an organization’s most sensitive data.
6. Remediation and Retesting
The pen testing firm typically provides you with an initial report of findings and gives you an opportunity to remediate the discovered issues. After remediation is completed, the firm will once again attempt those known exploits to determine whether the remediation undertaken by the company was successful in preventing future attacks.
7. Analysis and Reporting
The pen tester then creates a report summarizing:
- Exploitable vulnerabilities and the potential impact(s) of a breach (vulnerabilities should be ranked by risk level and type)
- Restricted, confidential, and/or private data that was accessed
- The duration of time that the pen tester remained undetected in the company’s systems
- Whether the vulnerabilities identified were remediated or not
The report should (1) outline the largest strategic threats from a business perspective (for management) and (2) describe technical threats that should be fixed by the company team (e.g. through security upgrades).
How much does a pen test cost?
The cost of a pen test is largely determined by the scope of your pen test, or the breadth and complexity of company systems. The greater the number of physical and data assets, applications / products, access points, physical office locations, vendors, and networks you have, the more expensive your pen test will likely be.
The cost of your pen test may also be affected by the length of pen test engagement, experience level for the third-party pen tester, tools required for the pen test, and the number of third-party pen testers involved.
What do I have to do to meet SOC 2 or ISO 27001 requirements for the pen test?
Generally speaking, you will meet SOC 2 and/or ISO 27001 audit requirements for sufficient evidence if (1) you perform a third-party pen test at least annually from a reputable vendor or firm, and (2) you make sure to identify and resolve identified critical and high risk vulnerabilities.
ISO 27001 requires that a company prevent the exploitation of technical vulnerabilities (control A.12.6.1, Annex A, ISO 27001:2013). Performing vulnerability scanning and analysis on your network and information systems identifies security risks, but won’t necessarily tell you if these vulnerabilities are exploitable. Therefore, it’s necessary to pair vulnerability scanning with a third-party pen test to provide the best evidence to your auditor that you’re aware of vulnerabilities and how they can actually be exploited in practice.
SOC 2 requires that a company conduct vulnerability scanning on a regular basis (as well as after any large changes that could result in new vulnerabilities) and take proper steps to address risks. The easiest way to fulfill this requirement is to perform vulnerability scanning, rank the risks resulting from these vulnerabilities, and take steps to mitigate the highest risks on a regular basis.
Additionally, SOC 2 requires that a company test the effectiveness of its internal security and compliance controls, either through a pen test or through a third-party security audit against a specification such as ISO 27001 certification. However, ISO 27001 and other standards such as HIPAA also require a pen test, so indirectly SOC 2 also requires an annual pen test.
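To make the reporting and audit-evidence criteria concrete, here is an added Python example (not code from the original article or from Secureframe) that tracks findings the way the reporting section above describes, ranks them by criticality and class, records which restricted data was reached and whether each finding was remediated on retest, and applies the annual-test and critical/high remediation criteria given above for SOC 2 and ISO 27001 evidence. The finding identifiers, classes and dates are constructed sample values.

```python
# Added example (not from the original article): a small tracker for the
# findings a pen test report should contain, implementing the ranking and
# the SOC 2 / ISO 27001 evidence criteria the article describes.
# All identifiers, classes and dates below are constructed sample data.
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass
class Finding:
    ident: str          # report identifier, e.g. "F-2" (constructed)
    severity: str       # one of SEVERITY_RANK
    vuln_class: str     # vulnerability type or class, e.g. "injection"
    data_accessed: str  # restricted/confidential data reached, "" if none
    remediated: bool    # confirmed fixed during the retest stage


# Constructed sample findings, as a report might list them after retest.
SAMPLE_FINDINGS = [
    Finding("F-1", "medium", "injection", "", True),
    Finding("F-2", "critical", "injection", "customer records", False),
    Finding("F-3", "high", "access-control", "internal documents", True),
    Finding("F-4", "low", "crypto", "", False),
]


def ranked(findings):
    """Order findings as the report should present them: by criticality,
    then by class, then by identifier so the listing is stable."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.vuln_class, f.ident))


def open_blockers(findings):
    """Critical and high findings not yet confirmed fixed on retest; the article
    names these as the ones that must be resolved for audit evidence to suffice."""
    return [f for f in findings if f.severity in ("critical", "high") and not f.remediated]


def data_exposed(findings):
    """Identifiers of findings through which restricted data was actually reached."""
    return [f.ident for f in findings if f.data_accessed]


def audit_evidence_ok(findings, last_test_iso, today_iso):
    """Evidence check as framed above: a third-party test within the last year
    (dates as ISO strings, e.g. "2023-01-10") and no open critical/high findings."""
    days_since = (date.fromisoformat(today_iso) - date.fromisoformat(last_test_iso)).days
    return days_since <= 365 and not open_blockers(findings)
```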
What are the types of pen tests?
There are two ways you can think about pen tests: Test Design and Attack Methods.
Black box or “blind,” also known as an external pen test
Because the pen tester(s) are given no information about the environment they are assessing, black box tests simulate an attack by an outsider third party connected to the internet with no prior or inside knowledge of the company.
A “double blind” pen test is a specialized type of black box test. During “double blind” pen tests, the company undergoing the pen test ensures that as few employees as possible are aware of the pen test. A “double blind” pen test can accurately assess the internal security posture of your employees.
Gray box
During a gray box pen test, the pen tester(s) are given some limited knowledge of the environment they are assessing, along with a standard user account.
Gray box tests imitate the level of access and information that a legitimate user, such as a client or partner who holds an account, would have.
White box, also known as an internal pen test
During a white box pen test, the pen tester(s) are given inside knowledge of the internal architecture of the environment they are assessing.
White box tests assess the amount of damage that a malicious current or former employee could wreak on the company.
An internal pen test is similar to a white box test. During an internal pen test, the pen tester is given a great deal of specific information about the environment they are assessing, e.g. IP addresses, network infrastructure schematics, and protocols used, plus source code.
You can also request pen testers with expertise in specific attack methods if you believe your company is particularly vulnerable:
- Application tests, including mobile, software, and web applications.
- Network tests, including routing issues, firewalls, port scanning, FTP, and secure sockets.
- Wireless tests, including wireless networks, low security hotspots, and access points.
- Physical tests, including brute-force and on-site attacks to access physical network devices, and access points.
- Social engineering tests, including phishing attacks and impersonations meant to reveal sensitive information such as passwords, business data, or other user data. Common attacks target help desks or sales representatives.
- Cloud tests, including cloud storage and document handling.
- Client-side tests, in which vulnerabilities in client-side software programs are exploited.
How do I select a penetration testing firm?
Each company’s security and compliance needs are unique. In general, you may want to consider the following:
Type of technical pen test
Pen tests differ in scope and test design.
For scope, you’ll want to consider whether you’d like a pen test of your entire company, a specific product, web applications only, or network/infrastructure only.
For test design, you’ll generally need to decide how much information you’d like to provide to pen testers. In other words, would you want to simulate an attack by an insider or an outsider?
Be sure to ask your provider for a clear statement of work that covers the following:
- Safety, including pen tester background checks and continuous security recertification
- Engagement Time Length
- Privacy Concerns
- Mutually Agreed Upon “Off Limits” Areas for Pen Testing, if any
- Number of attack vectors addressed
Ideally, your pen test should cover a wide variety of network, host, and application attack vectors. Examples include the OWASP Top 10, DoS and DDoS, IDOR, remote code execution, DNS brute force, DNS subdomain takeover, deprecated ciphers, and cross-site scripting.
Pen tester experience and team size
If certain attack vectors are important to your company, hire teams of pen testers with different specializations.
Additionally, you’ll want to look for pen testers with a mix of relevant technical training and practical experience. Relevant certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), and Offensive Security Certified Professional (OSCP).
If your company has a wide breadth of complex assets, you may want to find a pen test provider that will allow you to customize your entire pen test, including ranking the priority of assets, providing extra incentives for identifying and exploiting particular vulnerabilities, and assigning pen testers with very specific skill sets.
Make sure that your pen test provider has adequate insurance to cover the potential of compromised or breached data from pen testing.
Final Report Quality
You’ll want to establish strong report expectations that provide both (1) strategic, jargon-free advice for security that can be easily digested by management, and (2) ranked technical vulnerabilities with remediation suggestions, including specific instances. Key pen test metrics include issue / vulnerability level of criticality or ranking, vulnerability type or class, and projected cost per bug.
Ready for your first pen test? At Secureframe, we’re lucky enough to partner with many fantastic penetration test firms. After your pen test is complete, we’ll provide advice on how to interpret the results of your pen test and strengthen your company’s security posture. You can reach out to [email protected] if you’d like to learn more!