What To Know Before On-Boarding With A Security Services Company

There are endless ways to maliciously hack into a system. One common method of ethical hacking is a penetration test. A penetration test (pen test) is exactly what it sounds like: testing a system by trying to penetrate its security. However, beyond the obviously descriptive name, not many people stop to think about what a penetration test is and what it entails.

What is a penetration test exactly? How is it performed? What are the results of a successful penetration test? And what should IT managers look for when ordering a penetration test? These are important questions for anyone responsible for cyber security.

 

What is a penetration test?

Penetration testing is like breaking into your own home to prevent burglaries, only in this case the “home” is your computer system. In other words, penetration testing is the process of attacking an organization's computer systems to test their security. The goal is to find vulnerabilities in the systems that could be exploited by cyberattackers, so that organizations can identify and fix them before cybercriminals exploit them.

So how does one actually go about attacking one's own computer systems? Does a penetration test have a defined method? Unfortunately not: penetration testing is not a defined method or a protected title, and there is no patent on penetration test services. A Google search will not turn up a single definition. In general, penetration testing is defined along the lines of ‘a method of attempting or simulating a breach of a system's security, using the same tools and techniques as an adversary, to gain insight into the vulnerabilities of the system.’

This broad definition means that many different methods and techniques can be described as a penetration test, with a wide range of results. Everything from automated web application scanning to manual testing by a highly experienced security advisor can be described as a penetration test, which makes choosing the right type of penetration test difficult. More on that in a moment. First, you should know why you would want a penetration test.

 

Why a penetration test?

The main purpose of penetration testing is for businesses to uncover vulnerabilities so they can take proactive countermeasures before bad actors exploit them. But why would a business pay for a service to find its own vulnerabilities?

Penetration testing has several benefits, including:

  • Improving the performance, predictability, and capacity of your application with a set of security profile tests.

  • Testing your capabilities to deal with cyberattackers, their malicious activities, and their automated activities.

  • Simplifying business processes as it can identify security vulnerabilities and other hazards that could cause downtime or loss of access.

  • Building trust and credibility with your stakeholders.

 

Penetration tests can also provide insurance for investors wanting to secure their investments. Penetration testing can also be required by stakeholders or government regulations.

As cybersecurity breaches and compliance mandates continue to increase, more third-party penetration testing services have emerged to meet the new demand. Knowing that, the challenge becomes selecting the right one for you.

 

Choosing the Right Penetration Test Service

As mentioned earlier, penetration testing covers a broad range of methods that produce an even broader range in the quality of results. Selecting the right security consulting service depends on your specific project needs. Before choosing a consultant, it’s important to decide what kind of test you need - and what part of your infrastructure you want assessed.

For example, you’ll probably want different testing if you’re doing a training exercise vs. an actual attack simulation. Be sure to discuss the following concepts with all potential penetration test companies:

  •  Scope of work: network assets, applications, and/or devices

  • Objective

  • Project type: red team, penetration test, application security assessment

  • Testing techniques: black box, gray box, white box

  • Testing approach: static analysis, dynamic analysis

  • Testing environment: production, testing, staging, single-tenant, multi-tenant

  • Methodology

  • Results

  

In most cases, there is no official standard that a web application penetration test provider (or you) must follow before calling a service (or set of services) by a specific name. As a result, some vendors will brand a service as a "web application penetration test", while others will brand the same service as "web application scanning".

Simply choosing the most expensive or complicated penetration test service does not necessarily mean the penetration test will provide the most comprehensive methods or results. However, a good penetration test should include:

  1. An assessment

  2. Team experience (evaluated by certifications)

  3. Senior consultant with 5 years of experience

  4. Methodology

  5. Reporting

  

Choosing the Right Penetration Test Vendor

Having decided what kind of service is best, you should next decide which vendor is best. As with penetration testing services, there is a wide range of penetration testing vendors available. When evaluating vendors, it is important to carefully evaluate the testing team’s skillset and experience, as well as the service’s procedures and reporting.

 

Evaluate The Team’s Skillset

No two penetration testing teams are built the same. Many groups perform basic tests with a penetration testing tool and then package the result as a customized service for marketing purposes.

However, this is something your own internal security team could accomplish by using the same tools, so it’s important to find and partner with a firm whose experts can tailor their tests to fit your exact needs and vision (and even offer advice on which specific types of tests best accomplish these goals).

There are many ways to evaluate skill sets.

Many testers have degrees in computer science or engineering, and often there are certificates demonstrating their advanced knowledge and skills.

Some of the most important ones include Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE). A team that keeps its skills up to date is critical for any project that needs quality penetration testing, performed so that vulnerabilities aren't missed.

Previous Experience Of The Team Is Necessary

Testing teams are typically made up of two or three practitioners working together.

In most cases, a senior consultant will lead the effort and be your primary contact. As a business, you want a senior consultant to have at least five years of experience, solid technical skills, and the ability to deal with changing test conditions. This level of experience enables them to deal with multiple types of environments and identify threats in a very limited timeframe.

For the other members of the team, it’s a good idea to discuss what they are best at and where they have the most experience.

Definitive Process Of Penetration Testing

One of the best ways to determine the quality of a third-party service is by its procedures, and penetration tests are one area where this applies.

Before trusting these firms with your sensitive data, make sure that they are qualified, have security procedures in place, and undergo some form of screening before being contracted out to you. The key here is to know what you, as a company, are looking for, and to be involved in some form of interviewing so that you can get to know your potential testers better before making any decisions about working together.

Once you know who will be doing the testing, you’ll want to know how they’ll go about it. Any firm you consider should provide a proposal that details:

  •  Scoping

  • Project methodology

  • Team selection

  • Rules of engagement

  • Reporting

  • Handling and management of PII data

  • Escalation

 

Reporting

Reporting is one of the most important aspects of a penetration test and can help you decide whether your security team will be able to follow through successfully on all the testers' hard work. The report needs not only to summarize what the tests were based on but also to explain how to properly remediate the findings, so your problems don't resurface in the future.

It is also very important that the vendor presents all findings clearly, including reproduction steps, the tools used during your project, and the techniques used by the previous client's security team to solve each problem as soon as possible and without undue delay.

An important part of evaluating reporting, one that anyone can do without getting involved in hacking, is comparing sample reports from different companies on discernible elements such as structure or the details mentioned (for example, the OS or exploits used).

Finally, a friendly reminder: when choosing a vendor for any type of service, remember to:

  1. Do your research. Make sure you choose a reputable company with a proven track record.

  2. Ask for references. Talk to other companies that have used the penetration test services and get their feedback.

  3. Read the contract carefully.

 

Conclusion

The broad definition of penetration tests and the increasing number of services and providers are a challenge for cyber security professionals, especially since the wrong service with the wrong vendor is not only a waste of resources but could also do considerable harm if it provided a false sense of security. Knowing WHY you want a penetration test and WHAT you want from a penetration test is essential to finding the right service with the right provider. With an answer to these questions, and by following the tips above, a penetration test with a good vendor is an invaluable tool for increasing your company's cyber security.