All you need to know about Penetration Testing

Provided that it is carried out and reported properly, a penetration test can give you knowledge of nearly all of your technical security weaknesses and provide you with the information and support required to remove or reduce those vulnerabilities. The threat to key systems is ever increasing, and the probability of a security weakness being accidentally exposed or maliciously exploited needs to be continually assessed to ensure that the risk remains at a level acceptable to the organisation.

For more information on pen testing please see our quick guide below. Or to speak to an expert, please feel free to call us on +44 (0)870 600 1667 or complete the contact form below.

A Quick Guide to Penetration Testing

  • Why Undertake a Pen Test?

    Research quoted by CREST has shown that effective penetration testing also results in other significant benefits to your organisation, which can include:

    • A reduction in your ICT costs over the long term;
    • Improvements in the technical environment, reducing support calls;
    • Greater levels of confidence in the security of your IT environments;
    • Increased awareness of the need for appropriate technical controls.

    Overall, penetration testing is not a cost but an investment in better information security and as such should not be regarded as an option. Rather, you are taking a diligent approach when you conduct regular penetration tests of your systems, as the results of reports provide a valuable guide for optimizing system performance whilst ensuring that preventable vulnerabilities are addressed.

    A note of caution though: having accepted the need for regular penetration testing and review of reports, it is important to realise that the process is not a panacea for all ills that involve security.

    For example, our skilled penetration testers often undertake assignments where vulnerabilities that have been identified during previous tests have not been fixed, despite the advice given in the past. Organisations work to budgets and not everyone involved in management decisions is best placed to understand technical security vulnerabilities, especially if these will cost substantial amounts to fix. However, it is better to have the information about potential weaknesses than remain in ignorance. There is also the issue of past experience of penetration testing if the work has been carried out by testers who lack the rigour and professionalism of CREST-accredited penetration testing suppliers. Penetration testing performed to a consistently high standard will lead to reporting that is vital to the success of information security policies, processes and procedures. By contrast, results obtained from the wrong types of tests performed by unqualified individuals can be very misleading indeed. In other words, you need to use judgement when hiring penetration testing services and employees.

    The criteria that you should consider when scoping the requirements for a penetration test include: 

    • Determining the depth and breadth of coverage of the test 
    • Identifying the type of penetration test that is required
    • The number of IP addresses and applications to be tested 
    • Managing the risks associated with potential system failure and exposure of sensitive data 
    • Agreeing the targets and frequency of tests 
    • The need to ensure that by fixing the vulnerabilities uncovered in a penetration test, your system will be ‘secure’ – or at least resilient when subject to attack.

    How do you ensure that penetration testing is undertaken by appropriately-skilled professionals? Start by looking for the CREST logo as evidence of IT industry-recognised accreditations for both qualified penetration testers and the organizations that they work for, and then ask the following:

    • Should we hire a qualified penetration tester as a member of our cyber security team? or,
    • Would it be more appropriate to commission penetration tests from an external supplier?
  • Do-it-yourself or hire a penetration testing service?

    It is perfectly acceptable for organisations to carry out their own penetration tests, although it is strongly recommended that you employ a CREST-qualified penetration tester to carry out the work. The Payment Card Industry standard, PCI DSS, states that qualified internal resources or a qualified third party may perform the penetration test as long as they are “organizationally independent”.

    [Source: Information Supplement: Penetration Testing Guidance, Penetration Test Guidance Special Interest Group, PCI Security Standards Council, Version 1.0, March 2015].

  • Types of Penetration Test
    There are three types of penetration tests: black-box, white-box, and grey-box. In a black-box assessment, the client provides no information prior to the start of testing. In a white-box assessment, the entity may provide the penetration tester with full and complete details of the network and applications. For grey-box assessments, the entity may provide partial details of the target systems.
  • How does a penetration test differ from a vulnerability scan?

    Definitions vary, although the differences between a penetration test and a vulnerability scan as defined by the PCI Security Standards Council are helpful in setting out the purpose of each, as well as when tests should be conducted, how long they should take, and also how the findings are reported. See table here.

    While the reporting requirements in regard to Vulnerability Scans above are specific to the PCI DSS, the majority of the text appearing in the Table above forms a valid comparison in a general context. Perhaps the most notable difference is the duration. Engagements for high-end penetration tests can last for weeks and can grow in time and complexity if the penetration tester’s efforts uncover additional scope.

    Not surprisingly, the cost in time and fees is daunting to cost-conscious managers. However, without the involvement of an expert, the results can be sketchy and often unreliable. Hiring a skilled penetration tester has the potential to save your organisation time, money and a sizeable amount of reputational damage due to a security breach. Just running a vulnerability scan can help to identify security weaknesses. It may, though, throw up false positives that are confusing and misleading compared to the findings and recommendations set out in a penetration test report.




Whose Services Should You Select?

  • What experience is needed to be a penetration tester?

    Appropriate penetration testing certifications should be matched with evidence of experience of actual engagements that have been performed and the organisation’s training and QA processes should be designed to ensure that penetration testers are adequately qualified to conduct tests. References from other customers may be useful in consideration of this, along with case studies of assignments performed in similar environments to your own scope and target system technology.

    Likewise, you should consider what penetration testing experience the penetration tester or team has with the technologies in the target environment (operating systems, hardware, web applications, highly customized applications, network services, protocols, etc). If that technology has availability constraints, unstable system components, or large infrastructures, it is important to evaluate the tester’s ability to handle these restrictions – e.g. bandwidth constraints, time constraints, etc.

    Consideration should also be given to the other skills/qualifications that the penetration tester has that will contribute to their ability to assess the environment. Industry-standard qualifications, like the 7Safe certifications, will help in determining the specific type of experience that the tester has.

    Discussion of examples of network penetration testing and, where appropriate, application-layer penetration testing is recommended. What type of experience does the penetration tester have? You may also want to determine the tester’s familiarity with testing to validate the OWASP Top 10 and other similar application secure-coding standards and discuss examples of application penetration testing conducted by the supplier.

  • Certifications for Pen Testers

    Start by requesting details of the penetration testing certifications. These are an indication of the skill level and competence of a penetration tester or company. While these are not required in most situations, they can indicate a common body of knowledge held by the candidate. Common penetration testing qualifications include:

    • CREST Penetration Testing Certifications
    • Offensive Security Certified Professional (OSCP)
    • Certified Ethical Hacker (CEH)
    • Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN))
    • Communications-Electronics Security Group (CESG) IT Health Check Service (CHECK) certification.



How to incorporate Penetration Testing into your Information Security

  • Penetration Testing as part of Security Management

    Penetration testing should be placed in the context of security management as a whole. To gain an appropriate level of assurance, a range of reviews should be conducted. These are often aligned to standards such as ISO 27001, COBIT or the ISF Standard of Good Practice.

    Whilst these standards reference penetration testing, they only do it from a management perspective - and systems that comply with these standards may not be technically secure. A balanced approach of technical and non-technical testing should therefore be taken to ensure the overall integrity of security controls.

    Organisations should not describe themselves as secure - there are only varying degrees of insecurity. When performing penetration tests, some organisations adopt an ad hoc or piecemeal approach, often depending on the needs of a particular region, business unit – or the IT department. Whilst this can meet some specific requirements, this approach is unlikely to provide real assurance about the security condition of your systems enterprise-wide. Consequently, it is often more effective to adopt a more systematic, structured approach to penetration testing, ensuring that:

    • Business requirements are met
    • Major system vulnerabilities are identified and addressed
    • Risks are kept within business parameters.
  • Procuring Penetration Testing Services

    Before penetration testing begins, it is recommended that the penetration testing companies being asked to submit estimates for the work involved should be provided with a specification to include:

    • The types of testing (i.e. internal, external, application-layer and network layer) to be performed;
    • How testing will be performed;
    • What the testing will target;
    • The scope of the environment to be tested.

    It is important, however, that the organization work with the tester and, where applicable in the case of PCI DSS and the Cyber Essentials Scheme, the assessor, to verify that no components are overlooked and determine whether additional systems should be included in the scope. The scope of the penetration test should be representative of all access points, critical systems, and (where appropriate) segmentation methodologies.

    Before the Penetration Test is conducted, it is important to determine the business requirements for a penetration test, considering the:

    • Drivers for testing, such as compliance, serious (often cyber-related) incidents, outsourcing, significant business changes and the need to raise security awareness;
    • Target environments to be tested, such as critical or outsourced business applications (and infrastructure), or those under development;
    • Purpose of testing (e.g. to identify weaknesses in controls, reduce incidents and comply with legal, regulatory or customer requirements).

    When planning and conducting the test, your penetration tester should work with you to:

    • Develop a detailed test plan that identifies the processes, techniques or procedures to be used during the test;
    • Conduct research, analysing information and performing reconnaissance;
    • Identify vulnerabilities (e.g. technical vulnerabilities or control weaknesses);
    • Exploit weaknesses (e.g. to gain unauthorised access);
    • Report key findings, in an agreed format in both technical and business terms;
    • Remediate issues, addressing identified vulnerabilities and associated ‘root causes’.

    An experienced penetration tester such as those employed by 7Safe will guide and support you through the above steps, making recommendations both verbally and in their report to this end.

  • Establish a management assurance framework

    Assure the quality of penetration testing, monitoring performance against requirements by setting up a management assurance framework that will help your organisation to more effectively:

    • Reduce risk (e.g. degradation or loss of services; disclosure of sensitive information);
    • Manage changes (e.g. to the testing scope or to the configuration of the target system);
    • Address problems, using a problem resolution process, to ensure that any issues are resolved satisfactorily, in a timely manner;
    • Agree scope, defined in a legally binding contract, signed by all parties prior to testing.
  • Agree the testing scope

    The scope of a penetration test includes:

    • The testing style (e.g. black box, where no information is provided to testers; white box, where full access is provided; or grey box, somewhere in between);
    • Determining the type of testing to be done, such as web application or infrastructure;
    • Assessing test constraints, due to legal, operational, timing or financial requirements.
  • Implement an improvement programme
    • Address weaknesses, including root causes, evaluating potential business impact;
    • Evaluate penetration testing effectiveness, to help determine if objectives were met and that value for money has been obtained from your supplier;
    • Identify lessons learned, and record them, to help avoid weaknesses recurring;
    • Apply good practice, beyond the target, across a wide range of other environments;
    • Create an action plan, to ensure remedial actions are prioritised, allocated to accountable individuals and monitored against target dates for completion;
    • Agree an approach for future testing, considering results from previous tests.