There are no two ways about it: useful penetration testing requires the services of security professionals who understand how to hack networks and systems. That not only means trusting this team with access to your technology environment, but also trusting in their ability to find what an attacker would find (via their largely self-directed security tests).
That can create a major challenge in evaluating penetration testing services. The first step is in understanding exactly what the testers are expected to do and what the company is supposed to be getting out of it. At the broadest possible level, the goal of penetration testing is to identify and demonstrate actual existing vulnerabilities in a network; things that could also be discovered and exploited by a determined and skilled attacker, right this minute.
This provides concrete evidence that can be taken to organizational management to prompt necessary defensive changes to protect the network. The vulnerabilities that penetration testing uncovers are not a case of “we might be breached,” but “we WILL eventually be breached in these specific ways if these specific holes are not patched up.”
From there, you move into penetration testing types and methodologies. Pen testing is not a “one size fits all” system by any means, and the approach used needs to be tailored to both organizational needs and the current network and security setups. Test scheduling also needs to be considered. For example, if a company is developing apps, it may be ideal to test those apps multiple times during the development process.
Sometimes organizations have IT security staff on hand that possess the ability to conduct penetration testing, but it’s more common to go to a third-party testing service with a good reputation for their testing solutions. Typically, compliance requirements will also demand the use of independent third-party service providers for such security assessments.
What is penetration testing?
A penetration test involves a qualified security professional essentially playing the role of a hacker looking to break into a system by detecting and exploiting security vulnerabilities. The tester will use actual techniques used by criminal hackers to analyze defenses and attempt to break through them, deploying a mix of automated tools and manual attempts to overcome security.
So who do you trust with this highly sensitive task? A market of “ethical security testers” has developed to fill this unique need for the emulation of real world attacks.
Penetration testers do not do damage to company systems while in the testing process, and will attempt to leave no trace of their presence.
The goal of the exercise is not to assign blame or catch anyone in some sort of security lapse. The focus is on stress testing security measures in the same way an unethical attacker would, to see where all the holes and soft spots that can be used to gain access are: things like misconfigurations, vulnerabilities in software or hardware that have not yet been patched out, and automated security measures that may not be working properly. Any security issues are then documented, and passed on to your information security teams to use in bolstering the network’s defenses.
Why penetration testing is important
Penetration testing is often the most effective way to identify application and network security vulnerabilities that would otherwise go unnoticed (at least until exploited). It’s an infrequent piece of the security management pie, generally conducted once a year by the average organization, but an extremely important one.
In addition to finding the places to direct security patches and bulwark against cyber attacks, pen testing can also provide organizations with an opportunity to test their cyber incident response plans. It’s the most realistic drill available, and the one that provides security teams and management with the most useful assessment of how well the plan can be expected to work in a crisis.
There is another type of service called “vulnerability scanning” that costs significantly less, but is not the same as engaging ethical hackers as proper penetration testers to really work on security posture. We’ll get into the differences in greater detail in a later section, but the key distinction is that penetration testing involves having an actual human think on their feet to attempt a cyber attack or a data breach. This exposes holes that would not be picked up by automated security testing.
How often should you do penetration testing?
The general recommendation for penetration testing services is at least once per year. That’s a minimum standard, however, and some organizations will want to conduct pen testing more often.
For example, organizations often add a one-time test to this schedule for specific disruptive events that are likely to cause misconfigurations or failures of security controls. These can include the installation or upgrade of network infrastructure and enhancement of applications, the movement of employees to remote work schedules and/or cloud services, or the opening of a new office.
Some organizations benefit from a quarterly, monthly or even weekly schedule. It all depends on how often (and how hard) they anticipate being attacked. For example, a defense contractor or a bank is going to be fielding many more cyber attacks than a local coffee shop or a towing company.
Both the number and the expected severity of cyber threats depend on a number of different factors. Is the organization holding data that is valuable for sale in the criminal underground? Is it a potential target for espionage conducted by a foreign nation? Has it been receiving some sort of bad press? Does it need to conduct frequent security patching? Is it subject to special compliance requirements, or does it operate in multiple countries with strong compliance laws? Is it growing and expanding quickly?
It can be tough to determine an exact level of risk and assign it a corresponding schedule. In some cases, it helps to look at the potential damage to revenue. How much will be lost to fines, lawsuits, business disruption, loss of confidential information, and asset theft if a vulnerability is exploited?
Penetration testing vs. vulnerability scanning
We touched on vulnerability scanning a little earlier. Let’s expand on exactly what it is, and how it is different from penetration testing.
A vulnerability scan basically removes the element of human ingenuity from the security testing process. This service is an automated scan for known vulnerabilities that have not been patched or otherwise secured.
That isn’t to say it isn’t a useful element of cyber security strategy. It’s an effective way to check a network for tens of thousands of published vulnerabilities in a short amount of time. It also costs a lot less than penetration testing, so it’s easier to do on a more regular schedule. Be wary of vendors that offer penetration testing services but are only running a vulnerability scan.
There are some definite limitations to vulnerability scanning, though. First, it can only identify known software and network security vulnerabilities. It won’t catch all of the sorts of openings that highly skilled hackers might creatively exploit. Penetration testers will use a wider range of tools and techniques, and those that are tailored to the individual composition of each network.
It also usually generates at least some amount of false positives. This means IT security man-hours spent in manually checking vulnerabilities to see if they are actually exploitable, so the price on the sticker is not really the entire cost.
Pen testing and vulnerability scanning both have their place in security testing strategies and the overall security management program, however. Vulnerability scanning can be run more often to help ensure that necessary security patching is being kept up with. But to fully secure systems and significantly reduce risk exposure, it should be supplemented with a penetration test at least once per year.
Types of penetration testing
As was mentioned at the outset, there are different types of penetration testing. The pen tester will generally tailor their approach to the composition of the network, the organization’s security objectives and any compliance requirements it needs to meet.
A pen test can be targeted at specific components of your technology environment:
- Network penetration tests explore network infrastructure, such as servers and network devices, to find unpatched vulnerabilities and other potential openings.
- Wireless penetration tests focus on gaining access to the organization’s WiFi network as an unauthorized user.
- Web application penetration testing focuses on custom-developed web applications, which could have vulnerabilities introduced by either in-house or outsourced developers.
- Mobile application penetration testing is similar to web testing, focusing on the possible vulnerabilities in an organization’s custom-developed mobile apps.
Tests can cover different depths of compromise, from simulating a hacker with no authorized access to an insider with full information about the environment:
- Black-box penetration testing simulates an attack in which the hacker does not already have access to any user accounts.
- Gray-box penetration testing simulates an attack in which the hacker has already acquired some sort of user credentials.
- White-box penetration testing provides the pen tester with full information access, including a review of source code.
You can also specify where on the network the penetration tests should be conducted:
- Internal penetration testing is executed from within the organization’s network perimeters.
- External penetration testing is executed from outside the organization’s network perimeters, typically the public internet.
Different security objectives can be met by different combinations of target, depth and location. For example, if you have an ecommerce website, you will likely be looking at an external web application gray-box penetration test. This will help you determine if a hacker that signs up as a user on your ecommerce platform can abuse your application.
Not all of these types of pen test are germane to every real world situation. A network pen test is something that just about any organization can use, but those that do not develop web or mobile apps generally do not need those. Different situations also call for different depths of testing in terms of black-, gray- and white-box approaches, and internal versus external access.
Network penetration testing
Network penetration testing will likely be a core requirement of any compliance standards that an organization is required to meet.
The test is focused on vulnerabilities on network and security devices, servers or user workstations. Pen testers will look for issues at the operating system level as well as commonly used software installed on the servers.
Wireless penetration testing
Wireless penetration testing deploys a variety of techniques to try to gain unauthorized access to an organization’s WiFi network. The most basic approach is to simply “sniff” the traffic between WiFi networks and end users to look for unprotected connections, or connections with weak and breakable encryption.
The key objective here is to determine if a hacker is able to bypass the organization’s secured network perimeter and gain “over-the-air” access to the internal network and resources.
Web application penetration testing
Website penetration testing involves the probing of a company’s web applications to find vulnerabilities. The web application penetration tester may do this at various points in the software development process to ensure security is “baked in” to the final product to protect sensitive data.
Web applications are generally tested from the outside, with security professionals playing the role of a real world hacker probing the internet for openings. It is common for hackers to exploit web applications as a point of entry into the organization’s internal network.
This is one of the more involved branches of pen testing as it encompasses a very broad range of approaches, and may require some knowledge of programming languages. Some common examples of testing techniques include trying SQL injection attacks, cross-site scripting, and exploiting vulnerabilities in open-source components.
Mobile application penetration testing
As with web application penetration testing, mobile application security is usually tested during various stages of development. This can include elements such as reverse engineering, and the use of various common development and hacking tools to attempt unauthorized access.
Typically, mobile applications will connect to web services or a server-side API on a server. Besides testing the application on the mobile device, the pen tester will also test the web services and APIs.
Black-box penetration testing
An ethical hacker performing a black-box penetration test plays the role of the typical hacker outside of the system, probing for access but with no credentials or other known points of exploitation as of yet.
This option is the closest to the “real world” scenarios that security teams face every day.
Gray-box penetration testing
A gray-box test gives the penetration tester a head start by providing them with some sort of login credentials, simulating an insider threat or a situation in which an employee has been phished or social engineering has been used to gain access.
This is helpful for organizations in mapping internal security deficiencies related to privilege escalation, and it also allows for some level of inside access to web and mobile applications in development.
White-box penetration testing
White-box pen testing is, as you might guess, the opposite end of the spectrum from the black-box testing process. The pen tester is given the access level of a privileged user, and typically handed source code to review.
White-box penetration tests look for things like the possibility of a high-level employee account becoming compromised or going rogue, or an insider introducing vulnerabilities into mobile or web applications.
Internal penetration testing
An internal pen test is suitable for determining if your internal systems are exposed to potential insider threats. It is also useful for simulating a scenario where the hacker has already acquired some sort of employee credentials and is in the network with some level of access, as they attempt to move laterally.
External penetration testing
External network penetration testing is more common as it is usually a requirement to meet various compliance standards, and the focus is on the defensive perimeter rather than what happens after an attacker manages to obtain privileged access.
Penetration testing methodologies
While a key feature of penetration testing is in giving the testers freedom to be creative in their approach, there are nevertheless some methodologies and frameworks that are used as an overall guide.
- Open Source Security Testing Methodology Manual (OSSTMM): One of the most common of these is the OSSTMM. This methodology is very popular as it is maintained by a peer-reviewed security research community, incorporates various regulations and laws, and can be easily customized to each organization’s needs.
- Penetration Testing Execution Standard (PTES): Another widely used methodology is the PTES, which also encompasses the entirety of the pen testing process. This standard provides guidelines for everything from the initial process of scouting and gathering intelligence about the attack surface, to the organization’s recovery plan and reporting of any unauthorized access.
- Open Web Application Security Project (OWASP): As a nonprofit organization for software security, OWASP publishes and maintains several security testing guides and is very popular specifically for web application penetration testing, as the name implies, but it also includes guidelines for mobile app and firmware security testing.
- Information System Security Assessment Framework (ISSAF): The ISSAF is a highly structured standard requiring the penetration tester to painstakingly plan and document the entire penetration testing process. While the methodology is comprehensive, it’s no longer actively maintained and may be a little outdated.
Penetration testing process
As the common use of established methodologies indicates (often mandated by compliance requirements), there is an overall structure to the process of good penetration testing even if the security team conducting it tries unconventional approaches to finding entry points.
6 phases of penetration testing
A comprehensive penetration test generally takes place in six phases.
- Pre-engagement interaction: This is the introductory phase that begins with the organization briefing pen testers on their overall security goals, any compliance requirements, desired methodologies, limitations on the simulated conditions, and the general schedule for testing to unfold. The testing teams may arrange an opening with a white/gray box test to evaluate internal conditions prior to attempting a penetration from the outside.
- Reconnaissance / Intelligence gathering: The penetration testers begin probing and scouting the organization for potential entry points. This almost certainly involves looking up any public information and poking at public-facing internet elements, but can also extend to attempts to social engineer employees and even perform actions at physical locations.
- Threat modeling / Vulnerability identification: In this phase, the testers have identified and mapped out potential weaknesses and are forming their plans for exploitation; not just the actual ways to gain access, but what information of value is in the network and should be prioritized.
- Exploitation: Having identified a list of soft spots in the previous phase, the tester begins trying exploitation methods against them. This process will be carefully documented by a quality testing outfit, particularly methods that are successful in finding open paths of unauthorized access.
- Post-exploitation: The testing teams now prepare a final report on vulnerabilities found in the network, and any applicable recommendations for addressing them. A good tester should also “leave no trace” by patching up anything they may have used to breach systems, such as resetting configuration settings they may have altered.
- Reporting: The penetration test ends with the final deliverable of a report tailored to the client’s needs. This often includes an at-a-glance overall risk rating that expresses both the risk of compromise, and the expected level of damage should a compromise occur. Recommendations for remediation often come in an easy-to-read “roadmap” of suggested changes for a period of one to several months.
Rules of engagement for penetration testing
Penetration testing teams are generally encouraged to be creative and even ruthless in their vulnerability assessments. However, organizations can (and do) often set limitations on them before the test begins.
In addition to specifying the types of testing to be used, organizations often schedule the testing for specific windows so as not to interrupt regular business. Testers are also required to agree to rules about how any sensitive information they encounter is to be handled. Organizations can also specify elements and testing scenarios (such as a zero-day) that are to be avoided, or specific URLs or IP addresses that are off-limits.
General rules of engagement will have penetration testers follow the common requirements below:
- Adhere strictly to all applicable laws and regulations pertaining to the conduct of security testing and the protection of customer and personal data.
- Do not deviate from the customer engagement parameters specified in the scope of work and the test plan, including test window, test scope, exclusions and limitations.
- Do not test any third-party services unless explicitly specified for the engagement.
- Do not conduct any attacks or activities that degrade, disrupt or deny any of the customer’s services.
- Do not collect or store any personal data (e.g. employee PII) and sensitive customer information (e.g. financial reports).
- Conduct all engagements under strict non-disclosure requirements as specified under the engagement agreement, and do not disclose any engagement-related information outside of the penetration testing team or to external parties.
- Before attempting certain tests that may result in a breach of the rules of engagement, consult with the customer and obtain all necessary approvals.
Together, these elements are referred to as the rules of engagement and are presented to testers as a legal agreement.
Penetration testing report
Penetration testing reports don’t necessarily have an identical format, but they do tend to have a similar structure and some standard categories of information.
The executive summary should outline the issues in a format that is useful to security teams and digestible by the executives that may need convincing to make necessary changes. That means a layman’s approach that does not get too far into the weeds of technical descriptions.
The report should also include a section that goes into the technical details of each vulnerability that has been detected. Some examples of details presented include:
- Description: This provides a technical discussion of the issue that has been detected, including what systems are affected and how the vulnerability can be exploited to cause harm.
- Impact: The description should also be accompanied by a section making clear exactly how bad each vulnerability could be for the organization should it be successfully exploited, in terms of expected technical damage.
- Scoring/Rating: This commonly adopts the Common Vulnerability Scoring System (CVSS) which provides a severity score from 0.0 to 10.0. Based on the score, the vulnerability is given a rating – Critical, High, Medium, Low or None. The rating provides the security team with a practical way to prioritize their remediation plans. For example, High-rated issues may be fixed in a week while Low-rated issues may take one month.
- Proof of concept: Pen testing reports are usually accompanied by more detailed descriptions of how each vulnerability was exploited and how the security teams might reproduce the observed vulnerability. This also provides the organization with evidence of each issue.
- Recommendations: This section provides guidance to the security teams on how they might remediate the vulnerabilities. Recommendations may or may not be specific as the actual implementation approach for fixing the issue may depend on the organization’s technology environment.
- References: More detailed technical information regarding the finding and fixing of vulnerabilities is usually included in a reference section.
Penetration testing certifications
You can see from all of this that it is important to engage reputable and skilled penetration testers. But, aside from business reviews, what can you use to determine their quality?
One very important element is industry certifications. There are a number of different certifications related to pen testing that indicate the relative experience and competence of a firm’s testers.
There are quite a few of these certifications, and they vary in quality. The easiest “entry level” certifications consist of only a multiple-choice exam, perhaps with a short practical test attached. The most advanced certifications test ethical hackers with a practical exam that unfolds over one to two days and has instructors actively throw challenges at them.
Some examples of the most advanced penetration testing certifications are:
- Offensive Security Certified Expert (OSCE): This test takes place over two days and has security professionals solve complex sets of challenges while evading active defense measures such as antivirus software. A lower level certification from the same company, the Offensive Security Certified Professional (OSCP), is somewhat “easier” with a 24-hour time window and less in the way of active defenses to deal with, but is nevertheless one of the tougher tests in the industry.
- Licensed Penetration Tester (LPT): This credential is offered by EC-Council and consists of a difficult 18-hour practical exam. The LPT is the final certification of EC-Council’s penetration testing track after the tester has obtained the EC-Council Certified Security Analyst (ECSA) and Certified Ethical Hacker (CEH) qualifications.
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN): An advanced certification for experienced security professionals offered by GIAC Certifications from the SANS Institute. The exam consists of 60 multiple-choice questions, including six practical questions requiring hands-on work.
There are many other certificate options ranging from beginner to expert levels. If you aren’t sure about the quality of a particular certification, look up what the testing process entails. The most advanced generally require a practical exam that lasts close to 24 hours, if not for multiple days. Beginner certificates usually consist of a multiple-choice test.
Penetration testing limitations
A penetration test is an important piece of a security program, but it is just one piece. For most organizations, it will be an infrequent element as compared to other components that are needed for everyday defense.
It is important that organizations not get into the mindset of thinking that a once-a-year pen test is the “magic elixir” that fixes all of their problems and makes them temporarily invulnerable to cyber attacks. These tests do have their limitations.
One is that pen tests only cover elements of the infrastructure that are selected for testing. Businesses often have to exclude some network segments or some applications because they will be too disruptive to business to interrupt or contain information that is too sensitive. And of course, there’s always a budget limitation.
Penetration tests are also focused on what an attacker would do. Active attacks are not the only way that information leaks out of organizations. For example, one very common issue is the misconfiguration of cloud databases leaving their contents open to the public accidentally.
And finally, though security testing is able to evaluate the human element to some degree through things like social engineering attempts, it cannot really inform or fix this aspect. This is an important point as email or messaging phishing of employees is a common way for attackers to breach networks. Companies need to supplement pen test results with regular training to keep staff wary of suspicious behavior.
Penetration testing cost
Unfortunately, penetration testing is not an inexpensive service. It draws from a small pool of highly trained experts in ethical hacking that are unwilling to turn their unique talents to criminal behavior. And the salaries of these security professionals are only going up due to a general shortage in the workforce that is expected to continue for years.
For a full penetration test of a network, you’ll likely see quotes running from $5,000 to $50,000 depending on the organization’s size and needs. Large companies that are high-value targets sometimes pay in the hundreds of thousands or even millions of dollars for each of their yearly tests.
The price may seem high, especially next to the low cost of a vulnerability scan, but there is good reason for it to be that high. Quality professional penetration testers are constantly learning to keep up with a rapidly evolving hardware, software and threat landscape. There is a substantial training cost to keep these services going, and when combined with the salaries that truly skilled professionals can command due to the extreme market shortage, you wind up with these price tags.
Even so, the cost of not performing regular penetration tests is almost always substantially higher. The cost of pen testing might seem steep at first, but set it next to a global average cost of over $4 million for each data breach and suddenly it seems much more reasonable!