Posted on Mar 15, 2021
As cybercriminals continue to seek new methodologies for gaining access to mission-critical resources, organizations need to maintain their controls’ effectiveness. A single vulnerability can lead to a catastrophic data breach. For example, a single server with the default password still in use can give malicious actors a way to gain access to a company’s entire connected infrastructure. Most organizations engage in penetration testing to monitor whether their controls effectively protect data, but many types of pen testing exist, so knowing what each one does can give you a better understanding of how to protect information.
Penetration testing, also called “pen testing” or “ethical hacking,” is when an organization authorizes an internal team or third-party organization to simulate an attack on systems and sensitive data to detect security control vulnerabilities and weaknesses.
The people engaging in the simulation, often referred to as “pen testers,” try to “break into” a company’s systems, networks, and software by looking for vulnerabilities in the following areas:
Although pen testers are hired by an organization, they need to act like malicious actors, which means they try to carry out the simulated attack undetected. To do this, they often use the same attack methodologies as malicious actors, including:
Since the pen test looks to find security vulnerabilities, organizations often start by defining the simulation’s scope. Setting the scope of the penetration test means defining the systems, software, networks, applications, databases, accounts, people, and physical security controls on which the pentester should focus.
Most organizations use their risk analyses to help define the scope. The highest risk assets should be included since real malicious actors will most likely target those first. However, you also need to consider low-risk assets that might allow someone to obtain unauthorized access and then move within your infrastructure.
For example, a corporate website may not be high risk from a data sensitivity point of view. However, if an administrator uses the same password for the website and privileged account, gaining access to the website would allow a malicious actor to use that information to gain privileged access to high-risk data or systems.
When setting the scope of the penetration test, some questions that can help include:
The scope of the pen test defines the approach the pen tester will take. To get a better understanding of how the two are related, it helps to understand the three main approaches to pen testing.
A black box test, also called external penetration testing, simulates a real-life cyber attack situation by providing the tester with no information about the target asset. Since cybercriminals rarely know a company’s network architecture or proprietary application code, black box testing can create the most authentic simulation. This approach is often used to determine how secure an application is.
Three prominent types of black box pen tests exist:
White box testing, also called “clear box testing,” often supports other types of pen tests when an organization needs to improve a metric, suspects an area needs additional testing, or needs to enhance security. Since the organization is looking for specific insight, it makes the code visible to the pen testers so that they can verify the software for:
The two most prominent types of white box testing are:
Gray box testing blends white and black box approaches by giving the pen testers some information about the application’s internal structure so that they can search and identify potential code defects. Often, gray box pen testing offers a better likelihood of detecting a security weakness than the other two approaches.
Unlike white and black box testing, gray box testing has no specific types associated with it.
Each of these approaches to testing can be done across an array of areas. The scope that defines the purpose of the test will also include the type of test.
With connectivity a primary business need, companies need to ensure that they secure their networks, making this one of the most common testing types. The pen tester looks to find security weaknesses or vulnerabilities in the network infrastructure, including:
Additionally, the network pen test needs to examine the data that travels from an origin point to the designated destination. These data units, called packets, can include:
First, network pen testers need to understand the organization’s digital footprint and assets. This includes looking for information on:
Next, the tester does reconnaissance to discover live hosts and services by engaging in:
Finally, the test discovers and exploits vulnerabilities by either manually engaging in or using automated tools for:
Although some processes are manual, most pen testers also use automated tools. Some of the most used tools are:
A web application penetration test uses manual or automated processes to simulate an attack against a web application to identify potential vulnerabilities, security weaknesses, or other ways that a malicious actor can gain unauthorized access. Organizations adopt web applications because they enable collaboration, especially for a remote workforce. However, they store, transmit, and process sensitive data and can leave that information publicly exposed if a coding error exists.
Companies developing software should engage in web application pen testing as part of the software development lifecycle (SDLC). Organizations that purchase Software-as-a-Service (SaaS) solutions should engage in web application testing as part of their vendor risk management due diligence processes.
First, pen testers need to engage in reconnaissance or information gathering. During this phase, two methods exist:
Second, pen testers use the information gathered to engage in threat modeling which means that they think about how to exploit the vulnerabilities discovered in the reconnaissance stage. The four stages of threat modeling are:
Third, web application pen testers use their threat model to try to exploit vulnerabilities or flaws.
Fourth, web application pen testers write a business-level report detailing their findings and expressing their recommendations.
Finally, the organization prioritizes the risks discussed in the report to strategically remediate the weaknesses, starting with high priority risks.
Some tools used in web application testing are the same as those used in network testing, but many are unique to this type of test. Additionally, pen testers use different tools for different steps in the process.
The passive and active reconnaissance phases use different tools because they provide different information.
Passive reconnaissance tools include:
Active reconnaissance tools include:
The exploit phase goes beyond gathering information to start interacting with the web application.
Exploit tools include:
In a client-side penetration test, pen testers look for vulnerabilities in the software on users’ workstations because they have legitimate access to the corporate network and also connect to the public internet. These tests are also referred to as “inside tests” because the pen testers do not need to try to break through network protections like firewalls as the devices are already connected to the target network.
Some examples of client-side software that cybercriminals can use for attacks include:
Since attacking workstations means bypassing more robust controls, cybercriminals continue to look for new vulnerabilities in these applications, making client-side pen tests more important than ever.
Similar to other types of pen testing, client-side tests begin with information gathering. As part of this, the testers engage in the following activities:
Second, the pen testers set up an attack simulation by selecting a target and customizing the attack. Since client-side tests focus on workstations inside the network, the pen testers need to focus more directly on who would be the target user type, what types of devices/software/systems would be targeted by malicious actors, and how the exploit would work.
Third, the pen testers deploy the attack simulation either by sending fake phishing emails or attempting to exploit the weakness they wanted to focus on based on their information gathering.
Although many of the same tools used in other types of testing can be applied to client-side tests, the following are particularly effective for this type:
A wireless penetration test looks for vulnerabilities malicious actors can use to launch automated attacks against access points, such as switches, hubs, or devices. Vulnerabilities can include:
First, pen testers need to engage in reconnaissance using a process called “War Driving,” where they drive a vehicle around a location to detect WiFi signals.
Second, they scan or identify networks and try to capture packets so they can start “listening” to wireless traffic.
Third, pen testers focus on finding vulnerabilities in WiFi access points by trying to authenticate to them.
Fourth, they exploit any vulnerabilities located in the WiFi access points by engaging in some of the following activities:
Since wireless testing focuses on access points, it uses different types of tools than other penetration test types, including:
During a social engineering penetration test, pen testers use the same type of phishing email processes and other social engineering tactics as malicious actors to test whether employees follow the organization’s policies and practices.
First, pen testers gather information to determine what types of messages might be most effective within an organization, which includes reviewing:
Second, they decide how to send the message, track responses, monitor activity, and develop content.
Third, pen testers put together lists of users that they want to target then configure and schedule their campaigns.
Fourth, they engage in the initial exploits such as:
Fifth, they engage in secondary exploits such as:
Sixth, they simulate data exfiltration by reviewing but not downloading information such as:
Finally, they disengage from the systems by:
Because social engineering pen tests focus on exploiting people’s emotional weaknesses, this type of pen tester uses Open Source Intelligence (OSINT) to collect information. Some popular OSINT tools include:
Physical engineering is a type of pen test where the testers attempt to “break into” a building during working hours to determine whether protections like locks, credentials, and practices around visitors have any vulnerabilities.
First, the pen testers look at all areas of the physical premises that could create a security risk and create a map, including:
Second, they look for any places where malicious actors could pick locks to gain entrance to the facility, such as:
Third, they look for similar types of physical security weaknesses inside the building, including:
Fourth, they use technologies that can be used for corporate espionage or data theft from inside an organization, such as:
Fifth, they look for potential physical security weaknesses caused by employees, such as:
Since physical engineering tests focus on building security, pen testers use commonly found tools like:
Every penetration test needs to balance depth and breadth. To find the right balance, you need to work with your pen tester and create a focused plan. The plan needs to include everything from the assets included in the test to the reportable outcomes.
As part of the initial engagement, you want to start by thinking about the qualifications you want the team to have. From an enterprise perspective, you should consider any unique assets in your IT stack, such as internally developed applications, mainframes, or uncommon networking protocols. Then, you should review the risk these assets pose from both a security and privacy perspective. Any high-risk assets should be included as part of your penetration test, so you want to make sure that the team you choose has experience with them.
As part of the scoping process, you defined the assets that the team needs to test. You also need to assign internal responsible parties. As part of this process, you want to consider the people in your organization who you consider:
Then, you want to make sure that each responsible party outlines areas of special concern and technical boundaries.
Additional information that you want to provide as part of this process includes:
A penetration test is not a “set it and forget it” process. You should assign a responsible technical party to work closely with the team, one who can respond to any critical issues that need immediate remediation or resolve issues that impede the testing process.
As the team continues to poke at your security controls, they may need to change the scope of the test. Sometimes, pen testers may identify additional systems or components whose impact on the in-scope systems requires them to do more work. At this point, they may suggest broadening the scope or indicate that the report has to list these as a limitation of the testing.
In other words, you may need to decide between increasing the costs associated with the testing process and including a notice in the report that you chose to accept the risk by not testing these systems.
Finally, your testing team will provide a report that lists security issues uncovered. Once you review the report, you need to prioritize remediation actions based on vulnerability severity, starting with the riskiest weaknesses.
The penetration test process is the first step. The report provides all the information necessary to respond to any findings. Similar to a regulatory compliance audit report, the pen test report has several parts to it.
This section offers a high-level summary intended for the executive team, including weaknesses, risk impact, and suggested remediation prioritization.
This section gives the report context and summarizes the original statement of work.
This section gives the name, email address, and phone number of the people performing the test and is often used to meet compliance requirements.
The report should include the tools used so that the IT team can reproduce the findings as they work to remediate the weaknesses.
This section, often including graphs, details the vulnerabilities by grouping them based on the risk and remediation effort required. Additionally, the reports often enable budget justifications.
This section should include two different types of prioritization. First, the report should prioritize findings based on the risk a vulnerability poses to the organization’s security posture. Second, it should prioritize findings based on importance and relevance.
To help the IT team remediate weaknesses, the report should include links to resources that provide additional technical information such as OWASP, MITRE, or CVE websites.
The IT team may need to recreate the steps to finding the vulnerability so that they can understand how to find the issue as part of the resolution process.
This section includes the best practices and actions necessary to remediate the findings.
Most regulatory and industry compliance requirements suggest “at least annually.” However, organizations in industries that malicious actors target more frequently, such as financial services or healthcare, may want to do them more than once a year.
Depending on the penetration test’s scope, it can take on average between one and three weeks. The more systems incorporated in the test, the longer the test will take. Additionally, the more out-of-scope systems and components that the pen testers find during the test, the longer the test may take.
Although penetration test costs rely on the organization’s IT infrastructure complexity, the average cost is usually between $15,000 and $30,000. In extremely complex IT stacks, the cost can be as high as $100,000. For limited engagements, the cost can be as low as $2,900.
Penetration testing provides an in-depth review of your organization’s security posture. However, the costs and time associated with completing them mean that they can only be completed once or twice a year. Meanwhile, your IT ecosystem continuously changes, making it essential that you continuously monitor for new vulnerabilities.
SecurityScorecard’s security ratings platform gives you an outside-in look at your current security posture and provides easy-to-understand ratings based on an A-F scale. We monitor across ten categories of risk, giving you an at-a-glance look at mission-critical security risks. We not only enable organizations to detect and mitigate new risks that can arise between penetration tests but also help customers identify assets that need to be included in future tests.