Many companies require penetration testing and or vulnerability assessments completed for compliance or customer assurance but don’t know much about penetration testing or how it works. Below we have compiled a list of the 8 penetration testing questions people typically ask during procurement.
How Pen Testing Is Different From Functional Software Testing?
Who Does Pen Testing?
How Much Does Penetration Testing Cost?
In our opinion, penetration testing is worth the price every time, just be sure that your internal teams address the discovered issues and they are retested to confirm successful remediation.
How Much Testing Is Automated And How Much Is Manual?
The answer to this question depends on the individual penetration testing consultant that your company is hiring. However, it is important to note that penetration testing uses automated tools as part of the testing process, the industry tends to refer to this as “semi-automated”, where a consultant uses automated scanning software to identify low hanging fruit or common vulnerabilities.
In short, there’s nothing wrong with ethical hackers using automated tools. However, scanners and other tools typically only spot simple vulnerabilities. Pen testers can use their experience, skills, and brains to think outside the box to find and combine vulnerabilities that an automated tool would otherwise miss.
What Kinds Of Tools Will You Be Using?
Some of the most common tools that many ethical hackers utilize are Burp Suite, Nessus, and Metasploit. These three tools help along the penetration testing process, allowing the pen tester to identify issues and manual exploit the discovered vulnerabilities (as discussed above).
Common Penetration Testing Tools
- Burp Suite
- Nessus
- Metasploit
- More tools are listed on this page
What’s The Difference Between A Vulnerability Assessment And A Penetration Test?
A Vulnerability Assessment (also known as a VA) informs on whether your network environment has any vulnerabilities. A penetration test digs deeper than simply identifying security weaknesses, they actively look and hopes of exploiting any holes in your system security, exploitation of the vulnerability verify its existence. Manual testing identifies security weaknesses that a simple scan wouldn’t be able to find.
Key differences between the two
- Penetration testing exploits vulnerabilities
- Vulnerability assessments identify vulnerabilities but do not exploit vulnerabilities
- Penetration testing goes a step further, pivoting and chaining discovered issues together
What’s Your Approach To A Pen Test?
Depending on the firm you hire, there will likely be a different approach, typically you can request their testing methodology. Most reputable companies will base their testing methodologies on established methodologies, such as NIST, OWASP, and PTES.
Every team has a slightly different approach, but ultimately, they follow the same set of rules. Here are a few guidelines some of the best pen testers follow:
Discovery: In this phase of the process, the technician gathers as much relevant information about your company as possible which is very likely, unknowingly, a part of the public domain. This information could be key to an attacker backing through your company’s cyber defenses.
Scanning: Here automatic and manual scanning techniques are used to uncover vulnerabilities in the system. If the process is performed correctly, then the automatic scan should run in tandem with the manual scan at least complement each other.
Exploitation: Once an issue has been identified the technician must attempt to exploit it. Technicians who rely too much on tools will have trouble during this portion of the process. But, this is an important step and requires a very high level of trust between the technician and the company they are providing their service to. If you “penetration test” does not include the step of testing, then it’s a vulnerability assessment and not a penetration test.
Post Exploitation: After the vulnerabilities are thoroughly exploited the information gathered is used to gather additional information.
How Do You Report The Findings?
Before beginning any security testing the following must be discussed between the technician and the business:
- Several Emergency contacts for the ethical hacker
- An agreed upon call frequency (daily, weekly wash up calls)
- How you’re planning to communicate with each other (e.g. phone, email, IM , etc.)
- Final report delivery date
What Preparation Work Should We Do Before A Penetration Test?
Before penetration testing can take place the following preparation work is recommended:
- Backups are taken (ensuring a point in time restore point, allowing for pre-test environment restore)
- Applications are hardened and patched
- Attack vector is reduced (by only exposing services that are required)
Obviously, the above depends on “why” you are conducting a pen test, you might be a CISO in a new organization who wants to gain an overview of the current state of the organization’s security.
Why Should I Have A Penetration Test Performed?
A Pen test lets you know the kinds of issues your company network and environment may have with regards to security. It gives your company the opportunity to address the holes you may have in your security so you can address them before an attacker has the chance to use these vulnerabilities against you.