Penetration testing, also known as pen testing, is a crucial process for identifying potential security vulnerabilities in computer systems, networks, and applications. It involves simulating a cyberattack to evaluate the security measures in place and determine any weaknesses that need to be addressed.
To conduct an effective penetration test, it is essential to have a clear understanding of the various approaches and methodologies available, the different types of tests that can be performed, and the associated costs. In this article, we will provide an overview of these key aspects of penetration testing, highlighting the importance of this process for maintaining the security of your digital assets.
What is a penetration test?
Penetration testing is a security assessment technique that involves testing the security of a computer system by performing attacks to identify system vulnerabilities and propose security patches. Unlike vulnerability testing, which relies on automatic scanners to quickly identify common vulnerabilities, penetration testing goes further by searching for logical flaws that cannot be detected by automatic tools and manually exploiting identified vulnerabilities to measure their real impact.
Penetration testing can be performed using different approaches, including black box, gray box, and white box testing. Black box testing focuses on the attack surface accessible to external attackers. Gray box testing targets elements accessible only to customers, partners, or employees of a company.
White box audits involve analyzing the level of security while having the same access as a system administrator. After the penetration test, a security audit report is delivered, which presents the identified vulnerabilities classified by the level of criticality, along with technical suggestions for remediation. Additionally, a non-technical summary may be provided for presentation to management or partners.
Penetration testing can be conducted using a black-box, white-box, or gray-box approach.
- Black-Box: In a black-box approach, the tester has no prior knowledge of the target system’s architecture, design, or source code. This approach simulates a real-world scenario where an attacker has no inside knowledge of the system. The tester has to find vulnerabilities by interacting with the system, as an external attacker would.
- White-Box: In a white-box approach, the tester has full knowledge of the target system’s architecture, design, and source code. This approach simulates an insider attack where the tester has access to the system’s internal workings. The tester can identify vulnerabilities by analyzing the system’s code, configurations, and access control mechanisms.
- Gray-Box: In a gray-box approach, the tester has partial knowledge of the target system’s architecture, design, or source code. This approach combines the advantages of both black-box and white-box testing. The tester has enough knowledge to understand the system’s architecture and design but does not have access to the source code. This approach is useful when the testing team has limited resources or time to conduct a full white-box test.
Penetration Testing Methodology
Penetration testing can be conducted using different methodologies, depending on the scope and objectives of the test. Some of the commonly used methodologies are:
- Open-Source Security Testing Methodology Manual (OSSTMM): It is a framework for penetration testing that emphasizes the importance of information security testing, rather than just vulnerability scanning. The OSSTMM is a comprehensive methodology that covers all aspects of security testing, including physical security, social engineering, wireless security, and application security.
- Penetration Testing Execution Standard (PTES): It is a standard for conducting penetration testing that defines a set of guidelines and best practices for the entire testing process, from scoping to reporting. PTES divides the testing process into seven phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.
- NIST SP 800-115: It is a guide for information security testing that provides recommendations covering the whole lifecycle of a security testing activity, from planning through execution to reporting.
Types of tests performed
Web applications
The tests conducted on web platforms search for vulnerabilities in both the configuration of the web servers and the application layer. Examples of server-side vulnerabilities are open and poorly secured services, outdated software, and configuration errors. On the application side, these include the vulnerabilities listed by OWASP (including the top 10 flaws), logical flaws in the implementation of the workflow, and flaws arising from new discoveries about the technologies used by the developers.
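Server-side configuration errors of the kind mentioned above are often visible in the response headers alone. The following script is an added illustration (not code from the original article) of how a defender can check a response for missing hardening headers, software version disclosure, and session cookies lacking the Secure and HttpOnly flags. The two responses, the list of expected headers, and the severity assigned to each check are assumptions constructed for the example, not captured from any real host.

```python
"""Check an HTTP response's headers for common web-server configuration
weaknesses: missing hardening headers, version disclosure, weak cookie flags.
Added illustration; the sample responses below are constructed, not captured
from any real host."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    title: str
    detail: str


# Hardening headers a well-configured server is expected to send, with the
# severity assigned when one is absent (assumed ratings for this example).
EXPECTED_HEADERS = {
    "strict-transport-security": ("medium", "HSTS not enabled"),
    "content-security-policy": ("medium", "No Content-Security-Policy"),
    "x-content-type-options": ("low", "MIME sniffing not disabled"),
    "x-frame-options": ("low", "No clickjacking protection"),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _normalise(headers):
    """Lower-case header names; repeated headers (e.g. Set-Cookie) become lists."""
    out = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out


def check_headers(headers):
    """Return a list of Findings for a list of (name, value) response-header pairs."""
    h = _normalise(headers)
    findings = []

    # 1. Hardening headers that are simply absent.
    for name, (sev, title) in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(Finding(sev, title, f"missing header: {name}"))

    # 2. Version disclosure: "Server: Apache/2.4.29" or "X-Powered-By: PHP/7.2"
    #    reveals the software in use and whether it is an outdated release.
    for name in ("server", "x-powered-by"):
        for value in h.get(name, []):
            if "/" in value and any(ch.isdigit() for ch in value):
                findings.append(Finding("low", "Software version disclosed",
                                        f"{name}: {value}"))

    # 3. Cookie flags: a session cookie without Secure/HttpOnly can travel in
    #    cleartext and be read by injected script.
    for cookie in h.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(Finding("medium", "Cookie missing security flags",
                                    f"{cookie_name}: missing {', '.join(missing)}"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when there are no findings."""
    return min((f.severity for f in findings), key=SEVERITY_ORDER.get, default=None)


# Constructed sample responses (not from a real server).
WEAK_RESPONSE = [
    ("Server", "Apache/2.4.29 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.2.24"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_headers(response)
        print(f"{label}: {len(found)} finding(s), worst={worst_severity(found)}")
        for f in sorted(found, key=lambda f: SEVERITY_ORDER[f.severity]):
            print(f"  [{f.severity}] {f.title}: {f.detail}")
```

Run against the constructed weak response it reports seven findings (four missing headers, two version disclosures and one cookie without Secure/HttpOnly), and none against the hardened one. In a real engagement these header checks are only the cheap first pass; they say nothing about the logical flaws in the workflow that the article stresses must be found by hand.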
Mobile applications
Tests on mobile applications focus on the applications themselves, excluding the mobile APIs and servers. They consist of both static and dynamic analysis of the applications. Static analysis involves extracting elements such as meta-information and source code in order to attempt reverse engineering. Dynamic analysis, on the other hand, involves identifying vulnerabilities in the application while it is running on a device (at runtime), for example by bypassing controls or extracting data from RAM. OWASP lists common flaws in mobile apps, including the mobile top 10.
Connected objects – IoT
The tests carried out on connected objects search for vulnerabilities across all layers of the IoT ecosystem: hardware, firmware, communication protocols, servers, web applications, and mobile applications. Tests on hardware, firmware, and communication protocols are specific to each object and include, among others, data dumps via electronic components, firmware analysis, and signal capture and analysis.
Infrastructure and networks
The tests carried out on external infrastructure consist of scanning the company’s public IPs and online-exposed services with the aim of identifying flaws related to services configuration and system architecture. The tests carried out on an internal corporate network consist of mapping the network to search for vulnerabilities in workstations, servers, routers, proxies, and other network devices.
Human factors
The company’s “human factors” tests assess how teams react to phishing attempts, telephone attacks, and physical intrusion. The techniques used include sending phishing and spear-phishing emails (which may contain interface clones and malware), collecting sensitive information by telephone, and using booby-trapped USB keys.
The goal of a Pentest
The primary objective of a pentest is to uncover all security vulnerabilities in the target system and report them to the client. However, due to budget constraints, most engagements are time-limited. Large organizations may have an internal pentest team, but that team may be unable to test every system in the portfolio. They therefore hire external pentesting firms, an option that is also cost-limited because of the manual nature of the process and the scarcity of skilled personnel.
Pentests are usually scoped to a specific timeline, which varies based on the system’s complexity and the duration needed to achieve reasonable confidence in finding vulnerabilities. The timeline typically follows a bell curve, where few findings occur initially, followed by a surge in discoveries within a specific timeframe, before tapering off. At some point, the cost of spending more time looking outweighs the likelihood of finding new vulnerabilities.
In cases where the quoted price is too high, a time-boxed approach may be adopted, where the client accepts that the test will be conducted within a reduced timeframe, and the pentesters will do their best to uncover as many vulnerabilities as possible. However, this approach is usually accompanied by a caveat in the report to indicate that the test was conducted in a shorter timeframe than recommended.
What happens after a penetration test?
Security measures and best practices to implement
The ultimate goal of the penetration test is to offer concrete recommendations for enhancing the security level of the target. As a next step, these suggestions should be acted upon to rectify at least the most critical vulnerabilities. Some of the corrections can also be incorporated into functional and technical development projects or be applied to other systems similar to the target. Moreover, conducting an intrusion test makes it possible to change certain practices, implement new processes, and strengthen the company’s vigilance against potential risks.
Following an intrusion test, it may be recommended to conduct additional analyses, such as:
- More in-depth penetration tests on portions of the target not included in the scope of the previous test
- White box audits to push the security analysis further
- Depending on the vulnerabilities identified, supplementing the security analysis with security training for technical and/or non-technical teams
Penetration testing frequency
An intrusion test provides an assessment of the security level of a target at a specific time. The question then arises regarding how frequently to conduct this type of test. This depends on various factors such as the level of risk that the company is exposed to, regulatory and commercial issues surrounding the target, the thoroughness of previous intrusion tests, and the frequency of technical and functional changes to the target. In certain situations, the choice may be to conduct one pentest per month, whereas in other instances it may be to conduct one pentest per year.
Examples of strategies for software companies and startups
For an intermediate-sized software publisher with high-security requirements from its customers, whose product requires a high number of pentest days:
- 2 pentests per year on the product, with a different functional scope from one session to another
- 1 social engineering pentest every year
- 1 pentest of its external infrastructure every 2 years
- 1 pentest of its internal network every 2 years
For a PCI-DSS certified fintech startup with strong security constraints:
- 1 pentest per quarter, with a different functional scope from one session to another
- Security training sessions for developers
For an SME concerned with preventing the main security risks:
- 1 pentest of its information system (external and internal) every 2 years
- Training for the people in charge of security issues
Variations on the theme
Phishing, OSINT, and red team exercises are interrelated but distinct concepts. Phishing tests measure employees’ response to phishing emails, allowing for future training to be tailored based on the results. Meanwhile, OSINT tests involve gathering publicly available data to assess the value of the information and how it could be used for targeted spear-phishing attacks. Red team engagements are more comprehensive and may involve elements of all the other components, including physical security testing and social engineering. These typically require a team of people and can last much longer than regular pentests.
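The article notes that a phishing test is measured by employees’ responses and that the results drive later training. As an added example (not code from the original article), the script below turns a campaign event log into the per-department figures a report would carry: click rate, report rate, users who clicked without reporting, and time to first report. The log lines, the field layout, and the 20% click-rate threshold used to rank departments for training are constructed assumptions for the example.

```python
"""Score a simulated phishing campaign from its event log: per-department click
rate, report rate, clicked-but-unreported users, and seconds to first report.
Added illustration; the log lines are constructed, not from a real campaign."""
from datetime import datetime

# Constructed event log, one event per line:
#   <UTC timestamp> <sent|opened|clicked|reported> user=<id> dept=<department>
SAMPLE_LOG = """\
2024-03-04T09:00:00Z sent user=u01 dept=finance
2024-03-04T09:00:00Z sent user=u02 dept=finance
2024-03-04T09:00:00Z sent user=u03 dept=finance
2024-03-04T09:00:00Z sent user=u04 dept=engineering
2024-03-04T09:00:00Z sent user=u05 dept=engineering
2024-03-04T09:03:10Z opened user=u01 dept=finance
2024-03-04T09:03:45Z clicked user=u01 dept=finance
2024-03-04T09:05:02Z opened user=u02 dept=finance
2024-03-04T09:05:30Z clicked user=u02 dept=finance
2024-03-04T09:06:12Z reported user=u02 dept=finance
2024-03-04T09:10:00Z opened user=u04 dept=engineering
2024-03-04T09:11:40Z reported user=u04 dept=engineering
2024-03-04T09:12:15Z opened user=u05 dept=engineering
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": fields["user"], "dept": fields["dept"]})
    return events


def department_metrics(events):
    """Aggregate per-user outcomes into per-department counts and rates."""
    users = {}          # user id -> {"dept", "sent", "clicked", "reported"}
    first_report = {}   # dept -> timestamp of the earliest report in that dept
    campaign_start = min(e["ts"] for e in events if e["event"] == "sent")

    for e in events:
        u = users.setdefault(e["user"], {"dept": e["dept"], "sent": False,
                                         "clicked": False, "reported": False})
        if e["event"] in ("sent", "clicked", "reported"):
            u[e["event"]] = True
        if e["event"] == "reported":
            d = e["dept"]
            if d not in first_report or e["ts"] < first_report[d]:
                first_report[d] = e["ts"]

    metrics = {}
    for u in users.values():
        m = metrics.setdefault(u["dept"], {"sent": 0, "clicked": 0, "reported": 0,
                                           "clicked_unreported": 0})
        m["sent"] += int(u["sent"])
        m["clicked"] += int(u["clicked"])
        m["reported"] += int(u["reported"])
        # A user who clicked and then reported still counts as reported; the
        # ones to worry about are those who clicked and never reported.
        m["clicked_unreported"] += int(u["clicked"] and not u["reported"])

    for d, m in metrics.items():
        m["click_rate"] = m["clicked"] / m["sent"]
        m["report_rate"] = m["reported"] / m["sent"]
        m["seconds_to_first_report"] = (
            int((first_report[d] - campaign_start).total_seconds())
            if d in first_report else None)
    return metrics


def training_priority(metrics, click_threshold=0.2):
    """Departments whose click rate exceeds the threshold, worst first.
    The 20% default is an assumed example value, not a recommended benchmark."""
    ranked = sorted(metrics.items(), key=lambda kv: -kv[1]["click_rate"])
    return [dept for dept, m in ranked if m["click_rate"] > click_threshold]


if __name__ == "__main__":
    metrics = department_metrics(parse_events(SAMPLE_LOG))
    for dept, m in metrics.items():
        print(f"{dept}: sent={m['sent']} click_rate={m['click_rate']:.0%} "
              f"report_rate={m['report_rate']:.0%} "
              f"clicked_unreported={m['clicked_unreported']} "
              f"first_report_after={m['seconds_to_first_report']}s")
    print("training priority:", training_priority(metrics))
```

On the constructed log, finance shows a 67% click rate with one user who clicked and never reported, while engineering shows no clicks and a 50% report rate, so only finance is ranked for tailored training. The report rate and time to first report matter as much as the click rate: a department that reports quickly gives the security team a chance to contain a real campaign even when some users click.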
Red team exercises may raise ethical concerns as testers actively deceive unsuspecting employees. However, these tests are only conducted with the permission of the company leadership, typically at the board level. The use of force or violence is never permitted, and testers carry a signed contract as proof of permission. Sometimes, a fake permission slip is carried as a double bluff to see if security can be tricked into believing it is legitimate. If caught, the real permission slip is provided, but the tester’s identity may be compromised, resulting in their removal from further in-person testing. Another team member may replace them, with or without informing security, to continue the test.
How much does a penetration test cost?
A penetration test typically costs between €3k and €20k, depending on the scope and audit conditions. Here are some examples of pricing:
- €20k to €25k for a comprehensive security audit, which includes an external pentest of the information system, an internal pentest, and a social engineering pentest.
- €10k to €15k for a security audit, which includes 3 or 4 pentest sessions on software, as and when new versions are put into production.
- €5k to €10k for an in-depth pentest on business software, a company network, or a connected object.
- €1.5k to €5k for an initial pentest, focused on the major risks for the company.
To summarize
A pentest is a type of cybersecurity engagement where a professional is hired to test a computer system for vulnerabilities manually. Automated tools may be used as part of the process, but the tester verifies the vulnerabilities manually. The results of the test are presented in a report that includes remediation advice. The report must be based on manual testing and verification, rather than solely relying on automated tools. Pentests can be performed on any computer system, including hardware, networks, applications, or devices, and require a range of complementary skills depending on the system being tested.
In conclusion, penetration testing is a critical process for identifying potential security vulnerabilities and ensuring the overall security of computer systems, networks, and applications. By following the appropriate approach and methodology, selecting the right test type, and considering the associated costs, organizations can better prepare themselves against potential cyber-attacks.
With the increasing prevalence of cyber threats and the growing importance of protecting sensitive data, the importance of penetration testing cannot be overstated. Therefore, it is essential to conduct regular penetration testing to stay ahead of potential security risks and safeguard the integrity of your digital assets.