What is a penetration test?
A penetration test, often referred to as a "pen test", is an authorized assessment conducted by highly specialized third-party security experts to discover and report on vulnerabilities and attack paths in your networks, systems, and applications. Pen testers use the same tools as attackers, but for a good cause.
A company will need to remediate the high-risk findings as soon as the pen testers report them, reducing the attack surface before real attackers exploit them.
Penetration testing is required to meet auditors' requirements by most security certifications like ISO 27001 or attestations like SOC2 and to comply with cybersecurity and privacy-related laws of the land like HIPAA or industry-specific regulations like PCI.
Why do you need a penetration test?
Your company's internet-facing assets are getting hit with thousands of malicious connection requests as you read this blog post. Don't believe me? Ask your WAF provider to show you a recent report of blocked IPs trying to scan your website.
Though you may assume "it cannot happen to me" or that your business is too small to be an attractive target to bad actors, this type of thinking can pose big risks. Hackers take the path of least resistance, choosing to go after unlikely targets like suppliers and service companies rather than large enterprises with an army of security staff. They are motivated by a variety of reasons, ranging from profit, activism, espionage, revenge, identity theft, and IP theft to plain disruption and denial of service.
Below are a few reasons why you may want to consider a penetration test:
Protect Your Valuable Product & Customers: You're in business to earn customers' trust and serve them. You have raised millions to build something great. You're responsible for protecting your product and your customer data and identities, even if your application is deployed in the cloud under a shared responsibility model. Customers may ask you to provide evidence of an annual third-party pen test as part of their procurement, legal, and security due diligence.
Protect Your Data: If you're storing any PII/PHI/PCI data in your environment and you fail to protect the security and privacy of your customers' data, you're subject to steep monetary penalties by legal and regulatory oversight authorities in your industry. According to the Dark Web Market Price Index published in 2021, everything from credit cards, PayPal accounts, crypto accounts, social media accounts, streaming accounts, forged IDs and documents, and email dumps fetches prices ranging from $50 to $4,000 per item. Regular pen tests can discover misconfigurations, weak encryption, known vulnerabilities, default credentials, and sensitive data inadvertently exposed by your APIs, applications, and data stores.
Continuous Security Validation: Pen testing can verify whether your security tools such as a WAF or email filters are working as advertised. It can also identify any changes, for better or worse, to your company's security posture as your business activities, users, employees, partners, and competitors continuously change.
Meet Compliance Requirements: A pen test report or letter of attestation from a pen tester is often required by your regulators, insurance companies, and clients' vendor management to assure that you have a good threat and vulnerability management practice in place.
Achieve and maintain security certifications and attestations: A pen test is required by SOC 2 and ISO 27001 auditors to confirm the evidence of a mature threat and vulnerability management practice.
SOC 2 compliance requirements directly mention the use of penetration testing or similar techniques to identify vulnerabilities in the company’s systems – which is why most auditors require a penetration test as part of the SOC 2 process.
CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.
CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
ISO 27001 requires that a company prevent the exploitation of technical vulnerabilities. Performing vulnerability scanning and assessment on your network and applications may identify vulnerabilities with false positives or generic CVSS scores. Therefore, it’s important to combine vulnerability tools' scanning results with a third-party manual pen test to provide accurate evidence to your auditor on the following requirement.
A.12.6.1 – Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Types of penetration tests
There are two ways to think about pen tests:
- Testing for external hacking attacks
- Testing for insider threats
Blackbox: The pen tester will not ask for any test accounts or authentication to your applications and infrastructure components (databases or servers). The pen tester will attack the externally facing systems without much knowledge of them, using public breach databases or social logins (if present), and try to exploit any externally facing vulnerabilities, misconfigurations, and defaults. These are quick and low-cost tests.
Whitebox: You will provision test accounts and allow the pen tester to conduct authenticated manual testing for vulnerabilities. These tests cover internally facing risks and provide maximum assurance. They are also time-consuming and expensive.
You may choose the attack vectors you'd like the pen testers to test for vulnerabilities.
- Network: You provide a range of IP addresses and active hosts within that range.
- Applications: You provide production URLs and any subdomains to test for web apps, or binaries/devices/links for mobile applications, or demo/test versions of the applications that mimic the production apps and environment.
- APIs: You provide the number of API endpoints and the number of calls.
- Physical: On-site attacks to access physical network devices, and wireless access points.
- People: You may or may not provide a list of target emails. Pen testers can research social media and various open-source intelligence sources to identify target lists, buy domains that look like yours, and set up servers in the cloud to bypass your email filters and deliver phishing links to your target users and take control of their machines.
- Cloud: Pen testers will try to exploit cloud-based services, serverless functions, containers, SQL/NoSQL stores, APIs, and consoles to attack your applications.
- IoT devices: Any hardware device with an IP address is a target. If these devices are set up with default credentials, they can be an easy target of an attack.
Process and time commitment
Most pen testing companies generally follow the process below:
- Scoping call to get a quote
- Sign SOW and NDA/MSA
- Kick-off Test
- Information Gathering
- Vulnerability Scanning
- Preliminary Reporting
- Report review call
- Remediation/Retest
- Final Report
The time commitment for this process depends on the type of pen test you are pursuing.
If it's a black box test with no authentication, the tester may be able to finish most of the work without much involvement from your team during the testing period.
A whitebox test may require some involvement from your team during the test. If you have a large and complex network and access provisioning process, or if you have a complex procurement and legal contract review process, it may take more of your time to engage a third-party pen tester.
For most pen testing companies, it takes 1-4 weeks to complete a pen test depending on the size and scope of the attack vectors.
While the test itself may not take much of your time, you should allocate enough time to fix vulnerabilities that the pen test uncovers. Typical remediation cycles can take 90-180 days depending on the availability of your resources.
It's important that you budget enough time for these considerations, as well as some additional lead time, since pen test companies may not be able to start your test right away.
How often do you need a pen test?
Most auditors, and many client vendor risk managers, will require that you conduct a third-party pen test at least once a year, and often twice. You should choose a pen test partner who can accommodate pen tests at regular intervals for an affordable price. The penetration test must be completed before the end of your SOC 2 observation period in order to be included in your control matrix.
How much does a pen test cost?
The cost of a pen test can vary depending on the size of your apps, the number of attack vectors, and the type of test you choose. You will have to go through a scoping exercise to get an accurate quote. It can also depend on the pen testing company's rate card. Large pen testing companies and higher rates do not necessarily mean that you are getting top-quality results and attention. Typically these tests start at $5,000 and can go up to $15,000 depending on the scope and who you are talking to.
Your pen testing partner should match your expectations, and below is a guideline you can follow to find your match.
How to choose a pen testing company:
Anyone with an internet connection and some hacking tools can hit your systems, but here are some things to consider when evaluating a "security partner":
- Look for a CREST accredited partner: CREST is the only international certification authority that audits and approves pen testing organizations for their methodologies, processes, and client data handling practices.
- Look for testers' certifications: You may ask for the profile of the tester touching your systems and data. You should be looking for hands-on lab-based certs like OSCP, CRTP, OSCE, GXPN, GPEN, GWAPT, GAWN, GCIH, GCFA, GMOB, GCIA, GSEC, etc.
- Get a clear Statement of Work: The SOW should clearly state what's included and what's not included in the test. It should have clear timelines for deliverables. Ideally, you should choose a pen testing company with an all-inclusive fixed price. For those who wish to pay on a time and expense basis, know that pre-test research, setup, and post-test remediation retests paid on an hourly basis can quickly add up. The SOW should include an escalation and remediation process and contacts in case the testing impacts your services.
- Risk Analysis: The pen testing company shouldn't just hand you a list of vulnerabilities without any business impact analysis to reflect the reality of the risks facing your organization. They should be flexible to accommodate your risk appetite and decision to accept or not accept risks.
- Insurance Requirements: Make sure they have adequate insurance to cover any professional liability due to pen testing activities.
- Report Quality: Experienced auditors and vendor risk managers can challenge the validity of a penetration test done by inexperienced testers. If the testers do not follow industry best practices and methodologies, your report will not support legal liability and forensic cases.
Penetration testing will help you secure new clients, protect your business assets, prevent financial fraud, and avoid fines for non-compliance. It fulfills multiple purposes in a company's risk management strategy.
About Prescient Security
Prescient Security is a global top 20 penetration testing company based in New York City, offering expert Security Reviews and Security Testing Services to financial, healthcare, and high-tech clients. Prescient Security is a CREST certified security testing organization and adheres to the highest safety and security standards for handling client data. We offer Vulnerability Scanning, Continuous and Automated Penetration Testing as a Service, Agile Web App Security Testing, Red/Blue/Purple Teaming, Cloud Security Assessment, SOC 2/HIPAA/CSA STAR Audit, BCP/DR/IR Testing, Virtual/Fractional CISO, and Security Staffing. Our mission is to achieve quantifiable risk remediation and return for every dollar you invest in security. For more information on our partnership with Vanta, please visit https://prescientsecurity.com/vanta
Vanta is your automated security and compliance expert. Our continuous monitoring software and robust range of automated checks can help your company get SOC 2, HIPAA, or ISO 27001 compliance-ready fast — and also bolster your holistic security posture.