Penetration testing 101
What is a penetration test?
A penetration test is an authorized, scoped assessment in which third-party security specialists attempt to discover, exploit, and report vulnerabilities and attack paths in your networks, systems, and applications. Penetration testers use the same tools and techniques as real attackers, but with your permission and within an agreed scope.
Findings rated high or critical should be remediated as soon as they are reported, to shrink the attack surface before a real attacker finds the same weaknesses.
Most security certifications and attestations, such as ISO 27001 and SOC 2, lead auditors to expect penetration testing evidence. PCI DSS requires penetration testing outright, and it is a common way of evidencing the risk analysis that laws such as HIPAA demand.
Why do you need a penetration test?
As you read this post, your company's internet-facing assets are receiving thousands of malicious connection attempts. Don't believe it? Ask your WAF provider for a recent report of the blocked IPs that have been scanning your website.
You may assume "it cannot happen to me," or that your business is too small to be an attractive target, but that thinking is itself a risk. Attackers take the path of least resistance, often going after suppliers and service companies rather than large enterprises with sizable security teams. Their motives vary: profit, activism, espionage, revenge, identity theft, intellectual property theft, or plain disruption and denial of service.
Below are a few reasons to consider a penetration test:
Protect Your Valuable Product & Customers: You are in business to earn customers' trust and serve them, and you may have raised millions to build something great. You are responsible for protecting your product and your customers' data and identities even when your application runs in the cloud; under the shared responsibility model, the application and its data remain yours to secure. Customers may ask you for evidence of an annual third-party penetration test as part of their procurement, legal, and security due diligence.
Protect Your Data: If you store PII, PHI, or cardholder data and fail to protect its security and privacy, you are exposed to steep monetary penalties from the legal and regulatory authorities in your industry. According to the Dark Web Market Price Index published in 2021, everything from credit cards, PayPal accounts, crypto accounts, social media accounts, streaming accounts, forged IDs and documents, and email dumps fetches prices ranging from $50 to $4,000 per item. Regular penetration tests can uncover misconfigurations, weak encryption, known vulnerabilities, default credentials, and sensitive data inadvertently exposed by your APIs, applications, and data stores.
Continuous Security Validation: A penetration test can verify that security controls such as your WAF or email filters actually work as advertised. It can also reveal changes, for better or worse, in your security posture as your business activities, users, employees, partners, and competitors change over time.
Meet Compliance Requirements: Regulators, insurers, and your clients' vendor risk managers often ask for a penetration test report or a tester's letter of attestation as assurance that you have a sound threat and vulnerability management practice in place.
Achieve and maintain security certifications and attestations: SOC 2 and ISO 27001 auditors expect a penetration test as evidence of a mature threat and vulnerability management practice.
The SOC 2 Trust Services Criteria's points of focus explicitly mention penetration testing as one way to identify vulnerabilities in the company's systems, which is why most auditors expect a penetration test as part of the SOC 2 process.
CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.
CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
ISO 27001 requires that a company prevent the exploitation of technical vulnerabilities. Vulnerability scanning and assessment of your network and applications will surface findings, but often with false positives and generic CVSS scores that do not reflect your actual exposure. Combining scanner output with a manual third-party penetration test gives your auditor accurate evidence for the following control.
A.12.6.1 – Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Types of penetration tests
There are two ways to think about penetration tests:
- Testing for external hacking attacks
- Testing for insider threats
These map roughly onto the black-box and white-box styles of testing:
Black box: The tester is given no test accounts or credentials for your applications or infrastructure components (databases, servers). They attack your externally facing systems with little prior knowledge, drawing on public breach databases and social logins (if present) to find and exploit exposed vulnerabilities, misconfigurations, and default settings. These tests are quick and relatively cheap, but they can only find what an anonymous outsider could.
White box: You provision test accounts and allow the tester to perform authenticated manual testing. These tests cover internally facing risks as well as external ones and provide the most assurance. They are also more time-consuming and expensive.
You may also choose which attack vectors the testers should cover:
- Network: You provide a range of IP addresses and the active hosts within that range.
- Applications: You provide production URLs and any subdomains for web applications; binaries, devices, or store links for mobile applications; or demo/test versions of the applications that mimic the production apps and environment.
- APIs: You provide the number of API endpoints and the number of calls on each.
- Physical: On-site attacks aimed at physical network devices and wireless access points.
- People: You may or may not provide a list of target emails. Testers can research social media and other open-source intelligence sources to build target lists, buy domains that look like yours, and set up servers in the cloud to bypass your email filters, deliver phishing links to your users, and take control of their machines.
- Cloud: Testers attempt to exploit cloud-based services, serverless functions, containers, SQL and NoSQL stores, APIs, and management consoles to attack your applications.
- IoT devices: Any hardware device with an IP address is a target. Devices left on default credentials are an easy win for an attacker.
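The "People" vector above mentions that testers buy domains that look like yours before phishing your users. The script below is an added example, not code from the original article or from any vendor named on this page: it generates the lookalike (typosquat) candidates an attacker would consider for a domain, so you can register or monitor them and feed the rest to your email filter. The target `example.com`, the homoglyph table, and the alternative TLD list are illustrative assumptions; real tooling uses much larger tables, and multi-part TLDs such as `.co.uk` are not handled here.

```python
"""Generate lookalike domain candidates for a target domain (added example).

A defender runs this against their own domain, then checks which candidates
already resolve. Resolving candidates are someone else's property and belong
on a watch list or an email-filter block list.
"""
import socket

# Illustrative homoglyph substitutions seen in phishing domains (assumption:
# a small table; production tooling uses far more, including Unicode).
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
# Illustrative alternative TLDs an attacker might register (assumption).
ALT_TLDS = ["com", "co", "net", "org", "io"]


def split_domain(domain):
    """Split 'example.com' into ('example', 'com'); single-label TLDs only."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError("expected a name like example.com")
    return label, tld


def lookalikes(domain):
    """Return a sorted list of lookalike candidates for `domain`."""
    label, tld = split_domain(domain)
    out = set()
    # Omission: drop one character (example -> exmple).
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # Transposition: swap two adjacent characters (example -> exapmle).
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out.add(f"{swapped}.{tld}")
    # Repetition: double one character (example -> exaample).
    for i in range(len(label)):
        out.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    # Homoglyph: replace one character with a visual twin (example -> exarnple).
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    # Hyphenation: insert a hyphen (example -> exam-ple).
    for i in range(1, len(label)):
        out.add(f"{label[:i]}-{label[i:]}.{tld}")
    # TLD swap: same label under a different TLD (example.com -> example.co).
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(f"{label}.{alt}")
    out.discard(domain.lower())
    return sorted(out)


def check_resolvable(candidates, resolve=socket.gethostbyname):
    """Return the candidates that resolve in DNS, i.e. are already in use.

    `resolve` is injectable so the function can be exercised without network
    access; by default it performs a real A-record lookup.
    """
    live = []
    for name in candidates:
        try:
            resolve(name)
        except (socket.gaierror, OSError):
            continue
        live.append(name)
    return live


if __name__ == "__main__":
    target = "example.com"  # placeholder; substitute your own domain
    candidates = lookalikes(target)
    print(f"{len(candidates)} lookalike candidates for {target}")
    for name in check_resolvable(candidates):
        print("already registered:", name)
```

Run it against your own domain only; resolving every candidate for someone else's domain is reconnaissance against them. The resolver is injected so the generation logic can be tested offline, and so you can swap in a resolver that records results to a file for periodic monitoring.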
Process and time commitment
Most penetration testing companies generally follow the process below:
- Scoping call to get a quote
- Sign SOW and NDA/MSA
- Kick-off Test
- Information Gathering
- Vulnerability Scanning
- Preliminary Reporting
- Report review call
- Remediation/ Retest
- Final Report
The time commitment for this process depends on the type of penetration test you are pursuing.
In a black-box test with no authentication, the tester can usually complete most of the work with little involvement from your team during the testing window.
A white-box test needs more of your involvement. If you have a large, complex network and access provisioning process, or a lengthy procurement and legal contract review, engaging a third-party tester will take more of your time up front.
Most penetration testing companies take one to four weeks to complete a test, depending on the size and scope of the attack vectors.
While the test itself may not take much of your time, you should allocate enough time to fix the vulnerabilities it uncovers. Typical remediation cycles take 90 to 180 days, depending on the availability of your resources.
Budget enough time for these considerations, plus some lead time, because penetration testing companies may not be able to start your test right away.
How often do you need a penetration test?
Most auditors, and many client vendor risk managers, will require a third-party penetration test at least once a year, and some ask for two. Choose a penetration testing partner that can run tests at regular intervals for an affordable price. The test must be completed before the end of your SOC 2 observation period to be included in your control matrix.
How much does a penetration test cost?
The cost of a penetration test varies with the size of your applications, the number of attack vectors, and the type of test you choose, so you will have to go through a scoping exercise to get an accurate quote. It also depends on the testing company's rate card; a large company and a high rate do not guarantee top-quality results or attention. Typically these tests start at $5,000 and can go up to $15,000 depending on the scope and the vendor.
Your penetration testing partner should match your expectations; the guidelines below will help you find the right match.
How to choose a penetration testing company:
Anyone with an internet connection and some hacking tools can hit your systems, so here are some things to consider when evaluating a "security partner":
- Look for a CREST accredited partner: CREST is an international accreditation body that audits and approves penetration testing organizations for their methodologies, processes, and client data handling practices.
- Look for testers' certifications: Ask for the profile of the tester who will be touching your systems and data. Look for hands-on, lab-based certifications such as OSCP, CRTP, OSCE, GXPN, GPEN, GWAPT, GAWN, GCIH, GCFA, GMOB, GCIA, and GSEC.
- Get a clear Statement of Work: The SOW should state clearly what is and is not included in the test, with firm timelines for deliverables. Ideally, choose a company that offers an all-inclusive fixed price. If you pay on a time-and-materials basis, be aware that pre-test research, setup, and post-remediation retests billed hourly can add up quickly. The SOW should also include an escalation and remediation process, with contacts, in case the testing impacts your services.
- Risk Analysis: The testing company should not just hand you a list of vulnerabilities; it should include a business impact analysis that reflects the real risks facing your organization, and it should be flexible enough to accommodate your risk appetite and your decisions to accept or not accept individual risks.
- Insurance Requirements: Make sure the company carries adequate professional liability insurance to cover its penetration testing activities.
- Report Quality: Experienced auditors and vendor risk managers can challenge the validity of a test done by inexperienced testers. If the testers do not follow industry-standard methodologies (for example the OWASP Testing Guide, PTES, or NIST SP 800-115), the report will not hold up when challenged, whether by an auditor or in a legal or forensic proceeding.
Penetration testing helps you secure new clients, protect your business assets, prevent financial fraud, and avoid fines for non-compliance. It serves multiple purposes in a company's risk management strategy.
About Prescient Security
Prescient Security is a global top 20 penetration testing company based in New York City, offering expert security reviews and security testing services to financial, healthcare, and high-tech clients. Prescient Security is a CREST certified security testing organization and adheres to the highest safety and security standards for handling client data. We offer Vulnerability Scanning, Continuous and Automated Penetration Testing as a Service, Agile Web App Security Testing, Red/Blue/Purple Teaming, Cloud Security Assessment, SOC 2/HIPAA/CSA STAR Audit, BCP/DR/IR Testing, Virtual/Fractional CISO, and Security Staffing. Our mission is to achieve quantifiable risk remediation and return for every dollar you invest in security. For more information on our partnership with Vanta, please visit https://prescientsecurity.com/vanta.
Vanta is your automated security and compliance expert. Our continuous monitoring software and robust range of automated checks can help your company get SOC 2, HIPAA, or ISO 27001 compliance-ready fast — and also bolster your holistic security posture.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global standard maintained by the PCI Security Standards Council, which was founded by the major card brands. Compliance is contractually mandatory for any business that accepts card payments.
When planning how to implement and maintain PCI compliance, your organization needs to understand whether it is a Merchant or a Service Provider, and whether a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) applies to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
SAQ A applies to card-not-present Merchants (e-commerce, mail order, or telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party Service Providers, with no electronic storage, processing, or transmission of cardholder data on the Merchant's own systems or premises.
SAQ A-EP is similar to SAQ A but applies to e-commerce Merchants whose website does not itself receive cardholder data yet controls how customers are redirected to a PCI DSS validated third-party payment processor, so the Merchant's site can still affect the security of the transaction.
SAQ D includes over 200 requirements and covers the entirety of PCI DSS; it applies to Merchants that do not fit any other SAQ. If you are a Service Provider, SAQ D is the only SAQ you are eligible to complete.
A Report on Compliance (ROC) is an annual assessment, performed by a Qualified Security Assessor, that determines your organization's ability to protect cardholder data. If you are a Merchant processing more than six million transactions annually, or a Service Provider processing more than 300,000 transactions annually, your organization must complete both a ROC and an Attestation of Compliance (AOC).