Strike Graph security compliance blog

Pen test FAQs

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Apr 20, 2021 7:00:00 AM

Penetration testing (also known as “pen testing” or “ethical hacking”) is an authorized, simulated attack on a company’s computer system, network, or web application with the goal of identifying vulnerabilities that an unethical attacker could exploit. Organizations willingly subject themselves to this test, conducted by a cybersecurity expert, to gain valuable information so that they can address weaknesses or vulnerabilities in their systems.

What happens during a pen test? Do I need to prepare?

During a pen test, an ethical hacker or pen tester will simulate an attack to enter your system. To get in, they may use social engineering attacks, SQL injections, brute force attacks, or even find public information about the organization and its systems. Once inside, they will move around the network and attempt to gain as much access at the most sensitive levels as possible. The pen tester will also determine how long it takes an internal security team to notice that they are in the network, and then will try to clear any trace that they have been in the system.

To prepare, you need to agree on the scope of the pen test. You may need to provide the pen tester with data about your system and an ID, and they may send you hardware to attach to the network so that they can gain access to it.

After the pen test, findings will be shared with management and the IT team. The findings should be used to address and remediate any vulnerabilities found in the system during the test. The test results are typically rated by severity, and it is always a good idea to close any critical, high, or severe findings as soon as possible.

A pen test should be performed at least annually or when one of the following occurs:

  • The addition of, or a significant change to, infrastructure or applications
  • The modification of end-user access policies (permissions or roles)

Some organizations with a small budget and a fairly static environment and code base may have a case for a pen test every other year. However, compliance or regulatory factors may require annual testing.

How do I find a pen tester? Does a pen tester need to be ‘certified’?

A web search for pen test services will produce many results. Sometimes it is easier to get a referral from a friend or peer at a similar organization, or even from an auditor. If you are a Strike Graph customer, we can provide you with a pen test. Before diving in, know your budget, what will be in scope, and how soon you need the test performed. This information will help narrow your choices to one or two services. Then look for a service with a few certified pen testers on staff. In order to provide a report, the pen tester is required to have a certification from an organization like SANS or ISC2.

When not summarized in a report, results straight from a tool (like Nessus) can be confusing to interpret. Your pen tester will write a report that presents the findings in a digestible format that can be used to secure an organization’s valuable network and application assets. The report will summarize each finding, provide risk ratings, and prioritize recommendations on how to close each finding. The report can also lead to more secure development practices by raising awareness of the growing need to build secure applications.

How do I know what kind of pen test to get? 

There are different types of pen testing methods used by ethical hackers. The depth of the test may be dictated by your budget, scope, or regulatory considerations. It comes down to what is being targeted and what is asked for. Applying a risk-based approach when deciding what to target can be helpful. For example, an increase in attack surface due to the addition of a new product or a change in the network architecture may be a good time for a pen test.

Knowing a bit about the different approaches to pen testing may help in determining how deep a test to request:

  • Black box - The pen tester has no knowledge of the system and goes in blind. This type of testing can be very time consuming and resembles a trial-and-error approach. This type of pen test is typical for SOC 2 or other audits.
  • White box - The pen tester has full knowledge of the system and can gain more access because, instead of guessing where to look for vulnerabilities, they can go straight to an app or area of the network. This is usually an internal pen test.
  • Gray box - The pen tester has some knowledge of the system and uses it to gain more and more access. This test is also typical for a SOC 2.

How much does a pen test cost?

The cost of penetration testing starts at around $3,000 and goes up depending on the size of the network and what will be in scope. For a start-up undergoing rapid product development, budget at least $10,000. With Strike Graph, we can provide you with a pen test.

Is a pen test the same as a vulnerability scan? Do I need both?

A pen test simulates an outsider or hacker gaining access to the organization’s environment. The goal is to assess how security is managed within a system. Pen tests utilize a formal repeatable process to infiltrate, exploit and ultimately report on a target.

A vulnerability scan is a subset of pen test activities and is designed to test a network and related systems against a known set of common vulnerabilities. It is typical to run vulnerability scanning at a more frequent cadence than a pen test.

Both result in actionable items; however, a pen test simulates a ‘live’ threat or attack, whereas a vulnerability scan looks for weaknesses already present in your system. A well-rounded security program will perform both types of tests.

Will my SOC 2 audit require a pen test?

Yes, you will need a pen test for your SOC 2 audit. As noted, there are a few different types of pen tests. If you are unsure which to get, ask your auditor to clarify. The following should always be in scope: network services, web application, and client side. The following should be considered: wireless, social engineering, and physical penetration testing. In addition to a pen test, you may determine that periodic vulnerability scans will address your unique IT risks. Your auditor may also ask to see the results of your vulnerability scan.