Penetration testing (also known as “pen testing” or “ethical hacking”) is an authorized, simulated attack on a company’s computer system, network, or web application, with the goal of identifying vulnerabilities that a malicious attacker could exploit. Organizations willingly subject themselves to this test, conducted by a cybersecurity expert, to gain valuable information so that they can address weaknesses or vulnerabilities in their systems.
During a pen test, an ethical hacker or pen tester will simulate an attack to enter your system. To get in, they may use social engineering, SQL injection, brute force attacks, or even publicly available information about the organization and its systems. Once inside, they will move around the network and attempt to gain as much access, at the most sensitive levels, as possible. The pen tester will also measure how long it takes the internal security team to notice that they are in the network, and will then try to clear any trace that they have been in the system.
To prepare, you need to agree on the scope of the pen test. You may need to provide the pen tester with data about your system and with an ID, and they may send you hardware that will be attached to the network to give them access.
After the pen test, the findings will be shared with management and the IT team. The findings should be used to address and remediate any vulnerabilities found in the system during the test. Results are typically rated by severity, and it is always a good idea to close any critical, high, or severe findings as soon as possible.
A pen test should be performed at least annually or when one of the following occurs:
Some organizations with a small budget and a fairly static environment and code base may have a case for a pen test every other year. However, compliance or regulatory factors may require annual testing.
A web search for pen test services will produce many results. Sometimes it is easier to get a referral from a friend or peer at a similar organization, or even from an auditor. If you are a Strike Graph customer, we can provide you with a pen test. Before diving in, know your budget, what will be in scope, and how soon you need the test performed. This information will help narrow your choices to one or two services. Then look for a service with a few certified pen testers on staff. In order to provide a report, the pen tester is required to have a certification from an organization like SANS or ISC2.
When not summarized in a report, raw results straight from a tool (like Nessus) can be confusing to interpret. Your pen tester will write a report that presents the findings in a digestible format and can be used to secure an organization’s valuable network and application assets. The report will summarize each finding, provide risk ratings, and prioritize recommendations on how to close each finding. The report can also lead to more secure development practices by raising awareness of the need to build secure applications.
There are different types of pen testing methods used by ethical hackers. The depth of the test may be dictated by your budget, scope, or regulatory considerations. It comes down to what is being targeted and what is asked for. Applying a risk-based approach when deciding what to target can be helpful. For example, an increase in attack surface due to the addition of a new product or a change in the network architecture may be a good time for a pen test.
Knowing a bit about the different approaches to pen testing may help in determining how deep a test to request:
The cost of penetration testing can run anywhere from $3,000 upward, depending on the size of the network and what will be in scope. For a startup undergoing rapid product development, budget at least $10,000. With Strike Graph, we can provide you with a pen test.
A pen test simulates an outsider or hacker gaining access to the organization’s environment. The goal is to assess how security is managed within a system. Pen tests use a formal, repeatable process to infiltrate, exploit, and ultimately report on a target.
A vulnerability scan is a subset of pen test activities and is designed to test a network and related systems against a known set of common vulnerabilities. It is typical to run vulnerability scanning at a more frequent cadence than a pen test.
Both result in actionable items; however, a pen test simulates a ‘live’ threat or attack, whereas a vulnerability scan looks for weaknesses already present in your system. A well-rounded security program will perform both types of tests.
Yes, you will need a pen test for your SOC 2 audit. As noted, there are a few different types of pen tests. If you are unsure which to get, ask your auditor to clarify. The following should always be in scope: network services, web application, and client side. The following should be considered: wireless, social engineering, and physical penetration testing. In addition to a pen test, you may determine that periodic vulnerability scans will address your unique IT risks. Your auditor may also ask to see the results of your vulnerability scans.