Penetration testing is a service where your external and internal resources are tested for security flaws. By assessing your external and internal risk, your organization can quickly identify remediation steps and any areas for improvement. A penetration test can be completed multiple ways but requires qualified expertise with accessible resources to be beneficial. Below, we’ll evaluate penetration testing criteria through assessing resourcing and methodology, while also seeing the different types of services and associated costs.
Steps to conducting a Penetration Test
The penetration test will generally follow the high-level steps below. The thoroughness of the testing will vary according to the skills of the tester, but the overall methodology should look the same.
1 Information Gathering
- Identify restricted hosts (i.e., systems and devices not to be tested)
- Perform reconnaissance on target infrastructure via social media (e.g., LinkedIn, Facebook)
- Execute user enumeration to identify valid user accounts
- Conduct Google Hacking to identify potentially exposed infrastructure
- Harvest compromised password databases to assist with password profiling and password reuse attacks
2 Discovery and Vulnerability Scanning
2.1 Infrastructure Security Testing
- Perform comprehensive port scanning, fingerprinting of services and applications
- Use automated scanning tools & technologies to identify publicly known operating system and application vulnerabilities (Network-based or Authenticated Scans)
- Manual validation of findings, removing false-positive items and low-confidence findings where applicable
- Manual vulnerability testing using commercial and/or custom tools
2.2 Application Security Testing
- Comprehensive mapping & manual crawling of the web applications to ensure coverage
- Automated discovery of vulnerabilities using various commercial grade tools
- Manual validation of automated security testing results
- Manual testing for hard to find vulnerabilities including but not limited to: business logic, session handling, file upload functions, race conditions, hash-length extension, bit flipping attacks and authorization flaws
- Comprehensive coverage of PCI-DSS 6.5, OWASP Top 10:2017 and Sans Top 25.
3 Application and Network Layer Penetration Testing
- Exploit vulnerabilities on affected hosts utilizing penetration-testing tools and manual testing techniques
- Attempt to escalate privileges and/or gain unauthorized access
- Attempt to pivot from compromised systems to other internal systems
Choosing a Penetration Testing service
Depending on the purpose of the penetration testing (compliance or for customer confidence), you may choose to complete testing in-house or utilize an external third party. If you depend on in-house skills, you should ensure the tester holds equal or higher qualifications than the external third party to ensure no risks are missed.
If you choose a third-party, you should validate their qualifications to ensure you’re receiving the most value for your investment.
Types of Penetration Tests
There are three different types of penetration tests offered. Each vary in information provided by the organization to the tester. With more information offered, less time is required for the tester which results in lower costs.
- Black box – no access to any information about the environment
- Grey box – high level information provided
- White box – complete open access to the environment
For more information on the three types, please read our Black-Box vs Grey-Box vs White-Box Penetration Testing article.
Cost of a Penetration Test
The cost of a penetration test can differ dramatically depending on the type chosen, the scope (e.g., how many assets are being tested), and the methodology (the thoroughness of the testing). In total, there are 7 factors that affect the cost of a penetration test. If you’re looking for a quote, reach out to a prospective third-party penetration testing company and provide them with the following details:
- Number of assets (IPs) to be tested (internal and external depending on requirements)
- Number of web applications and their corresponding page account. Providing a demo account is usually enough for a vendor to login and assess requirements. If you can’t provide a demo, screenshots will also suffice
- The number of roles for the web application. If you have an admin role and a user role, that would be two roles
We hope the information above educated you in the penetration testing process. If you have any additional questions, you can visit our Penetration Testing frequently asked questions blog, or book a meeting with us to learn more about how we can help.