Penetration Testing: Understanding the Basics

1. What is Penetration Testing?

A penetration test is an authorized effort to simulate an attack on an information system, generally a computer network and/or application(s). Penetration testing replicates a real-world attack and demonstrates the effectiveness of an organization’s security measures in preventing or reducing the likelihood of a security breach.

Traditionally, a penetration test is performed through a combination of automated tools and manual effort, and it culminates in a report that details the vulnerabilities found, how they were exploited, and recommendations for remediating them.

2. What are the types of penetration tests?

There are many different types of penetration tests, but the most prominent types are:

External Network Penetration Test: A test conducted from the internet, with no prior access, that attempts to gain unauthorized entry to the network. The tester identifies vulnerabilities in internet-facing IP addresses and the services exposed on them, then attempts to circumvent perimeter security controls and exploit those vulnerabilities.

Internal Network Penetration Test: A test conducted from inside the network, typically from the position of an authenticated user or of an attacker who has already obtained a foothold on a workstation, in which the tester attempts to circumvent internal security controls, escalate privileges, and gain access to restricted parts of the internal network.

Web Application Penetration Test: Efforts to test web applications through black-box (no prior knowledge or credentials), gray-box (partial knowledge, such as user credentials or documentation), and/or white-box (full knowledge, including source code) techniques.

Generally, the intent of a web application penetration test is to assess the security of a browser-based application. It includes efforts to gain access to sensitive and protected data, to escalate privileges vertically (for example, from a normal user to an administrator), to move horizontally into other users' data or other restricted components of the application, and, through the findings, to gauge the efficacy of the organization's software development lifecycle (SDLC).

Mobile Application Penetration Testing: Like web applications, mobile applications are susceptible to compromise, both in the client that runs on the device and in the backend services it communicates with. Using techniques similar to those for web applications, mobile application testing is intended to verify the effectiveness of the security controls deployed across the application, as well as the effectiveness of the organization's SDLC and associated practices.

API Testing: Increasingly, application programming interfaces (APIs) are used to allow disparate applications and other pieces of software to connect with one another, and this intermediary should be tested to ensure that neither application introduces security vulnerabilities to the other. APIs are also commonly the engine behind web applications, but they have their own set of challenges and best practices (for example, enforcing authentication and authorization on every endpoint rather than relying on the front end to hide them).

Network Segmentation Testing: Increasingly, organizations segment their networks to improve performance, increase security, and reduce the size and complexity of the network(s) subject to regulatory or legal compliance obligations (PCI DSS is the most common one). Network segmentation testing is intended to verify that segmentation has been effectively deployed and, in many cases, that it complies with the relevant regulatory standards and frameworks. In practice, this means attempting to reach the in-scope systems (for example, the cardholder data environment) from every out-of-scope segment and confirming that only the explicitly permitted connections succeed.
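As an added example (not part of the original article and not risk3sixty's methodology), the following Python script shows how a segmentation check is actually carried out: from a host in an out-of-scope segment, attempt TCP connections to each in-scope host and port, then compare what was reachable against the flows the segmentation design is supposed to permit. The segment name "corporate", the host 10.10.0.5 and the allow-list are hypothetical placeholders for a real test plan. The point a practitioner cares about is in the classification: a refused connection still means the traffic got an answer, so only dropped traffic (a timeout) is evidence that the boundary is enforced.

```python
import socket

# Hypothetical test plan: the out-of-scope "corporate" segment may reach the
# in-scope host 10.10.0.5 on 443 only. Names and addresses are placeholders,
# not from the original article; substitute the real segmentation design.
ALLOWED_FLOWS = {
    ("corporate", "10.10.0.5", 443),
}


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP connect attempt from the tester's position.

    open     - handshake completed, a service answered
    closed   - a refusal (RST / ICMP port unreachable) came back: either the
               target itself answered, so the segment boundary was crossed,
               or a device in the path rejected instead of dropping; verify
    filtered - timeout or no route: the traffic was dropped, which is what a
               correctly segmented network should produce
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:   # must precede OSError (its parent)
            return "closed"
        except OSError:                  # socket.timeout, EHOSTUNREACH, ...
            return "filtered"


def evaluate(source_segment, observations, allowed=ALLOWED_FLOWS):
    """Compare probe results with the allow-list and return findings.

    observations maps (host, port) -> state from tcp_probe. Any destination
    that answered at all (open or closed) without being an allowed flow is a
    segmentation failure; an allowed flow that was filtered is worth a look
    because it usually means the test was run from the wrong position.
    """
    findings = []
    for (host, port), state in sorted(observations.items()):
        permitted = (source_segment, host, port) in allowed
        if state == "filtered":
            if permitted:
                findings.append(f"WARN {host}:{port} allowed but filtered")
            continue
        if not permitted:
            findings.append(f"FAIL {host}:{port} {state} from {source_segment}")
    return findings


def sweep(source_segment, hosts, ports, timeout=1.0):
    """Probe every host:port pair and evaluate the result."""
    observations = {(h, p): tcp_probe(h, p, timeout) for h in hosts for p in ports}
    return observations, evaluate(source_segment, observations)


def local_demo():
    """Run the sweep against this machine so the example works offline.

    A throwaway listener stands in for an in-scope service; a second port with
    nothing listening shows that a refusal still counts as reachable.
    Returns (observations, findings, open_port, closed_port).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind and immediately release a second ephemeral port; the kernel will
    # not hand out open_port again while the listener still holds it.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    try:
        observations, findings = sweep(
            "corporate", ["127.0.0.1"], [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return observations, findings, open_port, closed_port


if __name__ == "__main__":
    obs, found, *_ = local_demo()
    for key, state in obs.items():
        print(f"{key[0]}:{key[1]} -> {state}")
    print("\n".join(found) or "no segmentation findings")
```

Run against the real environment, `sweep` would be executed from a host in each out-of-scope segment in turn, with the full port range rather than two ports, and the findings compared against the documented segmentation design; a single TCP connect sweep is deliberately simple and does not replace UDP and ICMP checks or a test of the firewall rule base itself.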

3. Why would I conduct a penetration test?

Penetration testing is a best practice for organizations managing networks and/or applications.

Some compliance frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), explicitly require penetration testing to be conducted at least annually and after any significant change to the network and/or application environment. Finally, many B2B service providers are required by their customers to demonstrate an effective vulnerability management program, and regular penetration testing is a standard part of that evidence.

4. Who performs penetration testing?

Generally, organizations leverage third-party security consulting services firms such as risk3sixty to perform their penetration testing.

To ensure the penetration testing is sufficient, it is important to use qualified staff, which generally means individuals who are both trained and have first-hand experience with penetration testing. Similarly, it is important that the individual or team conducting the penetration test is in no way responsible for the development or operation of the network or applications subject to the testing.

This ensures there are no conflicts of interest and that the independence of the results cannot be called into question.

5. How much does Penetration Testing cost?

It is difficult to provide estimates, because the level of effort for a network penetration test differs from that of an application penetration test, and no two networks or applications are identical. Similarly, no two vendors apply the same level of effort or fee structure to a network or application penetration test, which makes selecting a penetration testing partner a difficult endeavor.

That being said, at risk3sixty a traditional network penetration test of simple-to-moderate scope is between $8,000 and $13,000, and a web application penetration test of simple-to-moderate scope is between $8,000 and $16,000 for a single application.
