The Accessible Guide to Penetration Testing
by Reflare Research Team on Sep 7, 2022 7:43:00 PM
For years, penetration testing was viewed primarily as an activity for large and complex companies. Now that it is significantly more accessible, smart (and less sophisticated) businesses are baking it into their business-as-usual activities even as early as the point of their creation.
First Published 7th September 2022
One of our professional penetration testers, exploiting CVE-2021-44228, 2022. Colourized.
Pen testing for all
These days, it is hard to attend any tech event without people talking about their start-up. While it is always great to hear about their entrepreneurship journey and success stories, we often get security-related questions directed to us by these budding entrepreneurs. As many of these companies are in highly regulated industries, some of the most common questions (and misconceptions) thrown at us are related to penetration testing.
For many years, smaller organisations believed penetration testing was a) beyond their reach, and b) beyond their requirements. However, with the significant surge in 'digital transformation initiatives' for incumbent firms, and the seemingly unstoppable momentum of highly disruptive tech start-ups being launched, smart companies are implementing such testing earlier in their journeys.
Yet there are still many organisations that haven't given enough consideration to what it would look like if they brought penetration testing into their fold.
Subsequently, we decided to put together a list of the most frequent penetration testing questions we get. Though the list is not exhaustive, we hope it will answer the questions that some of our readers (that's you) may have.
What is penetration testing?
Penetration testing, also known as pen testing, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. Pen tests help identify what data may be exposed in an actual attack and can help you determine how to protect your systems against various types of attacks.
Why does my company need penetration testing?
There are many reasons why a company might need penetration testing. Some of the more common reasons include:
- to find and fix vulnerabilities in the system before an attacker can exploit them,
- to assess the effectiveness of the current security measures, or
- to test the security team's response in the event of an attack.
What is ISO 27001, and what does it have to do with penetration testing?
ISO 27001 is an international standard that describes best practices for an information security management system (ISMS), which is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and technology. Penetration testing is often performed as part of an ISO 27001 compliance program.
What are the differences between penetration testing and vulnerability assessment?
There are a few critical differences between penetration testing and vulnerability assessment.
Firstly, vulnerability assessment is typically carried out using automated tools, whereas penetration testing is carried out manually by experienced security testers.
Secondly, vulnerability assessment focuses on identifying vulnerabilities within a system, whereas penetration testing also includes exploiting these vulnerabilities to assess the system's security.
Finally, penetration testing is generally more expensive and time-consuming than vulnerability assessment.
You should perform both a vulnerability assessment and penetration testing to ensure the security of your system. A vulnerability assessment will identify potential security risks and vulnerabilities, while a penetration test will attempt to exploit those vulnerabilities to determine whether or not your system is vulnerable.
Should we get our engineers to perform the penetration testing or hire a third party?
There are pros and cons to both internal and third-party penetration testing. Internal penetration testing may be less expensive, but it may also be less effective. Internal testers may be familiar with the organisation's systems and procedures and may not be as objective as third-party testers.
Third-party penetration testing may be more expensive, but it may also be more effective. Third-party testers are more likely to be objective and have more expertise in penetration testing than internal testers.
We keep hearing about penetration testing scope, but what do people mean by that, and why is it important?
A penetration testing scope is the range of systems and applications that will be tested for vulnerabilities. The scope will typically be defined by the organisation requesting the penetration test.
Having a scope is necessary to define the test's parameters and ensure that all stakeholders know what is being tested. Without a scope, it would be difficult to determine which systems and applications are in scope for testing and which are out of scope.
This could lead to vulnerabilities being missed during the penetration test or systems and applications outside of the scope being tested, which could cause disruptions to business operations.
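The two failure modes described above (in-scope assets that go untested, and out-of-scope assets that get tested) can be checked mechanically before an engagement starts. The following is an added example, not code from the original article; the function names, the scope lists and the planned targets are constructed for illustration and use documentation-only address ranges.

```python
import ipaddress

# Constructed scope document (documentation address ranges, not real targets).
IN_SCOPE = ["192.0.2.0/24", "198.51.100.16/28"]
EXCLUDED = ["192.0.2.200/29"]  # e.g. a fragile production system carved out of the range

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def classify(target, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Return 'in-scope', 'excluded' or 'out-of-scope' for one IP address."""
    ip = ipaddress.ip_address(target)
    if any(ip in n for n in _nets(excluded)):
        return "excluded"  # explicit exclusions win over inclusions
    if any(ip in n for n in _nets(in_scope)):
        return "in-scope"
    return "out-of-scope"

def review_plan(planned, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Compare a planned target list with the agreed scope.

    Returns (approved, rejected, untested_ranges):
      approved        - targets the tester may touch
      rejected        - targets that must be removed from the plan
      untested_ranges - in-scope networks with no approved target (coverage gap)
    """
    approved, rejected = [], []
    for t in planned:
        if classify(t, in_scope, excluded) == "in-scope":
            approved.append(t)
        else:
            rejected.append(t)
    covered = {ipaddress.ip_address(t) for t in approved}
    untested = [str(n) for n in _nets(in_scope)
                if not any(ip in n for ip in covered)]
    return approved, rejected, untested

if __name__ == "__main__":
    plan = ["192.0.2.10", "192.0.2.201", "203.0.113.5"]  # constructed plan
    print(review_plan(plan))
```

Running the review on both the client's and the tester's side before work begins gives each stakeholder the same answer about what will and will not be touched.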
Can we perform penetration testing against our AWS infrastructure?
Yes, you can perform penetration testing against your AWS infrastructure. However, it is worth reviewing AWS's pen testing terms and conditions before doing so to ensure that their systems and customers are not adversely affected, and that you (and your tester) will abide by their penetration testing policy.
What do we need to consider before hiring a third party?
There are a few things you should consider before hiring a third-party penetration tester:
Insurance.
Make sure the tester has liability insurance. This will protect you in case something goes wrong during the testing process.
Knowledge.
Make sure the tester has a good understanding of your network and systems. The tester should be able to provide a detailed report of their findings.
Confidentiality.
Ensure the tester is willing to sign a non-disclosure agreement (NDA). This will protect your company's confidential information.
What does a penetration testing process typically look like?
The process of penetration testing typically includes four steps:
Information gathering.
Here, the tester attempts to gather as much information as possible about the target system. This may include active reconnaissance (e.g., port scanning) or passive reconnaissance (e.g., reviewing public information about the target system).
Vulnerability identification.
In this step, the tester identifies potential vulnerabilities in the target system. This may be done manually or by using automated tools.
Exploitation.
This is where the tester exploits the identified vulnerabilities to gain access to the target system.
Reporting.
In this step, the tester provides a detailed report of the findings, including any vulnerabilities exploited and any sensitive data accessed.
What should we include in our penetration testing contract agreement?
In your penetration testing contract agreement, you should include:
The scope of the engagement.
This should include what systems will be tested, the types of tests that will be performed, and the time frame for the engagement.
The level of access.
Work with your team to establish the penetration tester's level of access to the systems under the test scope. This should be clearly defined to avoid any misunderstanding.
The expectation for deliverables.
Spend time predefining the specific deliverables you want the penetration tester to provide. This should include a report of the findings and any recommendations for remediation.
The confidentiality agreement.
This should stipulate that the penetration tester will not disclose any information about the systems under test without prior written consent.
The terms and conditions of the engagement.
Ensure you consult your governance and compliance departments for their input. This should include the payment terms and any other relevant legal agreements.
What should we expect to be included in a penetration testing report?
A penetration testing report should include an executive summary, a list of findings, and a list of recommendations. The executive summary should provide an overview of the findings and recommendations. The list of findings should detail the vulnerabilities found, and the list of recommendations should guide how to remediate the vulnerabilities.
However, do not lose sight of the fact that your penetration test report only points out your weaknesses at a single point in time. You are also responsible for proactively staying up to speed on emerging trends and analysis in cybersecurity.