Complete Guide to Pentesting

Penetration testing is a key cybersecurity best practice. Most organizations understand the need for it, but like many things in the industry, penetration testing can be a bit confusing. This blog covers penetration testing 101, helping to uncover the basics, explain the importance of penetration testing, show you how to perform these tests, dive into the different types of tests, and help you determine which test is right for you.

What is Penetration Testing?

For those dipping their toes into the field, penetration testing is the process of hacking into your own systems and networks to identify and expose as many vulnerabilities as you possibly can, from multiple vantage points.

Why is Penetration Testing Important?

Penetration testing is a mainstay in cybersecurity for several reasons. It is most commonly used to protect the organization and its assets, but it has a lot of other benefits as well. The top five reasons why penetration testing is important are:

  1. Protecting the organization and its assets from cyber attacks

  2. Protecting customer data

  3. Reducing cyber risk

  4. Satisfying stakeholder and compliance requirements

  5. Preserving the organization’s image and reputation

The fifth reason is especially interesting as it is an emerging priority. During an era of high-profile security breaches reported on the news such as Target, Equifax, and Marriott, even the least tech-savvy person can understand the importance of cybersecurity. We now live in a world where everybody has security in the back of their mind each time they swipe a credit card or input personal information online.

How Are Penetration Tests Performed?

There are several steps in the penetration testing process. Not all firms include each step, but in a good, crowdsourced process, you can expect these 13 stages:

  1. Scoping

  2. Information gathering/planning

  3. Pen tester matching

  4. Reconnaissance/discovery/scanning

  5. Vulnerability discovery and assessment

  6. Continuous analysis and review of findings

  7. Consolidation of findings for a final report

  8. Integration into SDLC for routing findings to development teams

  9. Remediation of findings and acceptance of risk for non-remediation

  10. Retesting of fixed vulnerabilities

  11. Exploitation

  12. Analysis, reporting, and review

  13. Clean up/tear down

There are generally four different ways of performing a penetration test. The first method is internal testing, which simulates the damage that employees could unknowingly cause on your systems. The second method is external testing, which simulates the damage outside attacks could cause to your visible DNS, web servers, email servers, and firewalls. Blind testing simulates how attackers gather company information and then attack, with the tester given no prior information before starting. The final method, double-blind testing, simulates a real attack: no information is given to the penetration tester, and no notice is given widely within the organization.

Pentesting Methodologies

  1. Traditional Penetration Testing – This model comprises one or two testers working against a set methodology for a defined period, usually anywhere from three days to two weeks. Some pros of this method include it being an established budget line item, a known quantity, and best suited to targets that require physical presence to access/test. On the other hand, it is known for delays in scheduling and results, is inflexible with questionable skill fits, and is not optimized to incentivize true risk reduction.

  2. Crowdsourced Security Penetration Testing – This model, although comparatively new, is rapidly growing, utilizing a large pool of remote, pay-per-project testers. Often combined with an incentivized ‘pay for results’ approach to billing, crowdsourced testing is quickly becoming the top choice for organizations seeking more from their security testing services. Crowdsourced pentesting offers a rapid setup and time to value, real-time results, and SDLC integration. However, it is not optimized for highly sensitive targets or physical targets too big to ship, and the ‘bounty’ approach may not fit buying cycles.

  3. Internal Security Team – While often not feasible for smaller organizations, some enterprises prefer to build and maintain in-house teams of security testers. This approach allows the organization to maintain full control, setting its own testing schedule. It is best for extremely sensitive work, with little marginal cost per test. Negatives to this approach include it being fairly labor-intensive to set up and maintain, and it leaves organizations unable to retain all possible testing skills or to acquire new skills when needed.

  4. A Mixed Testing Approach – This is a combination of the above three methods to meet the specific needs of each project. This approach includes the best and worst aspects of each method, with the potential for thorough security coverage, but also a high cost and a complex setup to maintain.

So how often should you be performing penetration tests? Penetration testing should be performed regularly, at least 1-2 times per year. There is also a correlation between the type of testing you do and the frequency at which you perform penetration tests. 66% of organizations that use traditional penetration testing services test very infrequently, about once per year or less. By contrast, over half of organizations that use crowdsourced testing test at least quarterly. Organizations that test internally are the most frequent testers, with 60% testing at least quarterly.

Penetration testers are an incredible resource, but there aren’t enough in the industry for dozens of testers to work full-time at each organization. This leads to the current models for resourcing talent, such as working through traditional pen test firms and crowdsourcing experts.

How does Penetration Testing differ from Vulnerability Assessment?

| Vulnerability Assessment | Penetration Testing |
| --- | --- |
| Vulnerability assessment is focused on detecting and categorizing vulnerabilities in a system. | Penetration testing involves exploiting vulnerabilities to draw insights about them. |
| It is a mostly automated process involving vulnerability scanning tools. | Penetration testing requires manual intervention on top of automated scanning. |
| It is almost impossible to achieve zero false positives with an automated vulnerability assessment. | Manual penetration testers can ensure zero false positives. |
| Vulnerability assessment often misses critical and complex vulnerabilities. | Thanks to the human element of penetration testing, it detects business logic errors that remain undetected in a vulnerability scan. |
| Automated vulnerability assessment takes significantly less time and money than pen testing. | Penetration testing is a time-consuming and expensive procedure, and for good reason. |

OFFENSIVE-SECURITY
