With threats evolving at a rapid rate, it’s important to continually assess your organisation’s cyber security.
Penetration testing is a key way to identify gaps in your organisation’s defences, but with many different types of penetration testing available, it can be difficult to know which to choose.
This guide will help you select the right test for your business and understand the information required by a pen test provider to scope and price any potential engagement.
Pen Testing – the basics
A penetration test is an ethical cyber security assessment that identifies, safely exploits and helps to eliminate vulnerabilities across an IT environment in order to mitigate cyber security risk.
It is recommended that all organisations commission a pen test at least once a year, with additional tests in the event of significant infrastructure changes, new application or product launches, mergers and acquisitions, or as part of compliance preparations.
Choosing the right pen test
The types of penetration testing available to your business are numerous. The factors below should be considered when searching for the right pen test.
Before choosing a type of penetration test it’s important to first establish what exactly you hope to achieve. It may be that you want to test a particular system or application for vulnerabilities, simulate a real-life cyber-attack to assess detection and response capabilities, or replicate a specific attack scenario, such as an insider threat.
It’s important to focus your security budget on the right areas in order to maximise potential benefits. If you only have the budget for a two-day assessment, for example, it makes sense to focus testers’ attention on the areas at greatest risk.
Compliance regulations may dictate the types of penetration test that your business needs. For example, for PCI DSS compliance, organisations that process card payments must undertake internal and external pen testing to assess the security of the cardholder data environment.
Types of penetration testing
The list below outlines the most popular penetration testing types as well as the information commonly requested by pen test providers to help scope an assessment. Pen tests vary in focus, duration, depth and secrecy, so it’s important to ensure that any details supplied are correct in order to receive an accurate quotation.
Network Penetration Testing
An assessment of internal and external network infrastructure designed to test on-premises and cloud networks, firewalls, system hosts, and devices such as routers and switches.
Information required to scope a network pen test:
• Number of external IPs to be tested and number of those that are live
• Number of internal IPs and internal hosts to be tested
• Subnet size of network(s)
• Number of physical locations
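The figures above are easy to get wrong when a scope arrives as a mixed list of CIDR blocks and single addresses: nested ranges get counted twice, private ranges get listed as "external", and a discovery scan turns up responders that were never in the agreed ranges. The following script is an added example, not Redscan's tooling or anything from the original page; it sizes a constructed sample scope with Python's standard ipaddress module and checks a constructed discovery result against it. Treating RFC 1918 and IPv6 unique local space as "internal" is an assumption made here, as are the sample addresses, which are documentation and private ranges only.

```python
"""Size and sanity-check a network pen test scope.

Added example, not Redscan's tooling. Given the raw target list a customer
might hand a provider (CIDR blocks and single addresses, constructed here),
it produces the figures the scoping questions ask for: internal versus
external address counts after collapsing overlaps, and how many of a
discovery scan's responders fall inside the agreed ranges. "Internal" is
taken to mean RFC 1918 / ULA space, an assumption rather than a rule.
"""
import ipaddress

# Ranges treated as internal: RFC 1918 IPv4 and IPv6 unique local addresses.
PRIVATE_BLOCKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample scope; documentation and private addresses only.
SAMPLE_SCOPE = [
    "203.0.113.0/28",   # public range offered as external
    "203.0.113.5",      # single host already inside the /28 above
    "198.51.100.10",    # single public host
    "10.0.0.0/24",      # office LAN
    "10.0.0.0/25",      # nested in the /24: must not be counted twice
    "192.168.10.0/26",  # branch office
]

# Constructed discovery-scan result for the external ranges.
SAMPLE_LIVE = ["203.0.113.1", "203.0.113.9", "198.51.100.10", "198.51.100.11"]


def parse_targets(entries):
    """Parse strings into networks; a bare address becomes a /32 or /128."""
    nets = []
    for entry in entries:
        entry = entry.split("#", 1)[0].strip()  # allow trailing comments
        if entry:
            # strict=False tolerates host bits set, e.g. "10.0.0.5/24"
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_internal(net):
    """True when the whole range sits inside one of the private blocks."""
    return any(
        net.version == block.version and net.subnet_of(block)
        for block in PRIVATE_BLOCKS
    )


def summarise_scope(entries):
    """Collapse overlaps, split internal/external and count addresses."""
    nets = parse_targets(entries)
    collapsed = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        # collapse_addresses merges nested and adjacent ranges so that a
        # /25 listed alongside its parent /24 is counted once
        collapsed.extend(ipaddress.collapse_addresses(same))
    external = [n for n in collapsed if not is_internal(n)]
    internal = [n for n in collapsed if is_internal(n)]
    return {
        "external_ranges": [str(n) for n in external],
        "external_addresses": sum(n.num_addresses for n in external),
        "internal_ranges": [str(n) for n in internal],
        "internal_addresses": sum(n.num_addresses for n in internal),
        # entries that were duplicates of, or nested inside, another entry
        "redundant_entries": len(nets) - len(collapsed),
    }


def live_hosts_in_scope(entries, live_addresses):
    """Count discovery-scan responders inside the scope; return the strays.

    A responder outside the agreed ranges is a scoping error (wrong range
    supplied, or a neighbour's address) and must be resolved before testing.
    """
    nets = parse_targets(entries)
    in_scope, out_of_scope = 0, []
    for addr in live_addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip.version == n.version and ip in n for n in nets):
            in_scope += 1
        else:
            out_of_scope.append(addr)
    return in_scope, out_of_scope


if __name__ == "__main__":
    for key, value in summarise_scope(SAMPLE_SCOPE).items():
        print(f"{key}: {value}")
    live, stray = live_hosts_in_scope(SAMPLE_SCOPE, SAMPLE_LIVE)
    print(f"live external hosts in scope: {live}, outside scope: {stray}")
```

On the sample scope the six entries collapse to four ranges (17 external and 320 internal addresses), and one of the four responders in the constructed scan result lies outside the scope and would need to be queried with the customer before any testing starts. The live-host count itself still has to come from a discovery scan; the script only sizes the ranges and checks the scan against them.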
Wireless Penetration Testing
A test of an organisation’s wireless local area network (WLAN) and/or wireless protocols, including Bluetooth, ZigBee and Z-Wave. Helps to identify rogue access points, weaknesses in encryption and WPA vulnerabilities.
Information required to scope a wireless pen test:
• Number of wireless networks to be tested
• Whether guest WiFi is included
• Number and locations of sites
• Number of unique SSIDs
Web Application Testing
A test of websites and custom web applications delivered over the internet, seeking to identify issues resulting from weaknesses in design, coding and development practices.
Information required to scope a web app test:
• Number and type of web applications to be tested
• Whether test will be authenticated
• Preference for onsite or remote testing
• Number of static and dynamic pages
• Number of user input fields
Mobile Application Testing
Testing of mobile applications across mobile operating systems including Android, iOS, Windows and BlackBerry, to identify issues with authentication, authorisation, data leakage and session handling.
Information required to scope a mobile app test:
• Number and type of mobile apps to be tested
• Operating system, e.g. iOS, Android, Windows, BlackBerry
• Minimum version of operating system required to run application(s)
• Whether app communicates with a server and number of API calls
• Requirements for jailbreak/root detection bypass testing
Build and Configuration Review
Review of network builds and configurations to identify misconfigurations across web and app servers, routers and firewalls.
Information required to scope a build and configuration review:
• Number and location of build(s) in question
• Operating system, e.g. Windows, Linux, Unix
• Number of application servers/services to be reviewed alongside build
• Possibilities for providing remote access
Another decision you will have to make when deciding on the type of penetration test you require is whether it will be a whitebox or blackbox test.
Whitebox testing is an approach whereby information about target networks and/or systems is shared with ethical hackers prior to an engagement. This may include, where appropriate, application source code, infrastructure details, network diagrams, credentials or additional developer insight.
In contrast, under the conditions of a blackbox test, ethical hackers are given no prior information about the environment to be tested, so they need to conduct reconnaissance in order to gather their own intelligence.
The whitebox approach makes the most of the testing time available, since none of it is spent discovering what the organisation already knows, and so typically finds more issues for the same budget. A blackbox test more closely reproduces the starting position of an external attacker, at the cost of spending part of the engagement on reconnaissance, and is therefore preferred by organisations looking to mimic the approach of a genuine adversary.
Choosing a pen test provider
When looking to commission a pen test, it’s important to look for a provider with the necessary expertise to not only detect a wide range of vulnerabilities, but also provide the assistance you need to remediate them.
Redscan’s CREST STAR, CRT, CCT INF and CCT APP accredited pen testers can be trusted to provide the deep, broad and balanced programmes capable of uncovering and helping to address complex vulnerabilities across your internal and external infrastructure, wireless networks, web apps, mobile apps, network builds and configurations and more.
Our award-winning pen test services include complete post-test care, actionable outputs, prioritised remediation guidance and strategic security advice to help you make long term improvements to your organisation’s cyber security posture.