Learn what types of penetration testing methods your business may need.
By: Chad Horton
Penetration Testing Manager
This post goes into the what, the why, and the how of penetration testing to help you determine what type is best for your business.
What is a penetration test?
To combat a hacker, you need to think like a hacker. Penetration testing is a form of ethical hacking that simulates attacks on an organization’s network and its systems. This is done to help businesses find exploitable vulnerabilities in their environment that could lead to data breaches.
A penetration test is NOT the same as an automated vulnerability scan. The test is a manual process performed by experts who dive deeper into your environment than an automated vulnerability scan does. These experts especially look for the types of security issues that automated scanners struggle to detect.
SEE ALSO: Pentesting vs Vulnerability Scanning: What’s the Difference?
Why should my business get a penetration test?
Most environments are designed, built, and maintained by employees who have little to no professional experience in security. A penetration test is performed by a security expert trained to identify and document the issues present in an environment. The resulting report gives you the opportunity to remediate those issues before a real attacker exploits them.
The PCI DSS also requires that businesses test security controls annually and perform segmentation checks every six months. Subsequent assessments on these controls should also be done after any major change has been made.
SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know
How are penetration tests performed?
A penetration test can be broken into three steps:
The methodology of penetration testing is split into three types of testing: black-box assessment, white-box assessment, and gray-box assessment.
SEE ALSO: How Much Does a Pentest Cost?
Black Box assessment
This is when no background information is given to the testing analyst. The analyst can still perform the test but will dedicate a large amount of time to researching the environments and the organization.
Pros:
- Most like what a real attacker would be required to do
- Requires little of the customer’s time to prepare information for the analyst
Cons:
- Analyst has limited time, unlike a real attacker
- Likely not comprehensive
- More expensive
- Not recommended for PCI compliance
White Box assessment
The analyst is given most, if not all, of the information pertaining to the environments, which means more time is dedicated to testing and exploitation. Depending on the type of test performed, this information could include network diagrams, data flow charts, the source code to the applications, server descriptions and configurations, and credentials to access all login panels.
Pros:
- High level of accuracy and comprehensiveness
Cons:
- Requires a significant time investment from the customer to prepare the needed information for the analyst
- Most expensive
Gray Box assessment
The analyst is given some information to aid in their research. This is a spectrum in between the two extremes. For example, the penetration tester could be provided authentication credentials to access all login panels but wouldn’t have the source code or diagrams to assist in the attack attempts. Gray-box testing is generally the most cost-effective approach to penetration testing.
Pros:
- Most cost-effective
- The analyst can identify most of the same results as they would have during a white-box assessment
Cons:
- Requires some of the customer’s time to prepare information for the analyst
Which type of penetration test you should get depends on your business environment. Make sure you understand your environment and your budget so you can decide what type of penetration test your business may need.
Need a penetration test? Talk to us!
Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.