What area of your business would benefit the most from a penetration test? 

By: Chad Horton
Penetration Testing Manager
CISSP, QSA
Penetration testing is a form of ethical hacking that simulates attacks on a network and its systems. It goes beyond running an automated vulnerability scanner; the tests are performed by experts that dive deeper into your environment.

In a previous blog post, Types of Penetration Testing: The What, The Why, and The How, we discussed the different ways a penetration test can be performed: black-box, white-box, and gray-box. We also told you why it’s a good idea for a business to have penetration tests performed regularly.
So, what type of penetration test should you get for your business?
What areas should you focus on? There are several tests or activities that penetration tests include. Here are a few you may want to consider.

Network penetration test

The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services.

Commonly identified security issues include:
  • Misconfigured software, firewalls, and operating systems
  • Outdated software and operating systems
  • Insecure protocols
The remediation of commonly-identified security issues include:
  • Reconfigure software, firewalls, and operating systems
  • Install updates
  • Enable encryption or choose a more secure protocol
SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

Segmentation check

The objective of a segmentation check is to identify whether there is access into a secure network because of a misconfigured firewall.

Commonly-identified security issues include:
  • TCP access is allowed where it should not be
  • ICMP (ping) access is allowed where it should not be
The remediation of commonly-identified security issues are the same:
  • Reconfigure the segmentation control (firewall rules) to properly restrict access
SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

Application penetration test

The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software.

Commonly-identified security issues include:
  • Injection vulnerabilities (SQL injection, Cross-site scripting, remote code execution, etc.)
  • Broken authentication (The log-in panel can be bypassed.)
  • Broken authorization (Low-level accounts can access high-level functionality.)
  • Improper error handling
The remediation of commonly-identified security issues include:
  • Re-design the authentication and authorization model
  • Recode the software
  • Disable remote viewing of errors meant for developers

Wireless penetration test

The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.

Commonly-identified security issues include:
  • Insecure wireless encryption standards
  • Weak encryption passphrase
  • Unsupported wireless technology
  • Rogue/open access points
The remediation of commonly-identified security issues include:
  • Update wireless protocol to an industry accepted protocol (WPA2)
  • Replace the insecure passphrase with a longer, more complicated one
  • Identify the open access point and disable it
SEE ALSO: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks

Social engineering

The objective of a social engineering assessment is to identify employees that do not properly authenticate individuals, follow processes, or validate potentially dangerous technologies. Any of these methods could allow an attacker to take advantage of the employee and trick them into doing something they shouldn’t.

Commonly-identified issues include:
  • Employee(s) clicked on malicious emails
  • Employee(s) allowed unauthorized individuals onto the premises
  • Employee(s) connected a randomly discarded USB to their workstation
The remediation is always the same: training.

Because the intent of this assessment is to take advantage of the trusting nature of employees, this type of assessment should only be done after employees have completed a training course on defending against social engineering attacks.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

Which type of penetration test is right for you?

For starters, choose the type of penetration test that focuses on the controls you are most concerned about:
  • Web application or API = application penetration test
  • Infrastructure = network penetration test (and possibly a wireless penetration test)
  • People = social engineering
If your objective is to obtain PCI compliance, at the very least, you’ll want to consider getting a network and an application penetration test.

Once you have an idea on the type of test you would like and how comprehensive you would like the results to be, you need to decide from which perspective you would like testing to be performed.

By making these decisions wisely, you can choose a penetration test that matches your business' needs and budget.

Need a penetration test? Talk to us!

Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.

SecurityMetrics Webinar, Web Application Penetration Testing 101