If this is your first time purchasing a penetration test, or even encountering the field of penetration testing, you are probably filled with questions and want to make sure you understand what you are purchasing. A lot of the terms and vocabulary used in the penetration testing field can be daunting. So here, we are going to go into a little more depth on what some of these terms mean to make sure you, as a customer, completely understand what you are purchasing and what exactly will occur during the penetration test you purchase from us. We also want to dispel some common misconceptions and clear up any confusion that may arise while reading through the content on our website. So here are some frequently asked questions.
Why should I purchase a penetration test?
The average amount of money lost as a result of a data breach is roughly $6.75 million. Recovering from a loss of that size is almost impossible for small to medium-sized businesses, which makes ensuring your system’s security all the more important. A penetration test will uncover flaws in the systems vital to your business’s operation before a malicious adversary does.
What is a penetration test?
A penetration test is, in essence, a simulation of a malicious attack. This simulation is performed by information security experts who are qualified in the field. A penetration test’s objective is to find exploitable flaws and vulnerabilities in your company’s infrastructure before an attacker takes advantage of those flaws for malicious purposes.
What is the difference between a vulnerability scan/assessment and a penetration test?
There is a common misconception that a vulnerability scan and assessment is the same thing as a penetration test. This is totally false. A vulnerability scan and assessment will cover a very broad surface. It will search your network for as many exploitable flaws in your systems as possible, including outdated software, unpatched systems, etc. This will give you a good idea of what needs to be fixed on your systems, but it will not show the possible impact of exploitation, as no exploitation will be taking place.
During a penetration test, we will find a vulnerability and take it to the furthest extent that we can. We will exploit the vulnerabilities we find and see how deep into the network we can get, to show the possible impact and destruction a targeted attack on your company could have. For more information on the differences between a pentest and a vulnerability scan, see: Pentest vs. Vulnscan
What are the qualifications of a penetration tester?
When looking for a penetration tester, you want to make sure that the people you are employing are Offensive Security Certified Professionals (OSCP) or GIAC Certified Penetration Testers (GPEN) at the minimum. Other offensive-style certifications (OSCE, OSWP, GXPN) demonstrate higher skill levels, and our team holds several of the listed certifications. You will also want to ask what tools are being used during the penetration test to make sure you are getting the best possible service along with the state-of-the-art software that should always be used during a penetration test.
What is the difference between a white box and a black box penetration test?
A white box penetration test is where the client provides us with the design of the infrastructure and target information in order to give us a better idea of what to attack. This allows us to conduct a more precise attack against the design and infrastructure of the company and its network. A black box penetration test is where no information is given to us and we are essentially simulating an attack the way a malicious adversary would. This gives the client an opportunity to test its defenses and find out what could really happen if it were the target of an attack. Then, there are gray box tests, where we are given some information about our targets. In our opinion, this is the best route for a penetration test if you are trying to simulate a truly targeted attack that has been funded.
Why should not only the network perimeter be tested, but also the internal network?
If your company’s network is sufficiently hardened at the perimeter systems and it was not possible to compromise it during a perimeter test, it still makes sense to conduct an internal test as well. Just because the perimeter systems are sufficiently secured does not mean that the same precautions are taken on the internal network. Most of the time, too little is done to secure the internal network, as it is supposedly only accessible by trustworthy persons. Especially in larger corporations, though, not every employee needs the same access permissions. The intern does not need to have the same access level as the CEO. It is therefore a severe problem if a future security vulnerability that allows access to the internal network nullifies all safety precautions. If the financial incentive is big enough, it would also not be difficult for attackers (competitors, business rivals) to either bribe one of your staff members or infiltrate your organization with somebody who reports back to them with all the data that is supposedly well guarded when seen from the outside.
So what should I do?
If you have any questions or concerns about the material you just read, or even just want to be on the safe side, please give us a call at (706) 972-7703. We will be more than happy to assist.