What Is Pentesting?
Pentesting (or penetration testing) is a type of cybersecurity test that identifies vulnerabilities, threats, and risks in networks, systems, and applications. While vulnerability scanning attempts to identify known vulnerabilities, a penetration test (or pen test) is intended to exploit those weaknesses to gain full situational awareness of your cybersecurity, including organizational risk, threats, vulnerabilities, and potential business impact.
Why Do I Need A Penetration Test?
Pentesting is one of the best security practices that you can take.
Pentesting can evaluate your security controls and provide you with recommendations to enhance your overall security posture. Pentesting can include real-world security tests using advanced hacking methods to help you identify your weaknesses and improve your security posture. Advanced penetration tests can also simulate attacks on your network using similar techniques as malicious attackers to see if you can identify active attacks!
Pentesting Compliance Requirements
Pentesting is required for regulatory and compliance standards including:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX)
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley Act (GLBA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Financial Institutions Examination Council (FFIEC)
- International Organization for Standardization (ISO)
- Federal Information Security Management Act (FISMA)
- National Institute of Standards and Technology (NIST)
- HITRUST
PCI DSS Annual Pentesting
PCI DSS requires that you perform external pentesting and internal pentesting annually.
PCI DSS Significant Change Pentesting
PCI DSS requires that you perform pentesting after significant changes. PCI DSS 4.0 defines a significant change as:
- New hardware, software, or networking equipment added to the CDE
- Any replacement or major upgrades of hardware and software in the CDE
- Any changes in the flow or storage of account data
- Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment
- Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring)
- Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity
Security Frameworks
Penetration testers should be familiar with a variety of security frameworks including:
- Penetration Testing Execution Standard (PTES)
- Open Web Application Security Project (OWASP)
- Information Systems Security Assessment Framework (ISSAF)
- Open Source Security Testing Methodology Manual (OSSTMM)
Pentesting Authentication
Will the penetration tester have credentialed access to the network, systems, and web applications?
- Unauthenticated
- Authenticated
Pentesting Approach
There are different approaches to a penetration test including:
- Black-box
- Grey-box
- White-box
Pentesting Focus
What will the focus of the penetration test be?
- External
- Internal
Areas That Should Receive Pentesting
The following areas at a minimum should receive routine pentesting:
- External Network
- Internal Network
- Web Application
- Mobile Application
- Physical
- Wireless
- Social Engineering
- Cloud
Should I Just Focus On A Good Defense Strategy?
Have you ever heard the saying "The best defense is a good offense"? Looking at your organization's security through an offensive perspective can improve its defenses and its overall security posture. Running antivirus software, having firewalls, and hoping that your business is secure is not enough. You need to uncover and fix vulnerabilities before the cybercriminals exploit them.
Why You Need Independent Security Testing
Organizations benefit from independent security testing. Not every business has its own internal team of security professionals, and even those that do could benefit from a fresh set of eyes.
Routine penetration tests can:
- Identify your vulnerabilities
- Determine the exploitability of vulnerabilities
- Measure the potential impact of vulnerabilities
- Assess organization risk
- Prioritize your remediation efforts
- Meet regulatory and compliance standards
- Explain security concerns to technical engineers and application developers
- Justify security-related initiatives to executive leadership
How Often Do I Need Security Testing?
There is no magic number that fits every organization. Routine pentesting should be performed to identify potential security vulnerabilities. Annual penetration tests are not enough. Monthly or quarterly penetration tests, along with weekly or monthly vulnerability scanning are much more effective at improving your overall security posture. Pentesting should also be performed after network changes, application updates, and when new systems are brought onto the network.
Best Pen Test Companies
Central InfoSec was rated the "best boutique pentesting company" and the "best pentesting firm" by two independent third-party organizations that review many contributing factors.
Automated Vulnerability Scanning vs Manual Pentesting
While vulnerability scanning may be included in the initial phase of vulnerability identification, manual analysis and manual testing are a must. Vulnerability scanners alone can often miss vulnerabilities, report false positives, or give inaccurate risk ratings. Manual pentesting includes additional techniques to identify vulnerabilities along with human analysis to gauge the true severity, potential impact, and organizational risk.
Running a vulnerability scan and saying you may be vulnerable is completely different from actually exploiting vulnerabilities. If you hire a firm that relies on automated vulnerability scanners, critical vulnerabilities could be missed. Central InfoSec team members have published custom tools to track manually found findings that scanners miss.
Should You Completely Avoid Automated Vulnerability Scanning?
Absolutely not! While automated security testing cannot replace manual pentesting, there are some benefits to automated scanning. Automated scanning offers advantages such as speed and wider coverage. However, pentesting cannot be completed with automated vulnerability scanning alone. Vulnerability scans often include a high rate of false positive findings, which need manual validation. Automated scanning tools will not identify all vulnerabilities and cannot chain multiple vulnerabilities together to form complex attacks.
What Happens After the Pen Test?
After completing a penetration test, the pentesting team will share their findings with the company's security team.
Pentesting Reporting
Every penetration tester should be able to provide detailed documentation of their findings. Reports should include an attack narrative, detailed findings, risk ratings, and remediation details to prevent future attacks against the organization. Organizations should be able to leverage the pentesting report to make decisions, implement security controls, and remediate vulnerabilities.
Who Is Actually Performing Your Testing?
Ask questions about who is actually performing the testing. Steer clear of companies that can't answer simple questions. Some questions you can ask include:
- Who will be performing the testing?
- How many years of experience does the tester have performing web application pentesting?
- Does the tester have relevant professional security certifications and credentials?
- Has the tester created professional web application testing tools and plugins?
- Is the tester a full-time employee or a contractor?
- Is this the first security role or first pentesting role that the tester has ever been in?
Ensure the Security Professionals Have Relevant Certifications
Depending on the type of work being performed, security professionals should have relevant certifications. Central InfoSec team members have achieved professional certifications including:
- Certified Red Team Operator (CRTO)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Wireless Professional (OSWP)
- GIAC Certified Penetration Tester (GPEN)
- GIAC Cloud Penetration Tester (GCPN)
- GIAC Mobile Device Security Analyst (GMOB)
- Amazon Web Services Security Specialty (AWS CSS)
- EC-Council Certified Ethical Hacker (C|EH)
- Practical Network Penetration Tester (PNPT)
Professional Security Services Offered by Central InfoSec
Central InfoSec offers a variety of professional security services including:
- Red Teaming
  - Attack simulation to test, measure, and improve your detection and response
- Penetration Testing
  - Real-world security tests using advanced hacking methods to identify your weaknesses
- Vulnerability Assessments
  - Identification of potential vulnerabilities in your network and applications
- Application & API Testing
  - Testing of security controls and products to identify your gaps and weaknesses
- Password Audit
  - Detection of weak passwords to help you improve your password policies
- C2 & Pivot Testing
  - Command and control (C2) communications, pivoting, and data exfiltration testing
- Purple Team Tabletop
  - Targeted training exercises to measure people, processes, and technologies
- Security Training
  - Fully customizable cyber security training and employee awareness support
Best Boutique Pentesting Company
Central InfoSec was named Best Boutique Pentesting Company in the Global 100 Awards.