In this three-part series, we’ll take a look at how to choose the best penetration testing company and type of test for your needs. With the cybersecurity landscape and compliance requirements constantly evolving, choosing a firm that not only understands the latest threats but also aligns with your specific organization’s needs is critical.
In this first post in the series, we’ll look at what penetration testing is, types of pentests, and also the services that masquerade as pentests without providing the deep-dive of a genuine manual test.
What is a Penetration Test?
Think of your organization’s cybersecurity as a high-stakes game of hide and seek. You’ve hidden all your digital treasures, but you’re not sure if they’re truly out of sight. Enter the penetration test, where ethical hackers play the role of the seekers. They don’t just look for the obvious hiding spots; they’ll rummage through every nook and cranny, trying to find your secrets. They’ll attempt to bypass your security measures, exploit any weaknesses, and even chain together vulnerabilities to gain access.
It’s like a real-world simulation of what a determined attacker might do. The goal? To uncover not just if there are vulnerabilities, but also how they can be exploited, how deep an attacker could go, and what damage they could potentially cause. A pentest gives you a detailed report card on your security, highlighting not just the weak spots but also providing actionable insights on how to fortify your defenses.
Why is a Vulnerability Assessment Not a Penetration Test?
Imagine you’re hosting a dinner party, and you’ve just realized you might have left the back door unlocked. A vulnerability scan is like quickly checking all the doors and windows to see if they’re locked, using a handy checklist of common security issues. It’s automated, efficient, and gives you a broad overview of potential entry points for unwanted guests.
A penetration test is like hiring a master thief (ethically, of course!) to actually try and break into your house. The hands-on approach of a penetration test goes beyond just identifying vulnerabilities – it actively tries to exploit them to see how far an attacker could get.
So, while a vulnerability scan might tell you there’s a weak spot, a pentest shows you the real-world impact of that weakness. A scanner also reports issues it cannot confirm (false positives), cannot chain several low-severity findings into one serious compromise, and rarely finds business-logic flaws, all of which a manual tester handles. That gives you a much clearer picture of your security posture.
What Penetration Tests Does My Organization Need?
The fast answer is that it depends on your organization type, maturity, and needs, but let’s get into the weeds on the types of penetration tests to help you choose what you need now and what you want to have in your future budget.
Network Penetration Tests
External Network Penetration Tests cover many basic compliance needs and are often the best place to start for organizations that have never performed a pentest before. Your pentester will look at your internet-facing components just as a malicious hacker would and try to break in. This often means your organization’s website (tested without credentials, unless the tester manages to obtain access), any file transfer systems you have, and components that were accidentally exposed to the internet (such as remote desktop services and admin interfaces for security cameras). This is a great test to see what hackers could be doing right now.
Internal Network Penetration Tests, including Cloud and VPC networks, are often needed for compliance, such as PCI DSS, which also requires segmentation testing when segmentation is used to keep systems out of cardholder data scope (an easy add-on for an internal test). Adding an internal network test to complement an annual external network test gives you a much clearer view of your organization’s security posture. Your pentester will play the role of a malicious employee or someone who gained access to your internal network (maybe a vendor for HVAC repair or pest control). We often encourage organizations interested in physical social engineering assessments to group those with their internal network test to clearly see how easily a malicious person could gain access and then exploit it. On these tests your pentester has access to many more systems, and our Raxis testers gain admin access on these tests over 85% of the time, allowing organizations to discover and correct gaps in their security.
Wireless Network Penetration Tests allow you to ensure that your internal network is secured from the wireless side as well. Your pentester will check that your wireless authentication and encryption are current (for example, that a corporate network is not still relying on a shared pre-shared key or a deprecated protocol) and cannot be bypassed, and that your guest wireless network is segmented properly so that it does not allow access to your internal networks. Next up is standing up rogue access points that broadcast your network’s name (an “evil twin”) to capture wireless credentials from devices that think they are connecting to the real thing. Are your systems equipped to discover that and shut it down? While Raxis performs many remote wireless tests, onsite wireless tests may also include wireless network mapping and searching for rogue networks already in place.
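The question above (can you detect a rogue access point impersonating your network?) is the kind of check a wireless IDS or a periodic scan script performs. The following is an added example, not code from the original post or from Raxis: it runs the two classic evil-twin indicators (a corporate SSID advertised by a BSSID that is not on the controller’s allowlist, and a corporate SSID advertised with the wrong security type) over a constructed scan result. The SSIDs, BSSIDs and the AUTHORIZED allowlist are hypothetical.

```python
"""Flag likely rogue / evil-twin access points in a wireless scan result.

Added example (not from the original post). All SSIDs, BSSIDs and the
allowlist below are hypothetical; in practice the allowlist comes from
your WLAN controller's inventory.
"""
from collections import namedtuple

Observed = namedtuple("Observed", "ssid bssid security channel rssi")

# Hypothetical inventory of authorized access points per corporate SSID.
AUTHORIZED = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:11"},
}
# The security type each corporate SSID is supposed to advertise.
EXPECTED_SECURITY = {"CorpWiFi": "WPA2-Enterprise", "CorpGuest": "Open"}

# Constructed scan results, not real capture data.
SCAN = [
    Observed("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2-Enterprise", 36, -52),
    Observed("CorpWiFi", "aa:bb:cc:00:00:02", "WPA2-Enterprise", 44, -61),
    Observed("CorpGuest", "aa:bb:cc:00:00:11", "Open", 1, -55),
    # Unknown BSSID using our SSID with a strong signal: evil-twin candidate.
    Observed("CorpWiFi", "de:ad:be:ef:00:01", "WPA2-Enterprise", 6, -40),
    # Our SSID advertised as an open network: classic credential-harvest twin.
    Observed("CorpWiFi", "de:ad:be:ef:00:02", "Open", 11, -45),
    # A neighbor's network; it does not impersonate us and is ignored.
    Observed("CoffeeShop", "11:22:33:44:55:66", "Open", 1, -80),
]


def classify(obs):
    """Return the reasons this BSS looks rogue.

    An empty list means the BSS is either an authorized corporate AP or an
    unrelated neighbor network that is not impersonating a corporate SSID.
    """
    reasons = []
    if obs.ssid not in AUTHORIZED:
        return reasons  # not using one of our SSIDs; out of scope here
    if obs.bssid.lower() not in AUTHORIZED[obs.ssid]:
        reasons.append("unknown BSSID advertising a corporate SSID")
    if obs.security != EXPECTED_SECURITY[obs.ssid]:
        reasons.append(
            f"security mismatch: {obs.security} instead of "
            f"{EXPECTED_SECURITY[obs.ssid]}"
        )
    return reasons


def find_rogues(scan):
    """Map each suspicious BSSID to its list of reasons."""
    rogues = {}
    for obs in scan:
        reasons = classify(obs)
        if reasons:
            rogues[obs.bssid] = reasons
    return rogues


if __name__ == "__main__":
    for bssid, reasons in find_rogues(SCAN).items():
        print(bssid)
        for reason in reasons:
            print("  -", reason)
```

The strong signal on the unknown BSSIDs is deliberate: an attacker parks the rogue close to the victims because clients prefer the strongest matching network. Detection on the infrastructure side is one half of the answer; the other is configuring supplicants to validate the RADIUS server certificate so that a twin cannot harvest credentials even when a device does associate with it.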
Application Penetration Tests
Web Application Penetration Tests delve deeply into your application, whether it’s an external SaaS product that you sell to customers, an internal application you developed for your employees’ use, or simply an external-facing web app you use to interact with customers and the people interested in your product or message. Your pentester examines your app as an unauthenticated user and as users with varying roles (we usually recommend a standard role and an admin role). They attempt to gain access that should not be available to each user in numerous ways, from authentication bypass and session management flaws to injection attacks, and they examine your application for configuration issues and gaps in its logic that could become exploitable.
Mobile Application Penetration Tests look at many of the same issues seen on web application tests but are specialized for your mobile apps. From jailbreak and root detection to certificate pinning, your pentester will examine your mobile app for exploitable vulnerabilities allowing you to close the gaps before they affect your users.
API Penetration Tests dive into the interfaces that connect your applications, whether internally between your own services or externally so that your users can reach your data from their systems. While many of the vulnerabilities match those your pentester searches for within the applications themselves, these tests examine the API on its own terms: authorization on each endpoint, input handling, rate limiting, and flaws in how the API itself is configured and documented.
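The role-by-role testing described for web applications above, and the per-endpoint authorization checks just mentioned for APIs, come down to the same exercise: call each function as every role the tester was given and flag any case where the policy says “no” but the application says “yes”. The block below is an added example, not code from the original post or from Raxis. It uses a hypothetical invoice-lookup endpoint in two forms, the vulnerable one that trusts the record id alone (an insecure direct object reference, or broken object-level authorization in API terms) and a hardened one that checks ownership and role, and runs a small role matrix over both. The users, invoices and handler names are all constructed.

```python
"""Role-matrix authorization check: vulnerable vs. hardened lookup handler.

Added example (not from the original post). The invoice data, user roles
and handler names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: invoices belonging to two different customers.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 980.00},
}
# Role assignments the tester was given: two standard users and one admin.
USERS = {"alice": "standard", "bob": "standard", "carol": "admin"}


@dataclass
class Request:
    user: Optional[str]  # None represents an unauthenticated caller
    invoice_id: int


def get_invoice_vulnerable(req):
    """Looks the record up by id only: anyone, even an anonymous caller,
    can read any invoice by guessing its id (IDOR / BOLA)."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_hardened(req):
    """Requires authentication, then enforces object-level authorization:
    only the invoice's owner or an admin may read it."""
    if req.user is None:
        return 401, None
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return 404, None
    if USERS.get(req.user) != "admin" and inv["owner"] != req.user:
        # Returning 404 here instead would also avoid confirming the id exists.
        return 403, None
    return 200, inv


def policy_allows(caller, inv):
    """The intended rule, written down separately so the test can compare
    what the handler does against what it should do."""
    if caller is None:
        return False
    return USERS[caller] == "admin" or inv["owner"] == caller


def run_role_matrix(handler):
    """Exercise the handler as unauthenticated, standard and admin callers
    against every record; return (caller, invoice_id) for each case where
    access was granted but the policy forbids it."""
    callers = [None, "alice", "carol"]
    findings = []
    for caller in callers:
        for inv_id, inv in INVOICES.items():
            status, _ = handler(Request(caller, inv_id))
            if status == 200 and not policy_allows(caller, inv):
                findings.append((caller, inv_id))
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_role_matrix(get_invoice_vulnerable))
    print("hardened:  ", run_role_matrix(get_invoice_hardened))
```

Against the vulnerable handler the matrix reports the anonymous caller reading both invoices and alice reading bob’s; against the hardened handler it reports nothing. In a real engagement the tester builds the same matrix from your application’s roles and endpoints, swaps ids and session tokens between accounts, and treats every unexpected 200 as a finding.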
Specialized Penetration Tests
Some companies, such as Raxis, also provide Specialized Penetration Tests such as IoT, Operational Technology (OT) including SCADA, and other device testing. These security tests are crucial for industries such as energy, transportation, water, and telecommunications. Because these systems are both critical and sometimes fragile, your pentester works with you to test them carefully for security gaps, staying in touch with your team throughout to avoid risky tests that could disrupt operations.
Check Out the Next Posts in the Series
Thanks for taking the time to take a look at what a penetration test is and the types of tests available. I hope you’ll check back for the next post in this series, where Brad Herring will take a look at comparing different penetration companies.