Frequently Asked Questions About Penetration Testing
At Siege Cyber we understand that a penetration test can be intimidating if it’s the first time you have needed the service, and most organisations have a lot of questions. Below are a number of questions we regularly receive. If you still need answers, please send us any questions and we will be happy to answer them for you.
What is penetration testing?
A Penetration Test (also known as ethical hacking, or a pen test) is an authorised hacking attempt, targeting your organisation’s IT network infrastructure, applications and employees. The purpose of the test is to identify security risks by actively attempting to exploit weaknesses in a controlled manner. Undertaking penetration testing allows you to proactively strengthen your organisation’s security practices.
What’s the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment is the process of identifying whether an organisation’s systems and applications have potential known security vulnerabilities. It involves one or more automated vulnerability scans, followed by a prioritised list of the vulnerabilities found, their severity and generic remediation advice. Scanning software is limited to identifying only vulnerabilities it has signatures for (such as out-of-date software, incomplete deployment of security software, etc.). It cannot take business logic into consideration or find vulnerabilities that are unknown. Scans include networks, web applications, source code and ASV (Approved Scanning Vendor) scans for PCI DSS. A penetration test has much greater potential breadth of scope and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals who use their experience and technical abilities to mimic multiple types of attack used by a cybercriminal, targeting both known and unknown vulnerabilities. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test the tester will adapt their approach to provide proof of vulnerability through exploitation, gaining access to the secure systems or stored sensitive information that a malicious attack could compromise.
What is the penetration testing process?
There is no standard answer for the time it takes to conduct a penetration test, as it is dependent on the objectives, approach and the size and complexity of the environment (attack surface) to be tested – the scope of the work to be undertaken. An app or small environment can be completed in a few days, but a large, complex environment can take weeks. A reputable penetration testing provider understands the time constraints that face organisations and will have a process to deliver your penetration testing project efficiently and cost effectively to provide maximum value.
How much does penetration testing cost?
There is no universal price for a penetration test. In fact, if you are presented with a generic price, it should serve as a red flag not to proceed with that provider. A good quality provider will offer a free consultation to understand your organisation’s aims and objectives and to determine a high-level threat model (so that the full scope of work is understood) before they provide a quote.
Why does my company need to do penetration tests?
Penetration testing is a way of demonstrating reasonable efforts made to test the integrity of your business infrastructure and applications. It shows your company has put effort into protecting confidential and sensitive business data to regulators such as ASIC or AUSTRAC. With new legislation passing in Australia, businesses are required to demonstrate they have regularly checked their systems are compliant with the industry standards and that checks have been made to ensure there are no vulnerabilities which can be easily utilised by attackers.
How often do you need penetration testing for ISO 27001?
Testing needs to be conducted annually in order to comply with the ISO 27001 standards. At Siege Cyber we recommend a full external and internal penetration test every 12 months to comply with the ISO 27001 standards, and interim external vulnerability scans every quarter, or after major changes to the network infrastructure.
How often should you conduct penetration testing?
Including regular penetration testing in your ongoing cybersecurity and information security management program is the best approach. After all, the cybersecurity landscape is ever evolving. Compliance requirements mandate regular penetration testing – for example PCI DSS compliance requires penetration testing at least annually, or during infrastructure and application modifications and upgrades that constitute a significant change to the environment. Often, organisations aim to meet only the minimum requirements to achieve compliance – and believe themselves to be secure. This is a dangerous mindset. The best practice approach is to work with your provider to conduct an organisation-wide risk assessment to determine your organisation’s level of risk. You can then develop a cybersecurity program that employs an agile approach, using the tools at your IT department’s disposal and your provider’s (such as vulnerability assessments and penetration testing) to measure and evolve the security of your networks, applications and employees to maintain a strong defence against cyber attack.
How do you select a penetration testing provider?
With a vast number of providers to choose from, it is essential to do your research to ensure that your chosen penetration testing provider is proven, reliable and professional beyond reproach. You will rely on them to interrogate your business systems and use complex tools to fully test your IT network. If the provider lacks knowledge and experience in applying their tools to diverse IT environments, you may waste your money and fail to see results. Worse, your IT environment could be damaged, changed or taken down if penetration testing tools are not appropriately configured for your specific environment.
How do we prepare for a penetration test?
In general, there is no need to do anything special to prepare for a penetration test with respect to how security controls are managed on a day-to-day basis. Remember that a penetration test is a point-in-time review of the environment: the test assesses the security posture at that particular point in time. If patches are deployed every Wednesday, for example, there is no need to change this behaviour to accommodate the penetration test itself. If the results of the network penetration test determine that this process requires attention, then that would be the appropriate time to adjust.
How much time is needed to perform a typical penetration test?
Adequate time should be reserved in advance of a penetration test for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings including remediation discussions. The entire effort varies greatly based on the size and complexity of the network penetration test. The larger or more complex the environment is, the more effort is required. The duration of the test, however, is very controllable. The duration of the test should be compressed to ensure a good, representative view of the environment at a given point in time. Generally speaking, three weeks is a good estimate for the duration of the entire engagement from planning through final delivery. The actual test itself typically varies from one to five days depending on the size of the environment.
What should we expect from the penetration testing process?
Penetration testing is an extremely disciplined process. A penetration testing company should keep all stakeholders well-informed through every key stage of the process. As a company seeking network penetration testing services, you should expect the following (at a minimum):
- A well-coordinated, planned, documented and communicated approach, so you know what is happening and when.
- A disciplined, repeatable approach.
- An approach customised to suit the unique environment of the business.
- A clearly defined initiation process, planning process, coordinated testing and a collaborative delivery process, to ensure accurate results and a clear understanding of remediation.
Do you supply software, hardware or remediation services?
No. At Siege Cyber we focus only on what we are good at: security services such as penetration testing, vulnerability assessments and user awareness training. We have worked with many IT service providers and can recommend a provider that we feel would best suit your needs.
My business uses cloud applications. Why is a penetration test still required?
All business applications, even when used in the cloud, are subject to vulnerabilities and exploits. It is only a matter of time before commonly used applications are compromised and then subsequently patched. We need to check that the patch management process is keeping up with the latest developments, and that applications are being patched against known exploits. The cloud will only act as a host and cannot guarantee the integrity of any application it hosts.
Have more questions? Let us know.
Let’s talk about how Siege Cyber can help protect your company network from attackers and ransomware. Send us an e-mail, or fill out the contact form below to get started.