Frequently Asked Questions About Penetration Testing

At Siege Cyber, we understand that a penetration test can be intimidating if it’s the first time you have needed the service, and most organisations have many questions. Below are several questions we regularly receive. If you still need answers, please send us any questions, and we will be happy to answer them for you.

  • What is penetration testing?

    A Penetration Test (also known as ethical hacking or a pen test) is an authorised hacking attempt targeting your organisation’s IT network infrastructure, applications and employees. The test aims to identify security risks by actively attempting to exploit weaknesses in a controlled manner. Undertaking penetration testing allows you.

  • What’s the difference between a vulnerability assessment and a penetration test?

    A vulnerability assessment identifies whether an organisation’s systems and applications have known security vulnerabilities. It consists of one or more automated vulnerability scans, followed by a prioritised list of the vulnerabilities found, their severity and generic remediation advice. Scanning software can only identify vulnerabilities it has signatures or checks for (missing patches and out-of-date software, incomplete deployment of security software, weak configurations and so on). It cannot reason about business logic or find previously unknown vulnerabilities, and it reports potential exposures rather than confirmed ones, so false positives must be expected. Scans can cover networks, web applications, source code and the external ASV (Approved Scanning Vendor) scans required for PCI DSS. A penetration test has a much greater potential breadth and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals, who use their experience and technical ability to mimic the multiple attack techniques a cybercriminal would use, targeting both known and unknown vulnerabilities. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test the tester adapts their approach as they go and exploits weaknesses to provide proof of exposure: demonstrating the access to systems or stored sensitive information that a real attack could achieve.

  • What is the penetration testing process?

    There is no standard answer for how long a penetration test takes: it depends on the size and complexity of the environment (the attack surface) to be tested, which defines the scope of the work to be undertaken. A single application or small environment can be completed in a few days, but a large, complex environment can take weeks. A reputable penetration testing provider understands the time constraints organisations face and will have a process to deliver your penetration testing project efficiently and cost-effectively so that it provides maximum value.

  • How much does penetration testing cost?

    There is no universal price for a penetration test; if you are presented with a generic price, it should serve as a red flag not to proceed with that provider. A good quality provider will provide a free consultation to understand your organisation’s aims and objectives and determine a high-level threat model (to understand the full scope of work) before giving a quote.

  • Why does my company need to do penetration tests?

    Penetration testing demonstrates that reasonable efforts have been made to test the integrity of your business infrastructure and applications. It shows regulators such as ASIC or AUSTRAC that your company has taken steps to protect confidential and sensitive business data. With new legislation passing in Australia, businesses must demonstrate that they regularly check their systems against industry standards and that those checks confirm there are no vulnerabilities an attacker could easily exploit.

  • How often do you need penetration testing for ISO 27001?

    ISO 27001 itself does not prescribe a fixed testing interval; it requires that technical vulnerabilities be identified and managed on an ongoing basis, and annual penetration testing is the widely accepted way to demonstrate this to auditors. At Siege Cyber, we recommend a complete external and internal penetration test every 12 months to support ISO 27001 compliance, supplemented by external vulnerability scans every quarter and after any significant change to the network infrastructure.

  • How often should you conduct penetration testing?

    Including regular penetration testing in your ongoing cybersecurity and information security management program is the best approach. After all, the cybersecurity landscape is ever-evolving. Compliance requirements mandate regular penetration testing; for example, PCI DSS requires penetration testing at least annually and after any infrastructure or application modification or upgrade that constitutes a significant change to the environment. Organisations often aim to meet only the minimum requirements for compliance and then believe themselves to be secure. This is a dangerous mindset. The best-practice approach is to work with your provider on an organisation-wide risk assessment to determine your organisation’s level of risk. You can then develop a cybersecurity program that takes an agile approach, using the tools at your IT department’s disposal and your provider’s (such as vulnerability assessments and penetration testing) to measure and improve the security of your networks, applications and employees, and so maintain a strong defence against cyber attack.

  • How do you select a penetration testing provider?

    With many providers to choose from, it is essential to do your research to ensure that your chosen penetration testing provider is proven, reliable and professional beyond reproach. You will rely on them to interrogate your business systems and use complex tools to test your IT network thoroughly. If the provider lacks the knowledge and experience to apply those tools across diverse IT environments, you may waste your money and see no useful results. Worse, your IT environment could be damaged, changed or taken down if penetration testing tools are not configured appropriately for your specific environment. Ask about the provider’s testers’ certifications, their methodology, how they handle sensitive data gathered during the test, and how they will coordinate with you if something goes wrong mid-engagement.

  • How do we prepare for a penetration test?

    Beyond agreeing the scope, providing written authorisation and nominating points of contact for the engagement, there is no need to do anything special to prepare for a penetration test in terms of how security controls are managed day to day. Remember that a penetration test is a point-in-time review: it assesses the security posture of the environment as it is at that particular point in time. For example, if patches are deployed every Wednesday, there is no need to change this behaviour to accommodate the test. If the results of the network penetration test show that this process requires attention, that is the appropriate time to adjust it.

  • How much time is needed to perform a typical penetration test?

    Adequate time should be reserved for planning activities in advance of a penetration test. Additional time should be allocated after testing for report development and subsequent review meetings, including remediation discussions. The total effort varies considerably with the size and complexity of the network being tested: the larger or more complex the environment, the more effort is required. The duration of the test itself, however, is very controllable. The testing window should be kept compact so that the results give a good, representative view of the environment at a single point in time. Generally speaking, three weeks is a reasonable estimate for the duration of the entire engagement from planning through final delivery. The actual testing typically takes from one to five days, depending on the size of the environment.

  • What should we expect from the penetration testing process?

    Penetration testing is a highly disciplined process, and a penetration testing company should keep all stakeholders well informed through every critical stage of it. As a company seeking network penetration testing services, you should expect the following at a minimum: a well-coordinated, planned, documented and communicated approach, so that you know what is happening and when; a disciplined, repeatable methodology, customised to suit the unique environment of your business; and a clearly defined initiation process, planning process, coordinated testing phase and collaborative delivery process, to ensure accurate results and a clear understanding of the remediation required.

  • Do you supply software, hardware or remediation services?

    No. We work with many IT service providers and can recommend a provider that we feel would best suit your needs.

Have More Questions? Let Us Know.

Let’s talk about how Siege Cyber can help protect your company network from attackers and ransomware. Send us an e-mail to get started.