It is amazing how many different ways we see a penetration test being titled. It really does not matter if you call it a pen test, a pentest, a PEN test or a penetration test. They all mean the same thing: penetration testing.
A Penetration test should be performed for a variety of reasons. Some of the more common reasons why companies perform a penetration test include:
1. Most relevant regulatory standards (PCI DSS, for example) require a penetration test to be performed.
2. A penetration test can identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration.
3. The penetration test can be integrated into the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems.
4. Organisations, especially those acting as data custodians, are increasingly required by their customers, and in some cases by law, to have testing performed. A penetration test demonstrates a commitment to security from a customer's perspective and provides attestation that their assets or services are being managed securely.
5. The GDPR (Article 32) requires a process for regularly testing and evaluating the effectiveness of technical and organisational security measures; penetration testing is a widely accepted way of meeting that requirement.
6. A penetration test is a common requirement for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organisation. Results can be used as input into an on-going Risk Management process.
7. Penetration testing allows companies to assess the security controls of potential acquisition targets. Most organisations preparing to acquire another organisation want insight into the vulnerabilities they may inherit in doing so, and to plan for the remediation costs they may incur.
8. Penetration testing should be conducted to support your annual data protection audit.
9. During a breach investigation, penetration testing can show an organisation where other vulnerabilities exist, so that the response to the incident addresses the underlying weaknesses rather than only the path the attacker used.
10. A regular penetration test allows companies to proactively assess for emerging or newly discovered vulnerabilities that were not known, or not yet widely published, at the time of the previous test.
11. Penetration testing serves as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting flaws is typically less costly the earlier in the development lifecycle they are discovered. Additional testing prior to go-live, on a production-ready build, can identify any remaining issues that require attention before loading users on the application.
Penetration testing duration and costs can vary significantly depending on multiple variables.
Scoping details such as network IP addresses, complexity (and number) of applications, and employees for social engineering are key factors to determining project size. Accounting for these variables, our team works diligently to match the scope details with the security needs of your organisation.
With that said, there are trends and ranges for projects we tend to see. Penetration testing generally starts around the £8,000 range, but can grow into six figures for large, in-depth projects.
We also offer discounts for multiple-year contracts, ensuring your organisation both has a consistent pentesting partner and can stretch security budgets further.
Similar to the above question on pricing, the length of a penetration test depends on multiple variables. Penetration testing is a hands-on assessment not suited to short, quick sprints. At Hedgehog we tend to see projects starting at about one week, but most projects run for multiple weeks or even months. Some tests take much longer than others, depending on the number of vulnerabilities identified and whether or not those vulnerabilities are exploitable.
Both penetration tests and automated vulnerability scans are useful tools for identifying and locating vulnerabilities, and for enabling the successful management of those vulnerabilities. Although penetration testing and vulnerability scanning are different, a penetration test almost always includes some form of vulnerability scanning as part of its reconnaissance. The two are complementary: a penetration test should be performed at least yearly, if not every six months, while a vulnerability scan should be performed at least monthly.
A vulnerability scan is an automated, low-cost method for testing for common network and server vulnerabilities. It is sometimes marketed as an “automated pen test”, but it is not one. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective at identifying common vulnerabilities such as missing patches, service misconfigurations and other known weaknesses, it does not validate its findings and does not determine their real impact through exploitation. Automated scanners are more prone to false positives (reporting a weakness that is not actually present, for example flagging a service on the strength of its version banner when the vendor has back-ported the fix) and false negatives (failing to identify vulnerabilities, especially business-logic and authorisation flaws in web applications). Automated vulnerability scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) in requirement 11.2 (requirement 11.3 in PCI DSS v4.0).
A penetration test focuses on the environment as a whole. In many ways it picks up where the scanners leave off, to provide a comprehensive analysis of the overall security posture. While a penetration tester uses scripts and tools, their use is largely limited to reconnaissance; the bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities that scanners cannot, such as wireless flaws, logic and authorisation vulnerabilities in web applications, weaknesses that only become exploitable when several lower-severity findings are chained together, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organisation as well. For example, a university may grant access to student workers, a hospital may rely on third-party service providers, or a consultancy may give its engineers unique access rights. Each of these scenarios requires different positioning of the penetration tester within the environment and adjustments to the methodology. Penetration testing is also mandated by the PCI DSS in requirement 11.3 (requirement 11.4 in PCI DSS v4.0).
Penetration testing and automated vulnerability scans both serve a purpose, and both types of testing belong in a comprehensive vulnerability management programme. Automated vulnerability scanning should be scheduled to run frequently, at least monthly and ideally weekly, with network penetration tests scheduled at least annually, ideally quarterly, and whenever significant changes are planned to an environment.
If the pen test is not properly planned and coordinated, it can be disruptive. This is why it is imperative that planning is done properly and comprehensively, to identify potential risks of disruption and adjust the approach accordingly. This planning should be conducted well in advance of any testing start date, to ensure adequate time for communication with project stakeholders. Communication and monitoring should continue throughout the pen testing schedule.
We understand that clients often have hard deadlines that they’re trying to meet.
Whether you are trying to meet client requirements that rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Unfortunately, manual penetration testing takes some planning and preparation for our assessment team, and our schedule can be filled as much as 2-6 weeks out.
With that said, if you have an urgent project feel free to contact us about timelines. Depending on needs and timelines, we may have the ability to pull resources off of a research project & get started immediately.
A question not enough people ask is how much of the testing is automated versus manual. Automated tools are a brief step early in our process; the large majority of our testing is manual. The amount of manual work varies from project to project, but around 95% of a pentest is hands-on.
This is not to say automated vulnerability scanners do not have a place: vulnerability scans are quick and simple tools that should be run regularly to identify missing patches or outdated software, particularly in larger environments whose contents are not fully known.
Early in the process we try to familiarise ourselves with your company and the scope of work so that we are able to create an accurate proposal. We intentionally gather this information so that we never come back requesting more testing time (and additional costs). The more information you are willing to share, the better the assessment we can provide.
With that said, some clients may want a black-box approach, where little information is provided, to simulate a real-world attack and the response to it. In this scenario we still need to grasp the size and complexity of the testing required, and therefore have some basic scoping questions.
A question we hear often is whether our testing can meet compliance requirements. While this certainly requires a deeper discussion, our testing meets the penetration testing requirements of multiple compliance frameworks, including PCI DSS, HIPAA, SOC 2 and others. That said, each standard is different and should be discussed before moving forward. Contact us for more details.
On an average day you will wait around four hours for a reply. It can be longer at peak holiday periods and towards the end of the financial year, when the team is busier than normal.
The scheme sets out five basic security controls (boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and security update (patch) management) to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives.
Benefits of the Cyber Essentials scheme include reassuring customers that you take cyber security seriously as well as attracting new business with the assurance that you have cyber security measures in place.
Cyber Essentials is designed to help organisations of any size demonstrate their commitment to cyber security – all while keeping the approach simple and the costs low.
If you supply, or want to supply, larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain. If you want to bid for central government contracts that involve handling personal or sensitive information, or providing certain ICT products and services, you will need Cyber Essentials certification.
The Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains. Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).
Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory, and is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.
Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site assessment and an internal vulnerability scan (an authenticated scan of a sample of in-scope devices; in certain instances these can be performed remotely), plus an external vulnerability scan conducted by the certification body.
Only certification bodies that have been trained and are currently licensed by IASME to certify against the government’s Cyber Essentials scheme can undertake assessments and issue certificates. Hedgehog Security's assessors are IASME trained and Hedgehog Security is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.
The following describes the Cyber Essentials certification process using the Hedgehog Security branded Cyber Essentials portal, provided by Pervade.
1. Purchase one of our Cyber Essentials certification packages.
2. You will be required to provide the email address and mobile phone number of the person responsible for completing and submitting the SAQ.
3. Receive an email and SMS message with details needed to log in to the portal.
4. Complete the scope and SAQ.
5. Contact us before your first submission to undertake a pre-check of your responses to the SAQ to determine whether you are likely to pass on that basis.
6. Confirm all answers provided in the assessment have been approved at board level or equivalent. Signed confirmation will be required.
7. The assessment is marked by one of our Cyber Essentials assessors, who will provide feedback with the result.
If the result is a ‘pass’:
A Cyber Essentials certificate will be issued for you to download from the portal along with a copy of your assessment.
IASME will contact you to provide your branding pack and insurance details (as applicable).
The Cyber Essentials certification process is complete.
If the result is a ‘fail’:
Review the feedback provided by your assessor. If you have purchased a Cyber Essentials package that includes consultancy support and you have support time remaining, one of our cyber security experts can help you understand how to address any non-compliant areas.
You have two working days to resubmit. If you do not resubmit your application within this time, our certification guarantee is invalidated.
You have six months from purchase to complete your application, after which it will be archived automatically by IASME and you will need to purchase a new package to continue.
For Cyber Essentials Plus, there are additional steps for the technical assessment, including internal and external vulnerability scans. You must complete these within three months of achieving your most recent basic-level Cyber Essentials certification from an IASME-licensed certification body.
The scans are conducted to a common standard mandated by IASME for Cyber Essentials Plus certification. Including the scans in the certification process makes the application more efficient and cost-effective. For this reason, only IASME-licensed certification bodies can conduct the vulnerability scans that form part of the Cyber Essentials Plus certification work.
Ask us a question, any question at all. As long as it has to do with Information Security / Cyber Security, we will get back to you with an answer.