Hedgehog Security
Penetration Testing (2022-08-10)

CREST Approved Penetration Testing: identify your Cyber Security weaknesses

CREST Approved Penetration Testing: our testing service is approved and regulated by CREST, the Council for Ethical Security Testers, in the UK and is fully aligned with the CREST Defensible Penetration Test standard. We offer a full-scope, multi-layered attack simulation orchestrated from the perspective of a malicious threat actor. We design our penetration tests to measure how prepared your organisation is to withstand an attack from adversaries. Our end goal is to uncover risks and vulnerabilities.

What is Penetration Testing?

Penetration testing, also called pentesting or a pentest, has been defined by the UK’s NCSC (National Cyber Security Centre) as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” CREST Approved pen testing is where a testing firm such as ourselves has completed a rigorous quality and technical assessment to ensure that we meet the standards set down by CREST, the UK regulator for pen testing, in a manner that is called Defensible Penetration Testing. We remain one of the few independent CREST accredited penetration testing companies in the UK and Europe.

Pentesting is similar to a financial audit

Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient. A well-structured and scoped pentest needs to be more than a simple point-in-time test.

Penetration Testing evolved

Our pentesting offering has evolved to a service-led offering, enabling regular repeated testing quickly and easily. There are seven stages of testing that form the backbone of our comprehensive penetration testing methodology. You can read more about our seven steps of a pentest here, and find out what to expect from your penetration test here.

In a perfect world, a pentest will highlight known issues. It will also find subtle problems that, when chained together, evolve into significant risks.

CREST Defensible Penetration Test

All of our Penetration Testing engagements are aligned and comply with the CREST Defensible Penetration Test standard. We put Cyber Security First in all things we do and we have published our penetration testing methodology here on our site.

Why CREST Approved Pen Testing?

It is actually very logical. With a CREST approved firm, you know that they are ISO27001, ISO9001 and Cyber Essentials Plus certified. You know that they hold all the required insurance to perform high risk work. And you know that their staff meet a technical training and experience level that ensures every pentest is completed to a high standard.

A CREST accredited penetration test in the UK does take longer, and it does cost more, but you are guaranteed a professional and thorough test.


What makes up a CREST Defensible Penetration Test?



We start by working with clients to define a very detailed scope. The scoping phase is essential for ensuring that the penetration test aligns with the assurance goals and objectives. This is achieved by working out as detailed a scope as possible. Sometimes this can be as high level as “do a web application penetration test against x”, or it could be as detailed as going into specifics on what should be tested. The outcome, though, is a very detailed work sheet for the testers to work through as per our pentesting methodology. At the end of the day, the scoping will always be performed by one of our senior test team or our CISO, all of whom have signed the CREST Code of Conduct. This is why our CREST Defensible Penetration Test is not cheap penetration testing. A CREST Defensible penetration test is vastly more in depth and complicated, using specific highly qualified individuals.

Delivery and Execution

The delivery phase is carried out in line with CREST Accredited methodology. All of the testers involved in your penetration test will be at least OSCP or CRT qualified and will have specialisms in particular sub-cultures of penetration testing. For example, if Wireless, OT or IoT is involved, you can be certain that Peter Bassill will be the one to carry out the testing. Regardless, all of the test team have signed the CREST Code of Conduct.

Penetration Test Signoff

The sign off phase is conducted by Peter and Leticia. Both are CISSP qualified and work on the virtual CISO side of the business managing security teams and multiple test cycles for clients. It is their job to ensure that the test has completed everything listed in the scope and more, and that the testers have deep dived into any areas of interest.

Depending on the size of the test, signoff can take between one and three days. There is test evidence to review and screencasts to watch. Once the test report is signed off, it is published as a PDF report on our testing portal and a remediation workbook is created as an Excel workbook.

Our Penetration Testing Services

Standard Penetration Testing

A standard pentest can be a one-off, whether it is a single web application or external infrastructure all the way to complex internal infrastructure testing for PCI-DSS annual compliance. Or it can be part of a series of pentests. We offer total flexibility to meet your testing needs and far beyond what you would traditionally receive in a penetration test. Our client portal provides additional services that enhance your CREST accredited penetration testing engagement to give that next generation of security testing coverage. But if you still need that single point in time, our standard penetration test, then we can still help.

A team leader leads each penetration test from within the UK. Our team leaders ensure your testers’ narrative helps you understand how we got the results. The tester uploads the description to the test portal, where customers can interact with the findings rather than reading from an extensive static report. You can also export the results as CSV files, integrate the portal into Jira and download PDF reports.

We can test multiple assets, from your people and internal business processes to web and mobile applications, brochure sites, industrial control systems, internal and external infrastructure, cloud services, and more.

Pentesting as a Service

Pentesting-as-a-Service takes our testing service to a new level. With our pentesting as a service offering, we use service tokens to allow clients to create their testing projects and mini engagements. Each token is the equivalent of a half-day test time and can be used for anything from monthly or weekly vulnerability management to red-team testing. You purchase several tokens and then use them in the test portal as you need them.

Pentesting as a Service Cost

With the service based around tokens, the service’s pricing is relatively simple. You start with 20 tokens at £9,500. Further tokens are then purchased at £400 per token. If you are looking for cheap penetration testing, then purchasing the pentest tokens is by far the lowest cost way forward.


How does it work?

Once you have purchased tokens, your assigned test team leader will be in touch. They will set you up on our test portal and arrange a short 30-minute training session for you so you know where everything is. From there you can request testing projects directly with your assigned test team.


Common Types of Penetration Test







Standards of Training for Pentesters

The standards of training and experience for pentesters at Hedgehog are high. All of our qualified penetration testers must hold the OSCP (Offensive Security Certified Professional) qualification and be at least a CREST Registered Tester.

Testers engaged in CREST approved pen testing will hold the CREST CPSA and CRT qualifications and will have a relevant specialism. That specialism may be in infrastructure testing, web application testing or in industrial control systems. Only these testers are ever authorised to deliver CREST accredited penetration testing for clients.

Our Testers Know their Vulnerability Classes


What Is the Difference Between Vulnerability Scans and Pen Tests?

Vulnerability scanners are automated tools.  Scanners examine an environment and, upon completion, create a report of uncovered vulnerabilities. These scanners often list these vulnerabilities using CVE identifiers that provide information on known weaknesses. They commonly score vulnerabilities out of 10 using the CVSS scoring system. With the CVSS system, the lower the score, the less risk.

Scanners can uncover thousands of vulnerabilities, so there may be enough severe vulnerabilities that further prioritization is needed. Additionally, these scores do not account for the circumstances of each IT environment. Penetration testing does.

While vulnerability scans provide a valuable picture of potential security weaknesses, penetration tests can add additional context by testing whether vulnerabilities can be used to gain access to your environment. Pentests can also help prioritize remediation plans based on what poses the most risk.

Why is Pen Testing Important?

Pen testing evaluates an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls and gain unauthorized or privileged access to protected assets.

Pen tests provide detailed information on actual, exploitable security threats. By performing a penetration test, you can proactively identify which vulnerabilities are most critical, which are less significant, and which are false positives. This allows organizations to more intelligently prioritize remediation.

These days, there’s no one solution to prevent a breach. Organizations must now have a portfolio of defensive security mechanisms and tools. Even with these vital security tools, it’s difficult to find and eliminate every vulnerability in an IT environment. Pen testing takes a proactive approach, uncovering weaknesses so that organizations know what remediation is needed.

Without the proper visibility into your environment as a whole, changing your security posture may result in you eliminating something that was not actually problematic. Pen tests don’t only tell you what isn’t working. They also serve as quality assurance checks, so you’ll also find out what policies are most effective, and what tools are providing the highest ROI. With these insights an organization can also intelligently allocate security resources, ensuring that they are available when and where they are needed most.

How can you be confident in your security posture if you do not effectively test it? By regularly putting your security infrastructure and your security team through their paces, you won’t have to wonder hypothetically what an attack will look like and how you’ll respond. You’ll have safely experienced one, and will know how to prepare to ensure your organization is never caught off guard.

Penetration testing helps organizations address the general auditing and compliance aspects of regulations and industry best practices. By exploiting an organization’s infrastructure, pen testing can demonstrate exactly how an attacker could gain access to sensitive data. As attack strategies grow and evolve, periodic mandated testing makes certain that organizations can stay one step ahead by uncovering and fixing security weaknesses before they can be exploited.

Additionally, for auditors, these tests can also verify that other mandated security measures are in place or working properly. The detailed reports that pen tests generate can help organizations illustrate ongoing due diligence to maintaining required security controls.

Frequently Asked Questions (FAQ)

Does your Pentest satisfy ‘x’ Compliance Requirements?

A question we hear often is whether we can meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards including PCI, HIPAA, SOC2, and others. That said, each compliance standard is different. For example, CREST Approved pen testing requires specific tester qualifications. These requirements should be discussed before moving forward. Contact us for more details.

Is pen testing disruptive to our environment? Will our systems go down? What is the pen testing plan?

If the pentest is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly, and comprehensively, to identify potential risks for disruption and adjust the approach accordingly. This planning should be conducted well in advance of the start date of any pentest in order to ensure adequate time for communication to project stakeholders. The communication and monitoring should continue throughout the pen testing schedule.

We have our website hosted with a third party. Should we test it?

Maybe – Is anyone testing the third party already? The first thing to do is to find out if the third party service provider is already having a reputable network penetration test provider review the website. If so, due diligence is needed to validate the scope is appropriate, review the methodology, and understand if any key findings were observed. An organization should confirm when it was last tested, when it will next be tested, and if there are any security vulnerabilities that were determined to be tolerable by the hosting provider.

If the third party is not testing the site, or if the testing being performed is not adequate, then yes, the site needs to be tested. Obtain the third party’s permission, as they should be involved in planning, to ensure that the site is tested safely and coordinated appropriately. If the third party won’t allow testing, one should strongly consider obtaining a “right to audit” clause in their contract or locate another hosting provider that accommodates the need for ongoing vulnerability management, including network and web penetration testing.

How do we validate vulnerabilities have been remediated?

Validating that vulnerabilities have been remediated can be performed using a variety of methods, either in-house or through external independent verification testing. Some organizations prefer to track remediation in-house and possess the resources to independently validate successful remediation; however, most seek independent validation and should have a remediation verification test performed. This is why it is critical that a penetration test and a vulnerability assessment be performed in a repeatable manner. Of equal importance is that the individual validating remediation is not the same individual that performed the remediation. Checking one’s own work is not as reliable as having an independent individual check that person’s work.

What is CREST accredited penetration testing?

CREST accredited penetration testing (also referred to as pentesting, pen testing and the often confusing PEN testing; no, we do not know why people capitalise the shortening of Penetration either) is a type of ethical or white hat hacking engagement designed to identify and address security vulnerabilities in your people, processes and technology. Most often a penetration test is focused on an element of your technology, such as networks, systems and applications. Pen testing takes different forms and can cover many areas. However, not all penetration testing companies work to the same standards, so there can be an inherent risk in allowing a provider to access important assets and data.

A CREST penetration test is an assessment conducted by a CREST-accredited provider. CREST accreditation demonstrates that a company conducts and documents penetration testing in accordance with the highest legal, ethical and technical standards.

In order to perform CREST accredited testing, a testing company must have in place the following:

  • ISO9001 certification
  • ISO27001 certification
  • Cyber Essentials certification
  • Cyber Essentials Plus certification
  • Professional Liability insurance
  • Public Liability insurance
  • CREST Registered Testers on staff
  • A fully documented complaints process

This all takes time and investment which is why you will find that CREST accredited penetration testing costs more than run-of-the-mill, off-the-shelf penetration testing that can be purchased from the unregulated testing market.

Should we fix all of the vulnerabilities that are reported?

You should evaluate all of the vulnerabilities using a risk-based model first. Each vulnerability should be evaluated for business impact and probability of being exploited to ultimately assign a risk rating. Companies should have risk criteria defined in order to determine thresholds for remediation. Vulnerabilities above the threshold should be remediated or appropriately compensated for in order to bring them within tolerable risk levels. A vulnerability that is within an acceptable threshold may not require remediation and instead may simply be monitored over time in case the risk level changes. The penetration test or vulnerability scan deliverables should contribute to this process. In certain compliance situations, specific vulnerabilities may be viewed as compliance gaps; and those gaps typically are either remediated or compensating controls are put in place when remediation is not possible.

What is Penetration Testing?

A penetration test, also known as a “pen test”, is a method for evaluating the effectiveness of an organization’s security controls. Testing is performed under controlled conditions, simulating scenarios representative of what a real attacker would attempt. When gaps are identified in a security control, a penetration test goes beyond basic vulnerability scanning to determine how an attacker would escalate access to sensitive information assets, confidential information, personally identifiable information (PII), financial data, intellectual property or any other sensitive information. Penetration testing utilises pen test tools and techniques, guided by a disciplined and repeatable methodology, resulting in a report containing detailed findings and recommendations that allow an organization to implement countermeasures and improve the security posture of the environment. These improvements ultimately reduce the likelihood an attacker could gain access.

Consider a penetration test as similar to an MOT on a car, or a financial audit of your accounts.

Why choose a CREST-accredited provider for pen testing?

“There are many benefits in procuring penetration testing services from a trusted, certified external company who employ professional, ethical and highly technically competent individuals. CREST member companies are certified penetration testing organisations who fully meet these requirements, having been awarded the gold standard in penetration testing, building trusted relationships with their clients.” – CREST

CREST-certified pen testing services provide assurance that the entire pen testing process will be conducted to the highest legal, ethical and technical standards. The CREST accredited penetration testing process follows best practice in key areas such as preparation & scoping, assignment execution, post technical delivery and data protection.

Only a CREST member company can deliver CREST Approved Pen Testing. It should also be kept in mind that CREST approved pen testing takes on average 20% more time to complete than a regular, unregulated penetration test.

How does a penetration test differ from an automated vulnerability scan?

Both penetration tests and automated vulnerability scans are useful tools for managing vulnerabilities. While these are different testing methods, they are complementary and both should be performed.

A vulnerability scan is an automated, low-cost method for testing common software, application, network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations, and other known weaknesses, it is not as reliable at validating the vulnerabilities it reports, nor does it fully determine their impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those impacting web applications). Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.

A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third party service providers, or a consultancy may have unique access rights for their engineers. Each of these scenarios would require different positioning of the penetration tester within the environment and adjustments to the methodology. Penetration testing is also mandated by the PCI DSS as noted in requirement 11.3.

What should we expect from the penetration testing process?

Pentesting is an extremely disciplined process. A penetration testing company should keep all stakeholders well-informed through every key stage of the process. As a company seeking pentesting services, you should expect the following (at a minimum):

  • A well-coordinated, planned, documented and communicated approach to know what is happening and when
  • A disciplined, repeatable approach should be followed
  • The approach should be customized to suit the unique environment of the business
  • A clearly defined initiation process, planning process, coordinated testing and a collaborative delivery process to ensure accurate results and a clear understanding of remediation

Review the comprehensive pentest methodology and how we can streamline the process for you.
