Hedgehog Security
CREST Approved Pentesting
2022-08-07T07:48:24+01:00

CREST Approved Penetration Testing helps Identify your Cyber Security weaknesses

CREST Approved Pentesting is a regulated, full-scope, multi-layered attack simulation, orchestrated from the perspective of a malicious threat actor, designed to measure how prepared your infrastructure, applications, people, processes and technologies can defend and withstand an attack from a real-life adversary, while uncovering potential risks and security vulnerabilities.

CREST Approved Pentesting is important for organisations of all sizes, and the traditional style of penetration testing has done the job for many years. Now, however, a well-structured and well-scoped penetration test needs to be more than a simple point-in-time test. Our CREST Approved Pentesting offering has evolved into a service-led offering that enables regular, repeated testing quickly and easily. It is based on seven stages of testing that form the backbone of our comprehensive penetration testing methodology.

CREST Approved Penetration Testing

We perform CREST Approved Penetration Testing, also known as CREST Defensible Penetration Testing, on a daily basis for numerous clients of all shapes and sizes. These tests can be one-off tests or part of a group of tests; we offer total flexibility to meet your testing needs. We go far beyond what you would traditionally receive in a penetration test: through our client portal we provide additional services that enhance your CREST Approved Penetration Test to deliver the next generation of security testing coverage. If you still need a single point-in-time, traditional penetration test, we can still help.

Each CREST Approved Penetration Test is consultant-led, with support from one of our project managers. The results and the consultant’s narrative are uploaded to the client portal, where customers can interact with the findings rather than reading a very large static report. You can also export the findings as CSV files, integrate the portal with Jira and download PDF reports.

We can test multiple different assets, from your people and internal business processes to web and mobile applications, brochure sites, social engineering and phishing, industrial control systems, internal and external infrastructure, cloud services of all kinds and more. We can also perform Cyber Attack Simulations in a CREST accredited role.


CREST Approved Pentesting as a Service

We offer Penetration Testing as a Service in addition to a more traditional point-in-time penetration test. Our CREST Approved Penetration Testing as a Service is built on our standard penetration test and makes full use of our client test portal. There is no more waiting until the end of a penetration test to see your results: with the penetration-testing-as-a-service model you can interact directly with your penetration test team through the portal, see the results in real time, address those results, request retests and discuss issues with your testers, all in the portal.

Our service also enables you to see your results over time, assess which of your issues require immediate remediation and monitor risk scores as they evolve. Using our penetration testing service model gives your business its very own penetration testing team, available to you twenty-four hours a day, seven days a week.

Penetration Testing Methodology

Our CREST Approved Penetration Testing methodology follows the MITRE ATT&CK framework and NIST Special Publication 800-115 (Technical Guide to Information Security Testing and Assessment), along with the latest Tactics, Techniques, and Procedures (TTPs) used by attackers.

The first of the seven stages of penetration testing is information gathering. The tested organisation provides the penetration tester with general information about the in-scope targets. This can range from IP addresses, hostnames and application details to simply the company name. What is supplied depends mainly on the perspective of the penetration test (how much an attacker is assumed to know) and on how much of the engagement the client wishes to spend on testing. From a tester’s point of view, the more information the client provides the better, as it reduces the time needed for reconnaissance and increases the time spent testing.

In the second stage, reconnaissance, we use the information gathered in the initial stage to collect additional details from publicly accessible sources, whether open-source intelligence (OSINT) sources or material hidden deeper on the internet. Reconnaissance is essential to a successful penetration test because it allows the testers to identify information that was overlooked, previously unknown, or not provided. This step is most beneficial in internal and external network penetration testing; we do not typically perform it in web, IoT, VPN/remote-working, API, or mobile application penetration testing.

The third stage is discovery. The information gathered in reconnaissance is used to determine things like the ports and services available on targeted hosts, or the subdomains available for web applications. During this phase we start to map a visual representation of your technology deployment and identify weaknesses in configurations. Depending on the scope of the penetration test, we may attempt limited brute-forcing of login services using usernames enumerated in the reconnaissance and information-gathering phases.
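As an added illustration of the discovery stage described above (this is example code written for this page, not Hedgehog’s or CREST’s own tooling), the following Python script performs a TCP connect scan of a host for a list of ports, grabs any banner a service volunteers, and returns structured results that the vulnerability stage can build on. Every target in the demonstration is constructed: two listeners are started on 127.0.0.1 on ephemeral ports (one announcing a made-up SSH-style banner, one silent) and one port is deliberately left with no listener, so the script runs offline. Port numbers, the banner text and the helper names are assumptions for the example only.

```python
"""Discovery-stage TCP service enumeration: an added example, not Hedgehog's
own tooling.  It connect-scans a host for a list of ports, grabs any banner the
service volunteers, and returns structured results for later stages.

For an offline run, constructed listeners are started on 127.0.0.1 (ephemeral
ports): one announces a made-up SSH-style banner, one stays silent, and one
port is deliberately left closed."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServiceResult:
    host: str
    port: int
    state: str                    # "open" or "closed"
    banner: Optional[str] = None  # first bytes the service sent unprompted


def probe(host: str, port: int, timeout: float = 1.0) -> ServiceResult:
    """TCP connect probe: 'open' if the handshake completes.

    After connecting, wait briefly for an unsolicited banner (SSH, SMTP and FTP
    speak first).  Services that wait for the client, such as HTTP, return no
    banner and are reported open without one; a real discovery pass would
    follow up with protocol-specific requests for those."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
            banner = data.decode("utf-8", "replace").strip() or None
            return ServiceResult(host, port, "open", banner)
    except OSError:  # ECONNREFUSED, timeouts, unreachable host
        return ServiceResult(host, port, "closed")


def discover(host: str, ports: List[int], timeout: float = 1.0,
             workers: int = 32) -> List[ServiceResult]:
    """Probe ports concurrently and return results sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(results, key=lambda r: r.port)


def open_services(results: List[ServiceResult]) -> List[ServiceResult]:
    """Filter to the open ports: the input to the vulnerability stage."""
    return [r for r in results if r.state == "open"]


def _start_listener(banner: Optional[bytes]) -> int:
    """Constructed local service for the demonstration; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _free_port() -> int:
    """Find a port with no listener (bind, read the number, close)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> Dict[str, ServiceResult]:
    """Run discovery against the constructed targets, keyed by label."""
    targets = {
        "ssh": _start_listener(b"SSH-2.0-OpenSSH_8.9\r\n"),  # constructed banner
        "silent": _start_listener(None),
        "closed": _free_port(),
    }
    by_port = {r.port: r for r in discover("127.0.0.1", list(targets.values()))}
    return {label: by_port[port] for label, port in targets.items()}


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:7s} {r.host}:{r.port} {r.state} {r.banner or ''}")
```

The design point is that discovery output should be data, not screenshots: each open port with its banner becomes a record that the validation stage can enrich (service version, candidate weaknesses) and that a later remediation check can re-run against the same targets. Against real infrastructure, keep the worker count and timeouts in line with the agreed scope and rules of engagement.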

The fourth stage is vulnerability validation and exposure analysis. We identify vulnerabilities, flag false positives, and analyse every vulnerability for its potential to be exploited and used maliciously against the organisation, using a combination of manual and automated vulnerability scanning techniques. Quite often you will find very cheap pricing for penetration testing; this is typically where you are being sold nothing more than a vulnerability scan dressed up to look like a penetration test. For more information, see our blog article on the dangers of cheap penetration testing.

The fifth stage, exploitation, is where the action happens and what looks to many like the “Hollywood” moment. It is the single largest consumer of testing time, and it is where every penetration tester wishes they could spend 100% of their time.

In the exploitation phase our team interprets the results of the vulnerability assessment and collates the data from all the previous stages to identify exploitation pathways. Our expert penetration testers then use a range of manual techniques and human intuition to validate, attack and exploit those vulnerabilities. It is not uncommon for our pentesters to spend time researching potential vulnerabilities and creating new, never-before-seen exploits; this class of exploit is commonly called a zero-day. Over the years we have authored well over 100 zero-day exploits, which have then been shared with the system or software vendor to enable them to fix the issue.

The overall goal is to gain access to sensitive information or to obtain a foothold on a system from which to pivot. Where system access is obtained, there is a lot of work involved in establishing persistence and elevating privileges so that the entire system can be assessed. At this point we often start to identify internal process weaknesses such as weak passwords, incorrect security configurations, and inadequate patching regimes.

The “giant loop” starts when access is achieved: each newly accessed system is fed back into Phase 3 (discovery) as a new vantage point. The loop continues for as long as new systems are compromised or the testing window remains open.

The sixth stage is reporting. When you work with Hedgehog on security testing, we deliver our findings continuously through our interactive testing portal, from which you download your final report in PDF and XLS formats. This comprehensive report includes narratives of the testing and of how we found and exploited vulnerabilities. It also contains details of the scope, the testing methodologies, in-depth findings and recommendations for remediation. We also note where findings will cause issues against standards such as Cyber Essentials, PCI DSS and ISO 27001.

The final stage of the seven stages of penetration testing, remediation, is the most important. Use the findings to create a risk-led remediation programme: rank the vulnerabilities, analyse their potential impact, determine remediation strategies, and let the results inform decision-making going forward.

The Hedgehog security testing methodology is unique and efficient. It does not rely on a static checklist and standard techniques and assessment methods built into “automated” pentesting software. It relies heavily on the experience and the skills of your penetration tester. Effective penetration testing requires a diligent effort to find enterprise weaknesses, just like a malicious individual would. We’ve developed these seven stages of penetration testing because we’ve proven that they prepare organisations for attacks and fix areas of vulnerability.

Frequently Asked Questions (FAQ)

What is CREST accredited penetration testing?

CREST accredited penetration testing (also referred to as pentesting, pen testing and the often confusing PEN testing; no, we do not know why people capitalise the shortening of Penetration either) is a type of ethical or white-hat hacking engagement designed to identify and address security vulnerabilities in your people, processes and technology. Most often a penetration test is focused on an element of your technology, such as networks, systems and applications. Pen testing takes different forms and can cover many areas. However, not all penetration testing companies work to the same standards, so there can be an inherent risk in allowing a provider to access important assets and data.

A CREST penetration test is an assessment conducted by a CREST-accredited provider. CREST accreditation demonstrates that a company conducts and documents penetration testing in accordance with the highest legal, ethical and technical standards.

In order to perform CREST accredited testing, a testing company must have in place the following:

  • ISO9001 certification
  • ISO27001 certification
  • Cyber Essentials certification
  • Cyber Essentials Plus certification
  • Professional Liability insurance
  • Public Liability insurance
  • CREST Registered Testers on staff
  • A fully documented complaints process

This all takes time and investment which is why you will find that CREST accredited penetration testing costs more than run-of-the-mill, off-the-shelf penetration testing that can be purchased from the unregulated testing market.

What are the benefits of CREST penetration testing?

CREST accredited penetration testing offers a number of advantages, including:

1. Highly trained security professionals

CREST penetration testing is typically carried out by, or under the supervision of, CREST-registered penetration testers. CREST-registered and CREST-certified penetration testers are required to pass a series of rigorous exams to prove their skill, knowledge and competence, and must re-sit them every three years. They also have to demonstrate between 6,000 hours (CREST-registered) and 10,000 hours (CREST-certified) of regular and frequent professional penetration testing experience.

2. Greater customer assurance

Companies are often asked to demonstrate the security and safety of their data to their customers. Using a CREST accredited provider to deliver CREST accredited penetration testing enables them to show that they are adhering to security best practice to protect that data. Commissioning a CREST member company may also provide a commercial advantage when bidding for contracts.

3. Supports regulatory compliance

A CREST accredited penetration testing engagement supports information security requirements such as the GDPR, ISO 27001, the Network and Information Systems Directive & Regulations (NIS Regulations) and the Payment Card Industry Data Security Standard (PCI DSS). A pentest may be specified directly by a particular regulation or indirectly by the need to assess and evaluate the effectiveness of technical and organisational controls.

4. Globally recognised accreditation

CREST accredited penetration testing is valid and recognised around the world. This provides valuable assurance for companies with a global presence or for those working with overseas customers. Using a pen testing provider which lacks accreditation or whose certification is limited to the UK may limit outcomes and credibility.

5. Up-to-date expertise

The threat landscape is constantly changing, as is the pentest world. To ensure that this knowledge is kept up to date, the organisational and individual CREST certification process is repeated periodically. Member organisations are regularly updated by CREST about the latest developments in technical information assurance and participate in member workshops and events.

Why choose a CREST-accredited provider for pen testing?

“There are many benefits in procuring penetration testing services from a trusted, certified external company who employ professional, ethical and highly technically competent individuals. CREST member companies are certified penetration testing organisations who fully meet these requirements, having been awarded the gold standard in penetration testing, building trusted relationships with their clients.” – CREST

CREST-certified pen testing services provide assurance that the entire pen testing process will be conducted to the highest legal, ethical and technical standards. The CREST accredited penetration testing process follows best practice in key areas such as preparation & scoping, assignment execution, post technical delivery and data protection.

Only a CREST member company can deliver CREST Approved Pen Testing. It should also be kept in mind that CREST Approved pen testing takes, on average, 20% more time to complete than a regular, unregulated penetration test.

What is a CREST-certified company?

Every CREST member company is required to submit policies, processes and procedures relating to their service provision to CREST for assessment. Gaining and maintaining CREST certification is an ongoing process rather than a one-time step – member organisations are required to submit an application annually, with a full reassessment required every three years.

Each CREST member company signs up to a binding and enforceable company code of conduct, which includes processes for resolving complaints.

Who is CREST?

The Council for Registered Ethical Security Testers (CREST) is an international not-for-profit accreditation and certification body which represents and supports the technical information security market. CREST provides internationally recognised accreditation for organisations and professional level certification for individuals who provide penetration testing and other services such as cyber incident response, threat intelligence and Security Operations Centre (SOC) services. To achieve CREST accreditation, companies must undergo a rigorous assessment of business processes, data security and security testing methodologies.

Only CREST member companies can perform CREST accredited penetration testing.

Does your Pentest satisfy ‘x’ Compliance Requirements?

A question we hear often is whether we can meet a particular compliance requirement. While this always requires a deeper discussion, our testing is in line with multiple pentesting compliance standards including PCI DSS, HIPAA, SOC 2 and others. That said, each compliance standard is different; for example, CREST Approved pen testing requires specific tester qualifications. These requirements should be discussed before moving forward. Contact us for more details.

How much of your Penetration Testing is Automated vs. Manual?

A question not enough people ask is how much of the testing is automated versus manual. Automated tools are a brief step early in our process; the large majority of our testing is manual. The amount of manual work varies from project to project, but around 80% of a large infrastructure pentest is hands-on, and around 95% of a web application penetration test. For CREST Approved pen testing the hands-on proportion is higher still.

This isn’t to say automated vulnerability scanners don’t have a place. Vulnerability scans are quick and simple and should be run on a regular basis to identify missing patches or outdated software, particularly in larger or poorly inventoried environments.

How soon can you start on my project?

We understand that clients often have hard deadlines to meet. Whether you are trying to satisfy client requirements that rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Manual penetration testing does, however, take some planning and preparation for our assessment team, and our schedule can be booked as much as 2-6 weeks out.

With that said, if you have an urgent project feel free to contact us about timelines.  Depending on needs and timelines, we may have the ability to pull resources off of a research project & get started immediately.

Should we fix all of the vulnerabilities that are reported?

You should evaluate all of the vulnerabilities using a risk-based model first. Each vulnerability should be evaluated for business impact and probability of being exploited to ultimately assign a risk rating. Companies should have risk criteria defined in order to determine thresholds for remediation. Vulnerabilities above the threshold should be remediated or appropriately compensated for in order to bring them within tolerable risk levels. A vulnerability that is within an acceptable threshold may not require remediation and instead may simply be monitored over time in case the risk level changes. The penetration test or vulnerability scan deliverables should contribute to this process. In certain compliance situations, specific vulnerabilities may be viewed as compliance gaps; and those gaps typically are either remediated or compensating controls are put in place when remediation is not possible.

We have our website hosted with a third party. Should we test it?

Maybe – Is anyone testing the third party already? The first thing to do is to find out if the third party service provider is already having a reputable network penetration test provider review the website. If so, due diligence is needed to validate the scope is appropriate, review the methodology, and understand if any key findings were observed. An organization should confirm when it was last tested, when it will next be tested, and if there are any security vulnerabilities that were determined to be tolerable by the hosting provider.

If the third party is not testing the site, or if the testing being performed is not adequate, then yes, the site needs to be tested. Obtain the third party’s permission, as they should be involved in planning, to ensure that the site is tested safely and coordinated appropriately. If the third party won’t allow testing, one should strongly consider obtaining a “right to audit” clause in their contract or locate another hosting provider that accommodates the need for ongoing vulnerability management, including network and web penetration testing.

How do we prepare for a penetration test?

In general, there is no need for anything special to prepare for a penetration test with respect to how security controls are managed on a day-to-day basis. Remember that a penetration test is a point in time review of the environment. The test is going to assess the security posture at that particular point in time. If patches are deployed every Wednesday, for example, there is no need to change this behavior to accommodate the penetration test itself. If the results of the infrastructure penetration test determine this process requires attention, then that would be the appropriate time to adjust.

An organization should expect to participate in preparation activities related to planning the penetration test itself to ensure the test can be performed under controlled conditions. Some preparation related to positioning the tester may also be needed, specifically when testing is being performed onsite.

The hiring company should be prepared to participate in the planning and coordination activities and be ready to have documentation available that details the in-scope IP ranges for testing when pen testing is being performed. Also be ready to prepare test environments and to support test scenarios defined in the scope. During internal infrastructure penetration tests, oftentimes visitor access badges are required for the penetration testers. Otherwise, there is not much else that is needed to be done prior to the test.

How do we validate vulnerabilities have been remediated?

Validating that vulnerabilities have been remediated can be done in a variety of ways, either in-house or through external independent verification testing. Some organisations prefer to track remediation in-house and have the resources to validate it themselves; however, most seek independent validation and should have a remediation verification test performed. This is why it is critical that a penetration test or vulnerability assessment be performed in a repeatable manner: each finding needs enough detail (target, conditions, evidence) that the same check can be re-run later. Of equal importance, the individual validating remediation should not be the same individual who performed it. Checking one’s own work is not as reliable as having an independent person check it.

What penetration test documentation or reporting should I expect to receive when the test is complete?

Once the penetration test is complete, you should receive pen test documentation in a report or deliverable detailing all of the findings, recommendations, and supporting evidence. The deliverable should clearly document the scope and boundaries of the engagement as well as the dates the pen testing was performed. Additionally, all detailed findings should be included in their technical format as well as summarized for non-technical audiences. The report should include:

  • Detailed recommendations for improvements that clearly document observed vulnerabilities
  • A discussion of the potential business impacts from identified vulnerabilities
  • Specific instructions for remediating, including instructional references where appropriate
  • Supporting evidence and examples
  • A step-by-step and screen-by-screen walkthrough demonstrating any exploits, so the organisation can understand and reproduce the scenario
  • Executive and summary reports for non-technical audiences

Oftentimes, a separate deliverable is needed that is suitable for consumption by third parties seeking attestation that a network penetration test was performed. A qualified penetration test provider prepares these documents as part of the process when requested by an organization. All deliverables should be of high quality and reviewed with the customer to validate accuracy and ensure recommendations are well understood.

What qualifications should the penetration testing team possess?

When a penetration testing provider is hired, the hiring company should expect that every penetration test team includes a dedicated project manager, a skilled and experienced test team, resource coordinator(s), and a point of escalation. The test team should include individuals with in-depth experience across multiple technologies including client platforms, server infrastructures, web application development, and IP networking. The individuals on the team should hold valid certifications relevant to their role such as Offensive Security Certified Professional (OSCP), CREST Registered Tester (CRT), Certified Information Systems Security Professional (CISSP) or equivalent credentials.

When CREST accredited penetration testing is being performed, a CREST CRT-qualified tester is used; CREST Approved pentesting can be delivered for all types of test. When a network penetration test is being performed to comply with a regulatory requirement, additional experience or certification is required to ensure the approach is appropriate and the results are presented in the correct context. For example, a penetration test performed to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement 11.3 is best delivered by individuals holding PCI QSA and PCI PA-QSA credentials. Many skilled penetration testers also hold other technology certifications to demonstrate their knowledge and proficiency.

What are the different options for pen testing?

The most common areas selected for pentesting scope are external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These can all be performed as part of a single engagement, but each differs in its testing approach.

Web Application Pentest: Based on the sensitivity or value of a web application, an in-depth review is appropriate. There are over 100 specific areas reviewed within each web application. Testing initially begins with conducting information gathering followed by testing configuration and deployment management, identity management, authentication, authorization, session management, data validation, error handling, cryptography strength, business logic, client side security, and other development language specific tests as appropriate. Hedgehog Security’s approach to assessing web applications provides a flexible framework for comprehensively identifying and evaluating technical vulnerabilities. Testing is typically performed with prior knowledge to ensure a deep understanding of the purpose of the application. Credentials are provided to facilitate a review not only from the perspective of an unauthorized user, but also to identify potential authenticated risks such as privilege escalation from an authorized user’s perspective.

External Network Pentest: External network penetration tests focus on the internet-facing network as a whole. Testing begins with reconnaissance to identify potential targets; any responding network, host or service may be targeted as a potential entry point into the secured network. While web applications identified along the way may be used to gain entry, network penetration testing goes much broader, exploring every exposed service and the relationships between them. Vulnerabilities identified are exploited and then leveraged to escalate privileges into the internal network.

Internal Network Pentest: Internal network penetration tests are very similar to external penetration tests with the exception of perspective. While an external penetration test is performed remotely to simulate an external attacker, an internal penetration test is performed internal to the network from behind the perimeter firewalls. The general approach is the same as an external penetration test, however the target systems and networks are very different. Performing onsite testing allows the penetration tester to target hosts not exposed externally such as file servers, user workstations, domain controllers, internal application servers, databases, and other connected devices.

Wireless Pentesting: Wireless penetration tests assess the adequacy of the security controls designed to protect your wireless services against unauthorised access. Testing analyses and attempts to exploit wireless vulnerabilities to gain access to the private (protected) SSIDs authorised for testing. Additional scenarios may be included, for example where guest wireless access is provided to visitors with the expectation that it is restricted in some way.

Social Engineering (Human Pentesting): Remote social engineering is a remote assessment performed under controlled conditions designed to validate the effectiveness of user security awareness and incident response processes. Testing includes leveraging a carefully crafted fictitious “malicious” website, email campaigns to targeted employees, phone contact, or through other customized attack scenarios. This is commonly performed shortly after security awareness training or education campaigns to validate their effectiveness.

CREST Approved Pen Testing: CREST Approved pen testing is typically required in regulated markets such as healthcare, local government and financial services. Any type of test can be delivered as a CREST Approved engagement, but this needs to be defined well beforehand so that the appropriate resources are available. All CREST accredited penetration testing engagements use CREST CRT-qualified staff.

Remediation Verification: Remediation verification testing validates identified vulnerabilities have been successfully remediated, providing independent confirmation that corrective measures have been implemented in a manner that prevents exploitation.

Consider a Recurring Pentesting program to assess your safeguards throughout the year for a proactive security approach and manage your risks.

How is the scope of a penetration test defined?

The scope of a penetration test should always be defined collaboratively and customised to the unique nature of the business and its risk profile. A variety of considerations, both internal and external to an organisation, guide the scope of a penetration test:

  • The nature of the business and types of products/services offered
  • Compliance requirements and deadlines
  • Geographic considerations
  • Organizational structure
  • The organization’s strategic plans
  • Customer expectations, especially when an organization acts as a custodian of that customer’s data
  • The value of the company’s assets
  • Redundancy in the environment that may impact sampling thresholds
  • Network segmentation and connectivity
  • The age of different components of the environment
  • Recent or planned changes to the environment

All of these factors need to be discussed and understood to make sure that the scope is appropriate and to ensure that the testing is focused in the areas of the environment that warrant it.

How often should we conduct a penetration test?

It depends, as a variety of factors should be thought through when deciding how frequently to conduct penetration tests. When determining what is appropriate, consider factors such as:

  • How frequently the environment changes: Tests are often timed to correlate with changes as they near a production ready state.
  • How large the environment is: Larger environments are frequently tested in phases to level the testing effort, remediation activities, and load placed on the environment.
  • Budgetary factors: Testing should be scoped to focus on the most critical assets according to a timeline that is supported by the allocation of security budgets.

Remember that the frequency of the pentesting needs to be adjusted to meet the unique needs of the organization; and it’s important that those needs are understood and incorporated into the testing approach from the beginning.

Performing a pentest too infrequently leaves a window that increases an organization’s exposure to risk. On the other hand, if testing is done too frequently, there is inadequate time to remediate before testing resumes. Therefore it is important to strike a balance.

Companies that recognize the importance of pentesting, especially CREST accredited penetration testing, will implement testing on a recurring basis. Recurring pentest programs allow the schedule to be more adaptable and are better suited to taking these factors into consideration. Recurring pen testing programs also allow companies to spread the tests out over a longer horizon and increase frequency to narrow the window of exposure. Explore Recurring PenTesting for your organization to have ongoing verification of your safeguards and to proactively manage your risks.

Is pen testing disruptive to our environment? Will our systems go down? What is the pen testing plan? (2022-07-24T10:14:54+01:00)

If the pentest is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly and comprehensively, to identify potential risks of disruption and adjust the approach accordingly. This planning should be conducted well in advance of the start date of any pentest in order to ensure adequate time for communication with project stakeholders. Communication and monitoring should continue throughout the pen testing schedule.

What should we expect from the penetration testing process? (2022-07-24T10:15:59+01:00)

Pentesting is an extremely disciplined process. A penetration testing company should keep all stakeholders well informed through every key stage of the process. As a company seeking pentesting services, you should expect the following (at a minimum):

  • A well-coordinated, planned, documented and communicated approach, so you know what is happening and when
  • A disciplined, repeatable approach
  • An approach customized to suit the unique environment of the business
  • A clearly defined initiation process, planning process, coordinated testing and a collaborative delivery process to ensure accurate results and a clear understanding of remediation

Review the comprehensive pentest methodology and how we can streamline the process for you.

Why should we have a penetration test performed? (2022-07-24T10:17:49+01:00)

A Pentest should be performed for a variety of reasons. Some of the more common reasons why companies perform network penetration tests include:

  • Most relevant regulatory standards require that a pentest is performed.
  • Pentesting can identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration.
  • Pentesting can be integrated into the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems.
  • Organizations, especially those acting as data custodians, are being required by their customers to have testing performed. Penetration testing can demonstrate a commitment to security from a customer perspective and provide attestation that their assets or services are being managed securely.
  • Pentesting is a common requirement for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organization. Results can be used as input into an ongoing Risk Management process.
  • Pentests allow companies to assess the security controls of potential acquisition targets. Most organizations preparing to acquire another organization seek insight into the vulnerabilities they may introduce in doing so, and plan for the costs they may incur to remediate them.
  • To support a breach investigation, penetration testing may tell an organization where other vulnerabilities may exist, in order to have a comprehensive response to the incident.
  • Pentests allow companies to proactively assess for emerging or newly discovered vulnerabilities that were not known or have not yet been widely published.
  • A pentest serves as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting flaws is typically less costly the earlier in the development lifecycle they are discovered. Additional testing prior to go-live on a production-ready build can identify any remaining issues that might require attention before loading users onto the application.


What are the goals of a penetration test? (2022-07-24T10:18:57+01:00)

The goals of a pentest vary greatly based on the scope of review. Generally speaking, the goal of a pentest is to validate the effectiveness of the security controls designed to protect the system or assets in scope.

A Pentest should always document the goals of the project. Pentesting reports and deliverables outline the expectations, scope, requirements, resources, and results. Samples available upon request.

How does a penetration test differ from an automated vulnerability scan? (2022-07-24T09:35:21+01:00)

Both penetration tests and automated vulnerability scans are useful tools for managing vulnerabilities. While these are different testing methods, they are complementary and both should be performed.

A vulnerability scan is an automated, low-cost method for testing for common software, application, network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations, and other known weaknesses, it is less accurate in validating the vulnerabilities it reports and does not fully determine their impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those impacting web applications). Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.

A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third party service providers, or a consultancy may have unique access rights for its engineers. Each of these scenarios would require different positioning of the penetration tester within the environment and require adjustments to the methodology. Penetration testing is also mandated by the PCI DSS as noted in requirement 11.3.

What is Penetration Testing? (2022-07-24T09:31:26+01:00)

A penetration test, also known as a “pen test”, is a method for evaluating the effectiveness of an organization’s security controls. Testing is performed under controlled conditions, simulating scenarios representative of what a real attacker would attempt. When gaps are identified in a security control, a penetration test goes beyond basic vulnerability scanning to determine how an attacker would escalate access to sensitive information assets: confidential information, personally identifiable information (PII), financial data, intellectual property or any other sensitive information. Penetration testing utilises pen test tools and techniques, guided by a disciplined and repeatable methodology, resulting in a report containing detailed findings and recommendations that allow an organization to implement countermeasures and improve the security posture of the environment. These improvements ultimately reduce the likelihood that an attacker could gain access.

Consider a penetration test as similar to an MOT on a car, or a financial audit of your accounts.
