How much time is needed to perform a typical penetration test?
Adequate time should be reserved before a penetration test for planning, and additional time after testing for report development and the review meetings that follow, including remediation discussions. The total effort varies greatly with the size and complexity of the network being tested: the larger or more complex the environment, the more effort is required. The duration of the test itself, however, is very controllable, and it should be kept compressed so that the results give a good, representative view of the environment at a single point in time rather than a picture that drifts as systems change during a long test window.
Generally speaking, four to six weeks is a good estimate for the entire engagement from planning through final delivery. The test itself typically runs one to two weeks depending on the size of the environment. It is rare for a test to take longer than two weeks; when an environment is large, a larger test team should be assigned to keep the test window to two weeks at most. For larger or more complex environments, testing may be broken into phases.
Consider a Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.
How do we prepare for a penetration test?
In general, nothing special needs to be done to prepare for a penetration test with respect to how security controls are managed day to day. Remember that a penetration test is a point-in-time review: it assesses the security posture as it stands when the test is performed. If patches are deployed every Wednesday, for example, there is no need to change that schedule to accommodate the test. If the results of the network penetration test show that this process requires attention, that is the appropriate time to adjust it.
An organization should expect to participate in preparation activities related to planning the penetration test itself to ensure the test can be performed under controlled conditions. Some preparation related to positioning the tester may also be needed, specifically when testing is being performed onsite.
The hiring company should be prepared to participate in planning and coordination, and to have documentation available that details the in-scope IP ranges for testing. It should also be ready to prepare test environments and to support the test scenarios defined in the scope. During internal onsite network penetration tests, visitor access badges are often required for the penetration testers. Otherwise, little else needs to be done before the test.
What is the difference between “Ethical Hacking” and other types of hackers and testing I’ve heard about?
It depends on who you ask; you should not put a lot of stock in these labels, since no industry-accepted standard for the terms exists. For example, the approach of the test may be referred to as “Ethical Hacking” (implying legitimacy of the approach), “Black Box Testing” (implying a covert, unassisted test in which the tester starts with no internal knowledge), “White Box Testing” (implying an assisted, non-covert test in which the tester is given documentation, credentials or other internal knowledge), or any of the shades of gray in between.
These terms are cleverly used for marketing purposes and should not be considered when judging the qualifications of the test team. When selecting a team, the company should focus on the credentials of every team member on the project, their experience, peer references from those who have worked with them, and ultimately whether their approach and methodology are industry accepted. These characteristics are what matter to ensure a test is performed safely and comprehensively and that its results can be relied on.
In the ever-changing world of cyber security, new terms and names are continually being invented to describe a penetration test. Our recommendation is to call a “penetration test” by what it is…a “penetration test”.
My customer wants to see the results of our penetration test. Should I share the penetration test report with outside parties?
It is not a good idea to send results outside of your company. A penetration test report contains extremely sensitive, highly confidential information and should only be made available to trusted internal resources on a need-to-know basis. Once the report is shared with an external party, control over its further distribution is difficult to guarantee. A penetration test report is a roadmap to an organization’s vulnerabilities and should not be distributed externally unless absolutely necessary.
A network penetration tester should be able to provide a summary version of the report that details scope, approach, tester qualifications and categorical results; this summary is the appropriate document to share. It is common to include summary remediation plans where applicable, but ultimately the third party needs documentation that gives them comfort that a mature, ongoing testing program is proactively assessing the environment and that key findings are being appropriately addressed. Providing the external party specific test details (affected hosts, credentials recovered, working attack paths) could present a significant security risk, whereas a summary deliverable provides insight into the testing without revealing them. Samples of HALOCK pen test deliverables are available upon request.
Can we do our own penetration testing?
It depends. Assigning internal resources may be a viable approach in certain situations; however, if the business is considering performing in-house penetration testing, the following should be considered first:
- The penetration testers on staff should be experienced, trained, and familiar with a variety of technologies.
- The penetration test team should have a different reporting structure than engineering or implementation teams. Separation between those managing the environment and those testing the environment is crucial. No one, no matter how skilled, can objectively test their own work.
- Some regulatory bodies have independence requirements that may require organizational changes or additional layers of oversight before they view the test as truly independent. These considerations should be explored to determine if they apply.
- A repository of commercial and open source tools should be obtained and updated regularly. As the costs for these tools can be significant, this should be included as part of the decision to avoid unexpected penetration testing costs.
- On-staff experienced project management capabilities are needed, especially in larger organizations where coordinating with various business units is needed prior to the test beginning.
- Continued training and ongoing monitoring of newly discovered vulnerabilities and threats is necessary.
- Staying current and up-to-date with testing methodologies, planning and deliverable artifacts is also necessary.
- Penetration testers should have access to a dedicated test lab for developing and testing exploits prior to their use in a production environment.
If these assets are available to an organization, or the cost to obtain and maintain them is lower than the cost of engaging a third party, it may be more cost-effective to perform network penetration testing in house. More often than not, it is far more cost-effective to leverage a third party that is already equipped for network penetration testing.
What are typical costs for a penetration test?
The cost for penetration testing varies greatly.
A number of factors determine pen test pricing, including but not limited to the scope of the project, the size of the environment, the quantity of systems, and the frequency of testing. It is critical to hold a detailed scoping meeting to produce a very clear understanding of the needs, and to develop a statement of work before engaging a penetration test provider. Ideally a penetration test should be performed on a fixed-fee basis to eliminate unexpected costs or unplanned expenditures. The quoted fee should include all labor and required testing tools. Statements of work (SOWs) that only provide estimates of the work effort should not be entertained.
Should we fix all of the vulnerabilities that are reported?
Evaluate all of the reported vulnerabilities using a risk-based model first. Each vulnerability should be assessed for business impact and probability of exploitation in order to assign a risk rating; a scanner severity or CVSS base score by itself is not a risk rating, because it does not account for the exposure of the system, the controls around it, or the data and functions behind it. Companies should have risk criteria defined in order to set thresholds for remediation. Vulnerabilities above the threshold should be remediated or appropriately compensated for to bring them within tolerable risk levels. A vulnerability within the acceptable threshold may not require remediation and may instead be monitored over time in case its risk level changes. The network penetration test deliverables should feed this process. In certain compliance situations, specific vulnerabilities may be viewed as compliance gaps regardless of their risk rating; those gaps are typically remediated, or compensating controls are put in place when remediation is not possible.
We have our website hosted with a third party. Should we test it?
Maybe. Is anyone testing the third party already? The first thing to do is find out whether the service provider already has a reputable penetration test provider reviewing the website. If so, due diligence is still needed: validate that the scope is appropriate (the hosted application itself, not only the provider’s shared infrastructure), review the methodology, and understand whether any key findings were observed. An organization should confirm when the site was last tested, when it will next be tested, and whether any security vulnerabilities were judged tolerable by the hosting provider.
If the third party is not testing the site, or the testing being performed is not adequate, then yes, the site needs to be tested. Obtain the third party’s written permission and involve them in planning, so that the site is tested safely and the work is coordinated appropriately; testing a provider’s systems without authorization is a contractual and potentially legal problem. If the third party will not allow testing, strongly consider obtaining a “right to audit” clause in the contract, or locate another hosting provider that accommodates the need for ongoing vulnerability management, including network penetration testing.
How do we validate vulnerabilities have been remediated?
Validating that vulnerabilities have been remediated can be done in a variety of ways, either in-house or through external independent verification testing. Some organizations prefer to track remediation in-house and have the resources to independently validate that fixes succeeded; most, however, seek independent validation and should have a remediation verification test performed. This is why it is critical that a penetration test be performed in a repeatable manner: the retest must exercise the same hosts, services and conditions as the original test, so that a finding that no longer appears can be attributed to the fix rather than to a difference in scope or a host that happened to be unreachable. Of equal importance, the individual validating remediation should not be the same individual who performed the remediation. Checking one’s own work is not as reliable as having an independent person check it.
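The comparison behind a remediation verification test, as an added example that is not part of the original page or of any HALOCK deliverable: baseline and retest findings are matched on a stable key (host, port, finding identifier, a schema assumed here for illustration), and a baseline finding that is absent from the retest only counts as remediated if the retest actually reached that host. The sample findings and host list are constructed.

```python
"""Remediation verification as a repeatable comparison of findings.

Added example for this FAQ; it is not HALOCK code or part of any report
template. It assumes findings are exported as dicts with host, port,
finding_id and severity (an assumed, hypothetical schema) and that the
retest records which hosts it actually reached. Sample data is constructed.
"""
from __future__ import annotations

FindingKey = tuple[str, int, str]  # (host, port, finding_id) identifies one finding


def finding_key(finding: dict) -> FindingKey:
    """Stable key so the same issue on the same service matches across tests."""
    return (finding["host"], int(finding["port"]), finding["finding_id"])


def verify_remediation(
    baseline: list[dict],
    retest: list[dict],
    retest_hosts_reached: set[str],
) -> dict[str, list[FindingKey]]:
    """Classify every baseline finding after a retest.

    remediated : in baseline, absent from retest, and the host was reached
    still_open : present in both tests
    unverified : absent from retest but the host was not reached, so the
                 absence proves nothing (the host may simply have been down)
    new        : present only in the retest (introduced or newly detected)
    """
    base = {finding_key(f) for f in baseline}
    again = {finding_key(f) for f in retest}
    result: dict[str, list[FindingKey]] = {
        "remediated": [], "still_open": [], "unverified": [], "new": []
    }
    for k in sorted(base):
        if k in again:
            result["still_open"].append(k)
        elif k[0] in retest_hosts_reached:
            result["remediated"].append(k)
        else:
            result["unverified"].append(k)
    result["new"] = sorted(again - base)
    return result


# Constructed sample data, not from any real engagement.
BASELINE = [
    {"host": "10.0.5.10", "port": 445, "finding_id": "SMB-SIGNING-DISABLED", "severity": "High"},
    {"host": "10.0.5.10", "port": 3389, "finding_id": "RDP-NLA-DISABLED", "severity": "Medium"},
    {"host": "10.0.5.22", "port": 22, "finding_id": "SSH-WEAK-KEX", "severity": "Medium"},
    {"host": "10.0.5.40", "port": 443, "finding_id": "TLS-1.0-ENABLED", "severity": "Medium"},
]
RETEST = [
    {"host": "10.0.5.10", "port": 3389, "finding_id": "RDP-NLA-DISABLED", "severity": "Medium"},
    {"host": "10.0.5.22", "port": 8080, "finding_id": "HTTP-DEFAULT-CREDS", "severity": "High"},
]
# 10.0.5.40 did not respond during the retest, so nothing about it is verified.
RETEST_HOSTS_REACHED = {"10.0.5.10", "10.0.5.22"}


def main() -> None:
    outcome = verify_remediation(BASELINE, RETEST, RETEST_HOSTS_REACHED)
    for status, keys in outcome.items():
        print(f"{status}:")
        for host, port, fid in keys:
            print(f"  {host}:{port} {fid}")


if __name__ == "__main__":
    main()
```

The "unverified" bucket is the part worth keeping: a retest that silently treats every missing finding as fixed will report a host that was powered off, firewalled, or dropped from scope as remediated. The same key scheme also makes the "new" bucket meaningful, since a service moved to a different port shows up as a new finding rather than quietly disappearing.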
What penetration test documentation or reporting should I expect to receive when the test is complete? How are the findings documented?
Once the penetration test is complete, the hiring company should receive pen test documentation in a report or deliverable detailing all of the findings, recommendations, and supporting evidence. The deliverable should clearly document the scope and boundaries of the engagement as well as the dates on which testing was performed. All detailed findings should be included in their technical form and also summarized for non-technical audiences. The report should include:
- Detailed recommendations for improvements that clearly document observed vulnerabilities
- A discussion of the potential business impacts from identified vulnerabilities
- Specific instructions for remediating, including instructional references where appropriate
- Supporting evidence and examples
- A step-by-step and screen-by-screen walkthrough demonstrating any exploits to allow an organization to understand and reproduce the scenario
- Executive and summary reports for non-technical audiences
Oftentimes, a separate deliverable is needed that is suitable for consumption by third parties seeking attestation that a network penetration test was performed. A qualified penetration test provider prepares these documents as part of the process when requested by an organization. All deliverables should be of high quality and reviewed with the customer to validate accuracy and ensure recommendations are well understood.