With so many types of penetration testing on offer, it can be difficult to ascertain which assessment meets the needs of your business.
Cyber security pen testing can vary widely, covering applications, wireless, network services and physical assets. These could include internal and external infrastructure testing, web or mobile application testing, API testing, cloud and network configuration reviews, social engineering and even physical security testing.
This blog attempts to cut through the industry jargon to provide all the information you need to identify the right pen test/VAPT for your organisation, including the important question of whether you require a black box, white box or grey box testing style.
What is pentesting?
A pen test is a form of ethical cyber security assessment aimed at finding, investigating and remediating vulnerabilities in a company’s network or applications. Pen testing harnesses the same tactics, techniques and procedures (TTPs) as cyber criminals to simulate a genuine attack against an organisation, enabling the organisation to understand whether its security controls are robust enough to withstand different kinds of threats.
Pen testing can simulate a range of attack vectors, depending on whether it is performed externally or internally. The goals and results of each pen test are defined by the needs of the organisation being tested. The level of information given to the penetration tester about the environment or systems they are due to test is determined by the type of assessment. In brief, in white box penetration testing the tester has all of the network and system information; in grey box penetration testing the tester is given only a limited amount of information; and in a black box penetration test the tester receives no information at all, to simulate the approach of a real-life attacker.
Types of penetration testing
Before selecting a suitable provider, it’s important to be familiar with the types of cyber security pen tests available, as engagements vary in focus, depth and duration. Common ethical hacking engagements include:
1. Internal & External Network Penetration Testing
An assessment of on-premises and cloud network infrastructure, including firewalls, system hosts and devices such as routers and switches. It can be framed as either an internal penetration test, focusing on assets inside the corporate network, or an external penetration test, targeting internet-facing infrastructure. To scope a test, you will need to know the number of internal and external IPs to be tested, the network subnet size and the number of sites.
2. Wireless Penetration Testing
A test that specifically targets an organisation’s WLAN (wireless local area network), as well as wireless protocols including Bluetooth, ZigBee and Z-Wave. It helps to identify rogue access points, weaknesses in encryption and WPA vulnerabilities. To scope an engagement, testers will need to know the number of wireless and guest networks, the locations and the unique SSIDs to be assessed.
3. Web Application Testing
An assessment of websites and custom applications delivered over the web, looking to uncover coding, design and development flaws that could be maliciously exploited. Before approaching a testing provider, it’s important to ascertain the number of apps that need testing, as well as the number of static pages, dynamic pages and input fields to be assessed.
4. Mobile Application Testing
The testing of mobile applications on operating systems including Android and iOS to identify authentication, authorisation, data leakage and session handling issues. To scope a test, providers will need to know the operating system types and versions the app should be tested on, the number of API calls, and any requirements for jailbreak and root detection.
5. Build and Configuration Review
Review of network builds and configurations to identify misconfigurations across web and app servers, routers and firewalls. The number of builds, operating systems and application servers to be reviewed during testing is crucial information to help scope this type of engagement.
6. Social Engineering
An assessment of the ability of your systems and personnel to detect and respond to email phishing attacks. Gain precise insight into the potential risks through customised phishing, spear phishing and Business Email Compromise (BEC) attacks.
7. Cloud Penetration Testing
Custom cloud security assessments to help your organisation overcome shared responsibility challenges by uncovering and addressing vulnerabilities across cloud and hybrid environments that could leave critical assets exposed.
8. Agile Penetration Testing
Continuous, developer-centric security assessments designed to identify and remediate security vulnerabilities throughout the entire development cycle. This agile approach helps to ensure that every product release, whether it is a minor bug fix or a major feature, has been vetted from a security perspective.
White box vs black box vs grey box pen testing
The amount of information shared prior to an engagement can have a huge influence on its outcomes. Testing style is usually defined as either white box, black box or grey box penetration testing.
- White box penetration testing
White box penetration testing, sometimes referred to as crystal or oblique box pen testing, involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.
- Black box penetration testing
In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organisation. However, this typically makes it the costliest option too.
- Grey box penetration testing
In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
In most real-world attacks, a persistent adversary will conduct reconnaissance on the target environment, giving them similar knowledge to an insider. Grey box testing is often favoured by customers as the best balance between efficiency and authenticity, stripping out the potentially time-consuming reconnaissance phase.
How often should pen testing be conducted?
It is recommended that all organisations commission security testing at least once per year, with additional assessments following significant changes to infrastructure, as well as prior to product launches, mergers or acquisitions. Organisations with very large IT estates, that process significant volumes of personal and financial data, or that have strict compliance requirements to adhere to, should conduct pen tests more frequently.
Organisations can also benefit from agile pen testing, or continuous pen testing, in which regular testing is integrated into the software development lifecycle (SDLC), rather than testing at infrequent points in time. While traditional pen testing has the potential to disrupt product release cycles, agile pen testing aligns with the release schedule to ensure that new features are secure and don’t present risks to customers.
Choosing the right pen test provider
When commissioning a pen test, it’s important to ensure the company has the necessary expertise not only to detect a wide range of vulnerabilities, but also to provide the assistance you need to remediate them as quickly as possible.
Redscan and Kroll’s team of CREST STAR, CRT, CCT INF and CCT APP accredited pen testers can be trusted to provide the comprehensive testing programmes to meet your business needs. Our experts help organisations in a range of industries uncover and address complex vulnerabilities across their internal and external infrastructure, wireless networks, web apps, mobile apps, network builds and configurations and more.
All our award-winning pen test services include complete post-test care, actionable outputs, prioritised remediation guidance and strategic security advice to help you make long term improvements to your cyber security posture.