Penetration Testing FAQ

(by Meeghan McGahan at RedTeam Security)

Why Does My Business Need Penetration Testing?

Cyber-attacks continue to plague organizations and can cost a pretty penny. According to a recent report from IBM and the Ponemon Institute, a data breach cost an average of $3.86 million in 2020. Aside from the actual cost, you need to consider compliance issues and penalties that often accompany system compromises, along with damages that don’t have a dollar amount attached but are costly nonetheless. Benefits you’ll derive from comprehensive security testing include:

  • Identifying your vulnerabilities before cybercriminals do and plugging any security holes before a person with unlawful intentions finds them.
  • Reducing your network downtime and avoiding the high costs of being offline for extended periods of time if a cyberattack were to occur.
  • Contributing to your overall security posture and strategy by building stronger protective measures to circumvent any exploitation of technology assets, including invaluable and irreplaceable data.
  • Ensuring your organization meets government and industry compliance rules; failing to adhere to requirements, or failing to have an acceptable incident response, can lead to severe financial consequences.
  • Maintaining the public’s trust by building your organization’s reputation of good security practices, positioning yourself as a security-conscious company.

Being exploited by individuals with unauthorized access is expensive. Even one security event can do extensive damage to your business. Consider the aftermath of just one phishing incident, one PCI compliance failure, or an employee inadvertently sharing information with a person fraudulently presenting themselves as someone they’re not. Any of these events highlights deficiencies in your security controls. Best to beat them to it.

How Is Penetration Testing Done?

Security professionals, also known as ethical hackers, use ethical hacking techniques to flush out security control weaknesses before someone with malicious intentions discovers them. RedTeam Security's testing team has extensive experience conducting security testing and vulnerability assessments. As part of our penetration testing process, our knowledgeable security experts perform attack simulations and, in the process, uncover ways outsiders can try to gain access. Our goal is to find problems so you can put a stop to a security event before it starts.

What Are The Different Types Of Penetration Testing?

Web Application Penetration Test

RedTeam Security will assess the level of cybersecurity awareness evident in the design of your web application. We will find and attempt to exploit security flaws that could allow privilege escalation, disclosure of sensitive information, injection of malicious code into trusted components, invalid transactions, and other conditions recognized as posing security risk.

Network Penetration Test

During the penetration test, RedTeam Security will identify the environment's susceptibility to threats from a malicious user, third party, or malicious hacker attempting to breach systems in an attempt to gain unauthorized access to networks, operating systems, hosts, applications, and any sensitive or restricted data. This is done by leveraging a combination of expert manual testing and commercial, open-source, and proprietary software to fulfill the test objectives. An internal network pen test can be either authenticated or unauthenticated, and each provides a different level of information.

Wireless Endpoint Penetration Test

During the penetration test, RedTeam Security will identify the susceptibility of your wireless endpoint hardware and software to threats from a malicious user, third party, or malicious hacker attempting to breach systems in order to gain unauthorized access to other networks and sensitive data, compromise systems, or exploit guest devices. This is done by leveraging expert manual testing and open-source testing tools to fulfill the test objectives.

Social Engineering (Email & Phone)

RedTeam Security's social engineering aims to identify risks posed to an organization related to email and phone-based social engineering attacks with the primary goal of emulating real-world phishing and other social engineering threats.

Social Engineering (Onsite)

This type of social engineering test involves our consultants being physically onsite at target locations while either overtly interacting with staff and attempting to persuade them into performing certain actions or covertly blending in to avoid being challenged.

Physical Penetration Testing

Physical penetration testing, or physical intrusion testing, will reveal real-world opportunities for bad actors (insider threat, external actors, malicious outsiders) to compromise physical security barriers in a way that may allow for unauthorized physical access to sensitive areas.

Network Vulnerability Assessment

A vulnerability assessment is a process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities of a system or systems. RedTeam Security will identify vulnerabilities within the in-scope systems, quantify their risk and prioritize them according to importance. Unlike a Penetration Test, these vulnerabilities will not be exploited.

Physical Security Operation

A physical security operation aims to measure the strength of existing physical security controls and uncover their weaknesses before bad actors can discover and exploit them. Physical security operations or physical penetration testing will reveal real-world opportunities for malicious insiders or bad actors to be able to compromise physical barriers (i.e., locks, sensors, cameras, mantraps) in such a way that allows for unauthorized physical access to sensitive areas leading up to security breaches and system/network compromise.

What Levels Of Access Are Used During Penetration Testing?

Pentesting can be performed from different levels of access. Referred to as “black box,” “grey box,” and “white box” testing, these penetration testing types are categorized based on the level of knowledge and access shared with the tester by the client.

Black Box Penetration Testing Service

A black box test simulates an average hacker without much knowledge of the internal system or network. It attempts to exploit vulnerabilities of parts of the network that the public might see. As an example, a black box test might determine if hackers could breach an eCommerce site. This is usually the fastest type of test to run. On the other hand, if this test fails to breach security, it won’t uncover internal cybersecurity issues that a more sophisticated test typically would.

Gray Box Penetration Testing Service

A gray box test sits between a black box and a white box test. Testers develop these simulations to understand the issues an average system user could cause if they had bad intentions or if their login permissions were stolen. For example, a gray box test might look for application vulnerabilities in an information system that employees generally use.

White Box Pen Testing Service

Since organizations need to account for internal threats or stolen login permissions, they may choose a white box test to see if people with strong credentials could create mischief if they were so inclined. For example, these tests might determine the issues a hacker could cause after obtaining the login information of somebody in IT or IS. This kind of test typically takes the longest to plan and run, but it can offer genuinely robust information security suggestions.

Each approach has its pros and cons; each of the three can meet specific objectives, but there are tradeoffs with each. In theory, black box testing would be ideal, since the tester starts in a hacker’s position with the same level of knowledge, which is essentially nothing. However, allowing more access can be a significant time-saver, since pen testers with internal knowledge can quickly get to the root of any problems.

Speed, efficiency, and coverage also are considerations. Black box testing is the fastest, but without internal knowledge, vulnerabilities can be overlooked in a risk assessment that a cybercriminal might find. White box testing takes the longest, but it is a fully comprehensive form of penetration testing that allows the ability to truly vet out an organization’s internal network and security system, enabling pentesting to eliminate false positives.

How Will My Business Benefit From Penetration Testing Services?

Are you ready to receive an honest security assessment? RedTeam Security has been helping our clients eliminate cybersecurity vulnerabilities and threats since 2008. Whether you’re simply looking to implement stronger security measures or beef up your current security program, our various testing methods can help you achieve your objective. Our team holds many professional certifications, including CISSP, OSWP, CPT, CASS, CSSA, and OSCP.

Our penetration testers will thoroughly examine your technology and physical environments and pinpoint any human weaknesses in your operational protocols. About 80% of our penetration testing is manual testing, with 20% being automated. Our vigorous testing processes and attack simulations will uncover any vulnerabilities to ensure you can plug any security holes.

You want to maintain your reputation as a reliable and trustworthy organization or business. Employing a penetration testing methodology can help you to do this.

The benefits associated with penetration testing are many:

  • Provides an in-depth analysis of your current cybersecurity position.
  • Gain insight into any existing vulnerabilities.
  • Learn remediation strategies to reduce exposure to any identified vulnerabilities.

Along with your test results, our penetration testers will give you all of the information you need to make more informed decisions about your past, current, and potentially future security vulnerabilities that exist within the framework of your web applications. If you use open source applications, we’ll pentest weaknesses within their source code as well. We’ll help you to develop good strategies to protect all of your web applications.

How Is Penetration Testing Different From Vulnerability Assessments?

Again, vulnerability assessments refer to a system scan to uncover potential, common security issues. They’re part of the plan of a true network penetration test. The vulnerability assessment uncovers potential problems, but the pen test shows what could happen in a real-time attack against a live system.

Also, trained and experienced security experts will interpret these assessments and tests’ results, so an organization doesn’t have to worry that they really don’t understand the report they get or how to handle any issues.

It’s the difference between reading about what could happen and seeing what happens. Also, the vulnerability scan will generally only uncover technical issues and not any threats from the human side of managing security.

What Is Tested In A Web App Pen Test? 

Configuration Management

Comprehending the deployed configuration of the server/infrastructure hosting your web applications is nearly as critical as testing the application itself. After all, an application chain is only as strong as its weakest link, and you can rest assured those with non-honorable intentions will be seeking these weak points to launch cyberattacks or gain access to your valuable data. Application platforms are wide and varied, but some key platform configuration errors (insecure HTTP methods, old/backup files) can compromise your web application in the same way an unsecured application can compromise your web server.

Example testing includes: TLS Security, Database Listeners, File Extension Handling, and Cross-Site Tracing.

Authentication Testing

Authentication is the process of attempting to verify the digital identity of the sender of a communication. The most common example of this is the logon process. Any weak point in this process can result in a massive data breach if you’re not careful. As a step in our pentesting methodology, we test the authentication schema: we first learn how your current authentication process works, then use that information to try to circumvent the authentication mechanisms. Any weaknesses identified in this step can be effectively remedied to prevent bad actors from passing authentication steps to access your sensitive information.

Example testing includes: Brute Force Testing, User Enumeration, Transport Layer Security.

Session Management

Session Management is defined as the set of all controls governing the stateful interaction between a user and the web application they are interacting with. In general, this covers anything from how user authentication is carried out to what happens when the user logs out of your web application.

Example testing includes: Session Fixation, Cross Site Request Forgery, Cookie Management, and Session Timeout.
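As an added illustration (not code from this article or from RedTeam Security), the Python sketch below shows the controls a session management test exercises: a fresh session ID issued at login (the defence against session fixation), idle and absolute timeouts, the cookie attributes a tester checks for, and a per-session CSRF token. The timeout values and the in-memory store design are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed policy values for this example; real limits come from your own risk assessment.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session is dead
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, regardless of activity


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    # One unguessable token per session; forms must echo it back (CSRF defence).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory session store; `now` is injectable so the timeouts can be tested."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # 256 bits from the OS CSPRNG: IDs cannot be predicted or enumerated.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user=None, created=t, last_seen=t)
        return sid

    def login(self, sid: str, user: str) -> str:
        """Bind `user` to a NEW session ID and discard the pre-login one.
        Rotating the ID at authentication is the standard fix for session
        fixation: an ID planted in the browser before login never becomes
        an authenticated session."""
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid].user = user
        return new_sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for `sid`, enforcing both timeouts."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.logout(sid)          # expired sessions are removed, not just ignored
            return None
        s.last_seen = t               # sliding idle window
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def check_csrf(self, sid: str, submitted: Optional[str]) -> bool:
        """True only when the submitted token matches the session's token.
        compare_digest avoids leaking the token through timing differences."""
        s = self.get(sid)
        return s is not None and hmac.compare_digest(s.csrf_token, submitted or "")


def set_cookie_header(sid: str) -> str:
    """Cookie attributes a tester checks for: Secure (TLS only), HttpOnly
    (not readable by script), SameSite (not sent on cross-site requests)."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```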

Authorization Testing

Authorization Testing is the part of our methodology that involves understanding how your authorization process works and using that information to circumvent the authorization mechanism. Since authorization is the process that comes after successful authentication, the pen tester verifies this point while holding valid credentials that align with a well-defined set of roles and privileges. Where those roles and privileges are not enforced, our testers will determine where the lapses are in this part of your security posture and identify how to fix any weaknesses or discrepancies found.

Example testing includes: Directory Traversal, Privilege Escalation, and Bypassing Authorization Controls.

Data Input Validation

One of the most common web application security weaknesses is the failure to properly validate input coming from the client or from the environment before using it. This particular weakness is one of the primary causes of all of the major vulnerabilities present in web applications. This includes cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.

Example tests include: Cross-Site Scripting, SQL Injection, OS Commanding, and Server Side Injection.
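As an added example (not part of this article or of RedTeam Security's tooling), the Python below places the injection-prone query pattern beside its parameterised form and adds an allowlist check at the trust boundary; the username rule and the sample rows are assumptions constructed for the demo.

```python
import re
import sqlite3
from typing import List, Optional

# Allowlist for usernames (assumed application rule): letters, digits, '.', '_', '-', 3..32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The weakness a tester probes for: client input is concatenated into the
    SQL text, so a quote character changes the structure of the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterised query: the driver passes the value out of band, so it is
    compared as data and never parsed as SQL, whatever it contains."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def validate_username(username: str) -> Optional[str]:
    """Allowlist validation at the trust boundary. This complements, but does
    not replace, parameterisation: it rejects malformed input early and gives
    one place to log and alert on it."""
    return username if USERNAME_RE.fullmatch(username) else None


def lookup(conn: sqlite3.Connection, raw_input: str) -> List[str]:
    """Validate first, then query with a bound parameter."""
    name = validate_username(raw_input)
    if name is None:
        return []   # reject; a real application would also log this as suspicious input
    return find_user_safe(conn, name)
```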

Denial-of-Service (Optional)

A denial of service (DoS) attack is when a bad actor attempts to make a web application (or other important resources) unavailable to legitimate users. Traditionally, DoS attacks have been network-based. For example, a person with malicious intentions wants to flood a target machine with enough traffic to render it incapable of servicing legitimate users. However, there are other types of vulnerabilities present at the application level that can allow a malicious user to make certain functionality unavailable, which can put a significant damper on day-to-day operations or transactions (not to mention frustrate legitimate users or customers).

Typically, these problems are caused by bugs in the application and are often triggered by malicious or unexpected user input. This phase of our testing will put an emphasis on application layer attacks against availability that can be launched by just one malicious user on a single machine.

We recognize not all of our clients will have an appetite for DoS testing and, if this is the case, it may not be a component of each and every penetration test we perform. This is a step we’ll discuss with you to determine if this portion of testing would provide value to you.

Web / API Services

Web services have certain elements of exposure just like any other type of protocol or service. What is different is that web services can be used over HTTP, FTP, SMTP, or MQ, among other transport protocols. Many of the vulnerabilities we look for in web services are similar to those found elsewhere, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser-related vulnerabilities.

Example tests include: Information Gathering, Fuzzing, and Replay Testing.

How Long Does Network Penetration Testing Take?

Naturally, businesses will want to know how long their test will take. Most testing projects last between two and six weeks. The complexity and location of the facility and the sensitivity of the information will determine the schedule. Testing a one-doctor medical office won’t usually take as long as working with a global enterprise. Of course, the time the test takes may also depend upon any weaknesses or vulnerabilities uncovered and the sensitivity of the information that the security system should protect. After scoping the project and conducting an evaluation, our testing team can propose a detailed schedule estimate before any testing work begins.

What Are The Threats Facing My Wireless Network?

Most organizations today have some form of wireless network, which offers convenience and brings additional security risks that need to be addressed to protect sensitive data. While real-world physical security breaches require attackers to be on-site to gain physical access, wireless networks can be compromised remotely. 

Another threat to wireless network security is assuming that enabling wireless connectivity within an organization is the same as deploying a wireless network. The differences in these tasks often lead to improperly configured environments which can impact employees’ productivity, network security, or data present in the environment. This makes wireless access points an easy attack vector for attackers to gain access to your network.

How Much Does Penetration Testing Cost?

As with time estimates, the cost of pen tests will depend upon the organization’s nature, client expectations, and other factors. Our security team can conduct a quick, painless scoping process to provide both time and cost estimates.

Some factors that may impact the overall cost include the number of live IP addresses, type of applications, overall data sensitivity, kind of test, etc. Generally, a white box test costs more than a black box test, but it may produce more valuable information in some cases.

Some security companies advertise a flat rate for their projects. Still, those promises suggest they’re offering the same off-the-shelf service to a small business as they are to an enterprise, which doesn’t indicate that anybody will get exactly what they need or pay what they should.

What is Physical Penetration Testing?

Physical pentesting simulates real-world scenarios where criminals attempt to compromise your physical security barriers with the intent to access your buildings, systems, and even your employees’ knowledge.

Our physical pentesting methodology comprises several phases, and each and every test is conducted consistently using globally accepted and industry-standard frameworks. To ensure a sound and comprehensive physical security test, RedTeam leverages industry-standard frameworks as a foundation for carrying out penetration tests. At a minimum, the underlying framework is based on the NIST Special Publication 800 Series guidance and OSSTMM but goes beyond the initial framework itself.

RedTeam’s expert pentesters will carefully examine both your physical surroundings and internal environment to identify potential weaknesses. We’ll also spot any potential vulnerabilities that may exist in your established security controls so you can employ additional countermeasures.

How Much Does Physical Penetration Testing Cost?

Naturally, businesses need to know how much they will pay for their security project. Some websites offer flat rates for physical pen testing. Sadly, that’s a clear sign that the company probably won’t tailor their plan to the business. For example, a small clinic may keep private patient records they need to protect; however, the test probably won’t take as long or involve as many variables as the pen testing required for a global financial company.

RedTeam Security will do a quick, online scoping of the project to determine the price. Of course, time, travel, and other factors will determine the final cost. Take a look at the free online scoping process to request a personalized price quote.

Why Is Physical Penetration Testing Important? 

When people think of cybersecurity, they often turn an eye to areas such as computers, networks, web applications, mobile, and IoT (Internet of Things). All of these are important areas to firmly secure; however, when developing an overall cybersecurity strategy, organizations sometimes get caught up in their tech and inadvertently overlook their physical security. Performing physical penetration testing is essential to ensure your security plan is robust and able to stop bad actors from infiltrating and exploiting your business.

RedTeam Security understands the need to ensure your physical security barriers can withstand attempts made by these bad actors to gain access. Our experienced penetration testers are highly skilled at identifying any physical vulnerabilities in your organization’s physical defenses.

Investing in physical penetration testing comes with the benefit of exposing any weak physical barriers that might be present, along with enabling you to understand any risks you face and the damage attackers can cause should they breach your physical barriers. When our experienced pentesters set out to perform physical penetration testing, we do so intending to expose any lapses, weaknesses, or hidden vulnerabilities in your organization’s physical security. Other primary benefits of physical penetration testing include:

  • An experienced eye to examine all aspects of your physical security methods to determine any potential risks – sometimes, it takes an objective eye that isn’t overly familiar with your facility to detect weaknesses.
  • Ensure your physical controls, including locks, cameras, sensors, and barriers, are intact and free of any flaws.
  • Make certain your physical security defenses are as strong as they can be – if we detect any weaknesses, we’ll highlight these and address how they can be remediated.
  • Identify any human weaknesses in your organization and help develop strategies to integrate security awareness training as a part of your security posture.
  • Develop more robust overall security policies to ensure individuals with ill intent don’t successfully launch physical or cyber attacks against your organization.

Even if you invest a large portion of your budget in strengthening your digital defenses, all can be for naught if a criminal can easily access your facility to steal equipment, data, or any of your other valuable assets. RedTeam Security’s pentesters are extremely thorough and have years of experience in detecting even the most obscure weaknesses. We’ll flush out any vulnerabilities so you can rest assured no attackers will be able to exploit you.

What Are The Risks Associated With Not Performing Physical Penetration Testing?

Many companies decide if they add some heavy-duty locks, security cameras, and an alarm system, it’s enough to protect their facilities. What they don’t consider are the information security risks associated with social engineering, phishing, poor authentication processes at entry points, and other less obvious access points attackers will target. Any breaches made through these attack vectors will be expensive.

The real costs of not doing physical penetration testing can be quite high. Aside from the risk of breached data from a lapse in physical security (e.g. theft of laptops, valuable papers stolen, or other asset losses), you’ll want to weigh out additional costs when calculating your overall security assessment budget.

  • Hefty fines and legal fees. If attackers succeed in breaching your organization and your organization is found to be non-compliant, this can be costly.
  • Damage to reputation. Once the public hears about data breaches of any kind that puts PII at risk, it can put a large blight on your professional reputation or brand name.
  • Impact on future profits. If you lose public trust, this will have a severe impact on future profits; not to mention it’s usually costly to regain consumer confidence.
  • Money associated with exploits. A big trend for attackers is to steal assets or data and then demand ransom for its exchange.
  • Remediation costs. After an incident, an organization has to fix the problems. Either way, you’re going to need to budget for physical security. It’s better to be proactive and fix existing problems before an incident occurs.

The immediate costs associated with any kind of incident response are usually easy to calculate (and they can run into millions depending on the size of the data breach and whether any compliance violations, such as HIPAA, have occurred). What many organizations don’t realize is that there are many intangible costs involved as well if a good security posture is not achieved. These also should be factored into the real cost of not doing physical penetration testing.

Unfortunately, humans are the weakest link in security strategies, and social engineering attacks happen more often than we’d think. Through trickery, individuals with ill intent often get people to inadvertently give out enough information to pass validation and authentication processes. Any information we obtain from the people we contact will be used to build a better plan as the physical penetration testing process progresses.

What Tools Do Physical Penetration Testers Use?

RedTeam Security's team of security consultants will use the same kinds of tools that criminals use. These can range from electronic devices and apps that can pick up information from wireless connections to lock picking sets. In some cases, the security consultants may simply use diplomacy to try to entice employees to unwittingly cooperate with their simulated attack.

For example, businesses may have decent physical security against such outside threats as lock picking; however, at least one-third of companies suffer data breaches or other issues because of insider-initiated crimes. In other words, the problem starts with employees who gain access to data centers with their credentials but then use that access for criminal or malicious reasons.

In other cases, bad actors may convince well-intentioned employees to let them in by pretending to be another employee. They might even gain access to a meeting room and simply pick up credentials or information left discarded in the trash.

(Article from RedTeam Security)
