Pentesting: The Missing Piece in Your Security Puzzle

Written by Alex Vakulov.

Although not a recent invention, pentesting is a tool that is not understood by many in terms of when it is most effective and necessary. For some organizations, penetration testing is a means of responding to cyber-attacks; for others, it is a prevention mechanism.

Actually, pentests are neither a means of protection nor a means of prevention. Penetration testing is a tool for evaluating your security posture. It is a way to ensure the protection system is built correctly.

Who needs pentesting?

First, there are numerous companies that, by law, must frequently assess the adequacy of their security measures. There are also international standards recommending regular penetration testing.

Companies that do not have legal requirements can conduct a pentest based on whether they operate data, the loss of which would have critical consequences for their business.

If your company's production lines have almost no access to the Internet or you process data that is easy to recover and its loss will not cause severe damage, then in this case, it is not necessary to invite pentesters. It is always worth remembering that this service is not cheap.

At the same time, a small startup that works with medical data must test its security level as medical data is a highly confidential type of information.

Can a vulnerability scanner replace penetration testing?

Vulnerability scanning is the beginning of a penetration test. You scan your systems and see what can become an entry point for intruders. The scanner generates a report stating, for example, that one hundred hosts have been scanned, two have potential vulnerabilities, and something needs to be done here. And that is all.

The scanner does not perform penetration testing. It simply collects statistics. It reports the presence of vulnerabilities and generates a report that lists potential threats. The pentester, having finished scanning, begins to develop the attack further. The scanner is a necessary thing, but this is the very beginning. It does not replace a pentest.

It is worth noting that scanners that use artificial intelligence have appeared. They scan and, based on the results, launch pre-planned exploits. Using the results of the exploit's performance, they determine the next steps and how to progress with the attack. There are still very few such products on the market, but they have great potential.

Infosec audit vs. bug bounty

An audit is a check that your system meets a certain standard. Auditors can check, for example, the presence of firewalls or password policies. These checks are quite different from a penetration test, as the latter assesses the actual rather than the potential security level.

The company's participation in the bug bounty program is like doing a pentest. Companies run a bug bounty program and offer rewards to anyone who hacks their system or specific elements of it.

Today, bug bounties are used very limitedly. First, many people always want to participate, and there is a risk that your infrastructure will not withstand a large influx of hackers. Next, there is a chance that an unknown, but highly experienced pentester, having found a critical vulnerability, will not immediately disclose it to you but exploit it or sell it to someone. Some companies only allow a select group of experts to participate in their bug bounty programs.

Another critical difference: while bug bounties generally focus on identifying vulnerabilities in specific software, pentesting is a broader service aiming to uncover vulnerabilities in an organization's infrastructure.

Peculiarities of pentests

A contract known as a service-level agreement (SLA) is typically established with the pentesting provider. The scope of testing must be thoroughly detailed. You should specify which systems will be tested, when they will be tested, and how they will be tested. Testing beyond the agreed-upon scope is not permitted.

If you have agreed to test a specific IP range, you should only deal with that range. Even if the test reveals that the company has more IP addresses, and even if it operates another data center in another country and there are vulnerabilities there too, those IPs should not be touched.

There are many examples where even a simple port scan outside the agreed range was considered an incident. An investigation was started, and the perpetrators were brought to face punishment.

During a penetration test, there may be times when you assess the system's ability to handle a high level of traffic. If you host your service at a data center, you must coordinate with the center and inform them of your intent to conduct such testing. The center will then make necessary adjustments to its equipment. Amazon, Google, and other cloud providers specify on their websites that you can test your systems as you like, just do not disturb your neighbors out of the blue.

What methods and standards of pentesting are in demand?

There are multiple standards that pertain to the field of pentesting. One example is the standard for testing web applications. Additionally, there is a widely recognized international standard called PTES that outlines a protocol for conducting pentests. It covers various stages of pentesting, such as threat modeling, post-exploitation, etc.

Pentest providers usually discuss with the customer the methodology used to conduct testing. There are white-, gray- and back-box pentests. "Black box" is when the customer does not reveal anything about his infrastructure; "white" - is when pentesters are given access to the source code and can also audit the source code. And finally, the "grey box" is something in between when customers provide some information about the infrastructure.

A "black box" approach is often employed since hackers are typically external users who have no knowledge of the company and are attempting to gain unauthorized access.

How long do pentests last, and how often should they be carried out?

On average, the pentest lasts a month, sometimes longer. If they last for several months, it is already a Red Teaming. Red teaming is more like a cyber exercise. The service provider discusses the game's rules in advance and then tries to get into the system by all available means. Red teaming is less common if you compare it to pentesting. More often, it is the pentest of a particular system that is ordered. For example, you launch a new web portal and want to test it.

In terms of frequency, it is recommended to run penetration testing after every noticeable change in the infrastructure. How often these changes occur depends on your business processes. Usually, full-fledged pentests are done every six months or once a year - but agile businesses should consider running continuous pentesting if they are deploying at a faster pace. The rest of the time, after each minor configuration change, you can use scanners. Scans are cheaper and reveal basic problems.

What is being checked the most?

Most clients want to test websites, apps, portals, and everything available on the web. Some want to check how secure backups are. There are significantly fewer requests for internal penetration tests. This is likely due to industry-specific factors. Penetration testers commonly work with large corporations with established security practices, well-trained staff, and the ability to handle insider threats independently. These companies have the necessary technical resources to address data breaches. However, they often cannot comprehend what occurs beyond their organization and hire penetration testers to assess those external vulnerabilities.

Can you use penetration reports to train your own infosec professionals?

Some companies perceive penetration testing as an opportunity to learn something and determine whether they are doing everything right. The security team members often perceive the pentest as an exam that must be passed, or they will be punished. They may try to minimize the number of items that get into the report. A lot depends on how mature the information security processes in the company are and what kind of people work there.

Pentest does not provide great opportunities in terms of learning. During the pentest, specific problems are highlighted, but it is up to the customer's specialists to draw conclusions from what is written in the report. If they do, then they will learn something. Otherwise, nothing will change. They can fix current vulnerabilities, but new ones will appear in a year.

How to choose a penetration testing company?

The most important factor to consider is the reputation of the company and its experts. Penetration testers are individuals who are granted access to your infrastructure. It is crucial to ensure that in the event of a successful attack, they will not disclose any data to third parties. Of course, the relationship is governed by a detailed contract that addresses all aspects of the arrangement, but reputation is a key consideration.

Conclusion

Pentesting is a valuable tool for organizations to evaluate their security posture, but it is essential to understand its purpose and limitations. While vulnerability scanning is a crucial component of the pentesting process, it cannot replace a comprehensive pentest. Companies should establish a detailed service-level agreement with their pentesting firm and ensure they adhere to the agreed-upon scope of testing. Additionally, pentesting frequency should be based on business processes and noticeable changes in infrastructure. Reputation should be a primary consideration when choosing a pentesting company. Overall, pentesting provides organizations with the necessary insights to improve their security practices and prevent potential cyber threats.

About the Author

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.