When you say “I want a pen test,” what exactly do you mean?
According to Wikipedia, “A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system” with the goal of informing the system owner of both weaknesses and strengths. Typically, penetration tests are performed by an external security evaluation team with a range of knowledge, skills and tools to assist in the process. The results of the penetration test are most often used to guide remediation, repairing the weaknesses, and to develop a protection strategy.
At Outpost24, we regularly conduct penetration tests and help our clients across different sectors (banking, telco, government, etc.) understand the type of testing they need to meet their goals. To aid that discussion, we can use a diagram like this one, inspired by Patrick Thomas (@coffeetocode).
In the diagram, the goal is different for each type of test, while the inputs have a range of options. Scope, on the x-axis, can be thought of as how deep the investigation should probe. Details, on the y-axis, relates to how much advance information or access is given to the “attacker” in the simulation. Looking at each region in more detail:
This type of pen test is focused on proving that a set of technical controls is in place and operating. With this “audit,” organizations can report on regulatory obligations (such as HIPAA or Sarbanes-Oxley) or internal policy obligations (such as CIS controls).
This type of pen test is focused on discovering defects that can be exploited to attack the system. The goal in these tests is to provide detailed information about weaknesses that can be prioritized for remediation to lower the risk profile of the system under test. Note that the “-box” labels shown in the diagram indicate how much knowledge of the internal structure is divulged. Blackbox testing provides virtually no information about the system, while whitebox testing or code review provides complete details about internal structure, algorithms, or actual source code. Greybox falls between these extremes: the testers receive some detail about the system under test, yet the tests still proceed from an external perspective.
This type of pen testing is focused on exercising security people, processes and technologies in a realistic way, with the goal of ensuring that the systems can be protected. Further, if the attack is successful, it checks that the processes to contain or recover from the attack are exercised and operating correctly. Many times, the adversary (the penetration testers) simulates an attack unbeknownst to the defenders (the organization’s operations and security teams).
Note that there is some overlap. For example, the “scan” (one-time assessment) is typically performed with automated scanning tools to produce a report that guides remediation. Similarly, blackbox testing may be used for multiple purposes depending on your organization’s needs.
It’s also important to recognize that a “scan” (one-time assessment) can have a low cost if it is highly automated with scanning tools. Similarly, tests that have substantial manpower requirements (such as a code review or red team) will have a higher cost. In our experience, the cost of the penetration test increases the farther the desired test is from the origin in the diagram.
What type of pen test do you need?
With the range of options available, it’s useful for the Outpost24 team to understand what your goals are. Whether you need a management report to show that you have considered system security on an annual basis, or you want to prove that your operations and security teams are ready for any potential attack, we can structure a penetration test to meet your needs.
And by providing the test results along with access to the knowledgeable staff and tools used to conduct the tests, we can help your organization advance in your journey to more mature security processes and lower business risk. And that moves your organization a step closer to the goal that all our clients share – avoiding disruption to their business because of a cyber-security attack.