March 16, 2021

Penetration Testing – What It Is, The Types, and When to Do It

Post by: Matthew Thomson

Matthew Thomson is a principal security consultant at Core BTS. He has 13 years of security experience, has performed penetration testing for the NSA, was the security leader at a local credit union, and is a certified pen tester.

What Is Pen Testing?

Pen testing is short for penetration testing. At Core, pen testing involves simulating real-world attacks against a business's web applications; mobile and other non-web applications; networks and devices; cloud environments; end-user devices; security processes (e.g., security team response); people (i.e., social engineering); or a combination of these resources.

What is the Purpose of Pen Testing?

The purpose of pen testing is to test the effectiveness of security controls that have been put in place for protection. Any shortfalls in these controls are provided in a report back to the business so they can review and prioritize whether to accept, transfer, or mitigate the risks caused by the findings.

Who Does Pen Testing?

Pen testing is often carried out by a team of security professionals. Acting as ethical hackers, the team uses strategy and experience to find and report on security and privacy vulnerabilities.

3 Types of Pen Test

1. Black Box Testing
With black box testing, the team will try to break into a client’s network with no prior “inside knowledge”. This is like trying to break into a house with no prior knowledge of the floor plan, security systems, whether they have a dog, the people currently living at the residence, etc. Black box testing is more expensive because it takes longer than the other approaches, but it often produces more realistic results because it best mimics the process and findings of a real-world attacker.

2. White Box Testing
With white box testing, the pen testing team is provided complete knowledge of, and access to, a client's environment and resources. The goal of white box testing is not to try to break in, but instead to review the resources and environment for vulnerabilities. For example, the pen testing team may review device and cloud configurations, source code, policies, procedures, etc. White box testing allows a team to explore the client environment more completely and quickly (e.g., 2-4 weeks), at the cost of the insight gained by trying to break in.

3. Grey Box Testing
With grey box testing, the pen testing team is provided with "some inside knowledge" of the environment and resources. Grey box testing provides the same advantages as black box testing but allows the team to avoid the trial and error that black box testing normally involves and focus on the areas of greatest risk.

Most commonly, clients choose either a black or grey box testing approach. These give the best results; deciding between the two ultimately comes down to time, cost, or compliance requirements.

The Pen Test Process

Scoping
During scoping, the pen testing team seeks to understand the business goals behind the test (e.g., the test is needed for compliance), the resources in scope for the test and those that are off limits, the business significance of these resources, the rules guiding the test, and timeframes. For example, we will identify whether business teams with resource responsibility will be notified in advance. The client may also want testing to be done outside of normal business hours for any technique that has the potential to be intrusive or cause a degradation in system or network performance. Finally, we determine the level of "inside knowledge" the pen testing team will be provided.

Preparation
After scoping, the team will work with the client to prepare for the pen testing exercise. Testing dates and times will be established, client resource teams may be notified, testing devices installed, background information reviewed (in the case of white or grey box testing), etc.

Execution
The pen testing team will go about executing tests and recording results.

Review
The pen testing team will meet with the client to review the results of the test. A prioritized list of vulnerabilities will be presented along with mitigation recommendations. Finally, documentation will be provided to the client for use in any audits.

Risk Analysis
Risk is often described as consisting of likelihood and impact. A pen test can help a business establish the likelihood that an asset of value, such as personal information or intellectual property, can be compromised. The pen testers cannot fully determine the impact that the compromise of a given resource will have on the business – nor the cost of removing, reducing, transferring, or accepting the risk. During this phase, our pen testers work with the client to assess impact, assign risk ratings to the different vulnerabilities, establish project plans to address significant risk items, and help our client formulate associated budgets.

What Are Other Types of Security Testing?

The purpose of security testing is to discover vulnerabilities in applications or networks that could be exploited by an attacker. Pen testing is just one type of security testing. In addition to pen testing, a business may also conduct periodic or continual automated vulnerability scanning within its development, pre-production, and production environments. With vulnerability scanning, tools are run to identify and collect vulnerabilities, which are then prioritized and addressed.

In the custom software space, security testing may also be integrated into the DevOps pipeline. For example, an application and the cloud environment in which it is hosted may be scanned as part of the deployment process, and the deployment will be canceled if high risk vulnerabilities are discovered.
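The following Python script is an added example, not code from Core BTS or from the original post. It shows the kind of pipeline gate the two paragraphs above describe: scanner findings are collected, prioritized by severity, and the deployment is blocked when any finding meets the blocking threshold for the target environment. The JSON report format, the per-environment thresholds, and the finding IDs are all constructed for the example; real scanners each have their own output format, and the thresholds are a policy choice.

```python
"""Deployment gate for scanner findings (added example; not Core BTS code).

Assumes a hypothetical scanner that emits a JSON array of findings with
"id", "severity", "asset" and "title" fields. The sample report and the
per-environment thresholds below are constructed for illustration.
"""
import json
import sys

# Higher number = more severe. Severities the scanner may emit (assumed).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Policy (constructed): the minimum severity that cancels a deployment,
# getting stricter as code moves toward production.
BLOCK_THRESHOLD = {
    "development": "critical",
    "pre-production": "high",
    "production": "medium",
}

# Constructed sample scanner output. IDs and titles are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps([
    {"id": "FINDING-0001", "severity": "medium", "asset": "web-app",
     "title": "Missing HSTS header"},
    {"id": "FINDING-0002", "severity": "high", "asset": "cloud-storage",
     "title": "Storage bucket allows public read"},
    {"id": "FINDING-0003", "severity": "low", "asset": "web-app",
     "title": "Verbose server banner"},
    {"id": "FINDING-0004", "severity": "WeIrD", "asset": "api",
     "title": "Finding with a severity the policy does not recognise"},
])


def parse_findings(report_json):
    """Parse the scanner JSON into normalised findings.

    An unrecognised severity is treated as "high" so the gate fails closed:
    a finding the policy cannot classify is reviewed rather than silently passed.
    """
    findings = []
    for raw in json.loads(report_json):
        severity = str(raw.get("severity", "")).lower()
        if severity not in SEVERITY_RANK:
            severity = "high"
        findings.append({
            "id": raw["id"],
            "severity": severity,
            "asset": raw.get("asset", "unknown"),
            "title": raw.get("title", ""),
        })
    return findings


def prioritize(findings):
    """Most severe first; ties broken by asset then id so the order is stable."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK[f["severity"]], f["asset"], f["id"]))


def gate(report_json, environment="production"):
    """Decide whether a deployment to `environment` should be cancelled.

    Returns a dict with the prioritized findings, the subset that triggers the
    block, and the final decision. An empty report never blocks.
    """
    threshold = SEVERITY_RANK[BLOCK_THRESHOLD[environment]]
    findings = prioritize(parse_findings(report_json))
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"environment": environment, "block": bool(blocking),
            "blocking": blocking, "findings": findings}


if __name__ == "__main__":
    env = sys.argv[1] if len(sys.argv) > 1 else "production"
    result = gate(SAMPLE_REPORT, env)
    for f in result["findings"]:
        print(f"{f['severity']:<8} {f['asset']:<14} {f['id']}  {f['title']}")
    if result["block"]:
        print(f"Deployment to {env} cancelled: "
              f"{len(result['blocking'])} finding(s) at or above "
              f"'{BLOCK_THRESHOLD[env]}'")
        sys.exit(1)
    print(f"Deployment to {env} may proceed")
```

In a CI job the non-zero exit status is what cancels the deployment; the printed list is the prioritized work queue the vulnerability-scanning paragraph refers to. The fail-closed handling of unknown severities is the edge case worth copying: a scanner format change should surface as a blocked deploy, not as findings that quietly disappear.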

A business may also conduct a controls review audit. This is where policies and procedures are reviewed, and the business then provides samples of evidence so the audit team can gauge the maturity of the organization's cybersecurity program.

Should You Pen Test Every Application and Network?

Normally, we recommend implementing a security testing plan based upon resource risk and business value. Once resource risk has been analyzed (both likelihood and impact), it makes sense to spend more time on those resources at greater risk. Lighter-weight and less costly pen testing can be done for lower-risk assets.

It ultimately comes down to cost and time constraints. A good pen testing team will attempt to test as much of the environment as possible within the time provided.

One Thing to Keep in Mind When Considering a Pen Test

Don't jump to a pen test as your first security test. Instead, invest your time and resources into vulnerability scans and controls review audits. If you start with a penetration test, you will be paying a lot more than necessary for a team to find low-hanging fruit. Pen tests should come when your security program is more mature and you want to find gaps in your controls and processes that automated scanning tools won't easily find.

If you’d like to learn more about what security test is right for your organization, feel free to contact us.
