
Penetration Testing - What It Is, The Types, and When to Do It

Matthew Thomson  |  Mar 16, 2021
 
About the author: Matthew Thomson is a principal security consultant at Skyline Technologies – a Core BTS Company. He has 13 years of security experience, has performed penetration testing for the NSA, was the security leader at a local credit union, and is a certified pen tester.
 

What Is Pen Testing?

Pen testing is short for penetration testing. At Skyline, pen testing involves simulating real-world attacks against a business’s web applications, mobile and other non-web applications, networks and devices, cloud environments, end-user devices, security processes (e.g., security team response), people (i.e., social engineering), or a combination of these resources.
 

What is the Purpose of Pen Testing?

The purpose of pen testing is to test the effectiveness of security controls that have been put in place for protection. Any shortfalls in these controls are provided in a report back to the business so they can review and prioritize whether to accept, transfer, or mitigate the risks caused by the findings.
 

Who Does Pen Testing?

Pen testing is often carried out by a team of security professionals. Acting as ethical hackers, the team uses strategy and experience to find and report on security and privacy vulnerabilities.
 

3 Types of Pen Test

 

1. Black Box Testing

With black box testing, the team will try to break into a client’s network with no prior “inside knowledge”. This is like trying to break into a house with no prior knowledge of the floor plan, security systems, whether they have a dog, the people currently living at the residence, etc. Black box testing is more expensive because it takes longer than the other approaches, but it often produces more realistic results because it best mimics the process and findings of a real-world attacker.
 

2. White Box Testing

With white box testing, the pen testing team is provided complete knowledge of, and access to, a client’s environment and resources. The goal of white box testing is not to try to break in, but instead to review the resources and environment for vulnerabilities. For example, the pen testing team may review device and cloud configurations, source code, policies, procedures, etc. White box testing allows a team to explore the client environment more completely and quickly (e.g., 2-4 weeks), at the cost of the insight gained by actually trying to break in.
 

3. Grey Box Testing

With grey box testing, the pen testing team is provided with “some inside knowledge” of the environment and resources. Grey box testing provides the same advantages as black box testing but allows the team to avoid the trial-and-error that black box testing normally involves and focus on the areas of greatest risk.
 
Most commonly, clients choose either a black or grey box testing approach. These give the best results, and the choice between the two ultimately comes down to time, cost, or compliance requirements.
 

The Pen Test Process

Scoping

During scoping, the pen testing team seeks to understand the business goals behind the test (e.g., the test is needed for compliance), the resources in scope for the test and those that are off limits, the business significance of these resources, the rules guiding the test, and timeframes. For example, we identify whether the business teams responsible for a resource will be notified in advance. The client may also want any technique that could be intrusive or degrade system or network performance to be run outside of normal business hours. Finally, we determine the level of “inside knowledge” the pen testing team will be provided.
 

Preparation

After scoping, the team will work with the client to prepare for the pen testing exercise. Testing dates and times will be established, client resource teams may be notified, testing devices installed, background information reviewed (in the case of white or grey box testing), etc.
 

Execution

The pen testing team will go about executing tests and recording results.
 

Review

The pen testing team will meet with the client to review the results of the test. A prioritized list of vulnerabilities will be presented along with mitigation recommendations. Finally, documentation will be provided to the client for use in any audits.
 

Risk Analysis

Risk is often described as consisting of likelihood and impact. A pen test can help a business establish the likelihood that an asset of value, such as personal information or intellectual property, can be compromised. The pen testers cannot fully determine the impact that the compromise of a given resource will have on the business – nor the cost of removing, reducing, transferring, or accepting the risk. During this phase, our pen testers work with the client to assess impact, assign risk ratings to the different vulnerabilities, establish project plans to address significant risk items, and help our client formulate associated budgets.
 

What Are Other Types of Security Testing?

The purpose of security testing is to discover vulnerabilities in applications or networks that can be exploited by an attacker. Pen testing is just one type of security testing. In addition to pen testing, a business may also conduct periodic or continual automated vulnerability scanning within their development, pre-production, and production environments. With vulnerability scanning, tools are run to identify and collect vulnerabilities which are then prioritized and addressed. 
 
In the custom software space, security testing may also be integrated into the DevOps pipeline. For example, an application and the cloud environment in which it is hosted may be scanned as part of the deployment process, and the deployment will be cancelled if high-risk vulnerabilities are discovered.
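The pipeline gate described above, as an added example that is not Skyline’s tooling or code from the original post. It assumes a scanner that emits JSON findings with an `id`, a `severity` name and a `title`; the report format, the severity vocabulary, the sample findings and the accepted-risk register are all constructed for this illustration. The gate fails the deployment on any finding at or above the configured severity, unless the business has formally accepted that specific finding and the acceptance has not expired (tying the gate back to the accept/transfer/mitigate decision from the risk report); a finding with an unrecognised severity is treated as blocking so that a malformed report cannot slip through.

```python
"""Deployment gate: cancel a pipeline run when a vulnerability scan reports
high-risk findings. Illustrative code, not a real scanner integration; the
report format, severity names and sample data below are all constructed."""
from dataclasses import dataclass
from datetime import date
import json
import sys
from typing import Dict, List, Optional

# Assumed scanner vocabulary, ordered from least to most serious.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output for an app plus its cloud environment.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "severity": "critical", "title": "Storage bucket publicly readable"},
        {"id": "F-002", "severity": "high", "title": "Outdated TLS configuration"},
        {"id": "F-003", "severity": "medium", "title": "Verbose server banner"},
        {"id": "F-004", "severity": "low", "title": "Missing cache-control header"},
    ]
})

# Constructed risk register: findings the business has formally accepted,
# each with an ISO expiry date so the acceptance is revisited, not forgotten.
ACCEPTED_RISKS: Dict[str, str] = {"F-002": "2099-01-01"}


@dataclass
class GateResult:
    blocking: List[str]   # finding ids that cancel the deployment
    accepted: List[str]   # blocking-severity findings covered by a valid acceptance
    ok: bool              # True when the deployment may proceed


def parse_findings(report_json: str) -> List[dict]:
    """Parse the scanner report; unrecognised severities are kept as 'unknown'."""
    data = json.loads(report_json)
    findings = []
    for f in data.get("findings", []):
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            sev = "unknown"
        findings.append({"id": f.get("id", "?"), "severity": sev,
                         "title": f.get("title", "")})
    return findings


def evaluate_gate(findings: List[dict], threshold: str = "high",
                  today_iso: Optional[str] = None,
                  accepted: Optional[Dict[str, str]] = None) -> GateResult:
    """Block on any finding at or above `threshold` unless it has an
    unexpired acceptance in the risk register."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    register = ACCEPTED_RISKS if accepted is None else accepted
    min_rank = SEVERITY_RANK[threshold]
    blocking, waived = [], []
    for f in findings:
        # Fail closed: an unknown severity is ranked as critical.
        rank = SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["critical"])
        if rank < min_rank:
            continue
        expiry = register.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append(f["id"])
        else:
            blocking.append(f["id"])
    return GateResult(blocking=blocking, accepted=waived, ok=not blocking)


def main(report_json: str = SAMPLE_REPORT) -> int:
    """Return the process exit code a CI step would use: 0 allows, 1 cancels."""
    result = evaluate_gate(parse_findings(report_json))
    for fid in result.accepted:
        print(f"accepted risk (not blocking): {fid}")
    for fid in result.blocking:
        print(f"BLOCKING finding: {fid}")
    print("deployment " + ("allowed" if result.ok else "cancelled"))
    return 0 if result.ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the script’s non-zero exit code is what cancels the deployment; with the constructed data it blocks on F-001 (critical, not accepted), waives F-002 (high, accepted until 2099), and ignores the medium and low findings, which are left for the normal backlog rather than the release gate.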
 
A business may also conduct a controls review audit. This is where policies and procedures are reviewed, and then the business provides the testers with samples for the test/audit team to gauge the maturity of the organization’s cybersecurity program.
 

Should You Pen Test Every Application and Network?

Normally, we recommend implementing a security testing plan based upon resource risk and business value. Once resource risk has been analyzed (both likelihood and impact), it makes sense to spend more time on the resources at greater risk. Lighter-weight and less costly pen testing can be done for lower-risk assets.
 
It ultimately comes down to cost and time constraints. A good pen testing team will attempt to test as much of the environment as possible within the time provided.
 

One Thing to Keep in Mind When Considering a Pen Test

Don’t jump to a pen test as your first security test. Instead, invest your time and resources into vulnerability scans and controls review audits first. If you start with a penetration test, you will be paying a lot more than necessary for a team to find low-hanging fruit. Pen tests should come when your security program is more mature and you want to find the gaps in your controls and processes that automated scanning tools won’t easily find.
 
If you’d like to learn more about what security test is right for your organization, feel free to contact us.
 