Offensive testing is a great way to ensure that your company is not just theoretically safe from cyber-attacks. Find out why testing is recommended and what different testing types exist.
When talking about offensive security, "pentesting" is an often-used term. It is short for "penetration testing" (PT) and refers to a security consultant assessing the security of your systems and software by actively conducting controlled attacks to discover weaknesses and prove that vulnerabilities are actually exploitable.
There are multiple types of penetration testing according to the specific needs of your organization.
Generally, the objective of a web or mobile application penetration test is to provide a realistic picture of what an attacker could accomplish when targeting these applications. The pentester's efforts focus on identifying security gaps and vulnerabilities, circumventing security and business logic controls, and launching authorized exploits against the in-scope environment.
Duration: A typical web application penetration test for a single application can take up to seven working days, while a mobile application penetration test usually takes three to five working days.
Infrastructure penetration tests usually focus on evaluating the exposure of a system's services and security controls against threats that could compromise the confidentiality, integrity or availability (the so-called "CIA triad") of the proprietary information residing on your network. The tester tries to gain an initial foothold on your network by breaching externally exposed infrastructure assets.
Duration: A typical external pentest can take from five to seven working days, depending on the number and type of assets.
If application and infrastructure hacking are the bread and butter, then social engineering is the oven. Social engineering is often described as a manipulation technique that exploits human error to obtain private information, access or valuables. In offensive security, however, social engineering is a deep and endless topic. Did you know that 88% of data breaches today begin with a social engineering attack (source: PurpleSec)?
Social engineering will always be relevant to attackers as long as people exist. There are many types of social engineering attacks such as vishing, smishing, phishing, spear-phishing, physical SE, and many more.
Duration: A typical social engineering engagement can take anywhere from one day to a couple of months, depending on the limitations, objectives and scope of the engagement and the size of the company.
People often make the innocent mistake of not differentiating between a vulnerability assessment and a penetration test. The main difference is that during a penetration test the security consultant actively tries to exploit the vulnerabilities found, while in a vulnerability assessment the consultant only discovers and categorizes vulnerabilities without practically proving their validity and actual impact through active exploitation.
Vulnerability assessments are a good choice for organizations that have already had a penetration test and, after a while, want to check whether their current configuration state is still in good shape.
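To make the distinction concrete, here is an added illustration (not code from the original article and not a DIGITALL tool): a Python sketch in which an assessment step matches service banners against a hypothetical list of known-weak versions and reports unverified findings, and a testing step then tries to prove each finding with an authorized default-credential login. The host inventory, banner signatures, credential list and mock login behaviour are all constructed for this example and describe no real product, address or vulnerability.

```python
"""Contrast between a vulnerability assessment (discover and categorize)
and a penetration test (actively prove exploitability).

Everything here is constructed for the example: the inventory, the
"known weak" banner list and the mock login behaviour are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Service:
    host: str
    port: int
    banner: str
    # Constructed mock: the credentials this service would actually accept.
    # A real engagement would probe the live service over the network instead.
    accepted_logins: set = field(default_factory=set)


@dataclass
class Finding:
    host: str
    port: int
    title: str
    severity: str
    status: str  # "unverified" after assessment; "confirmed" or "not exploitable" after testing
    evidence: str = ""


# Hypothetical signature database: banner substring -> (title, severity).
WEAK_BANNERS = {
    "ExampleSSH 1.2": ("Outdated ExampleSSH build, default credentials reported", "high"),
    "ExampleAdmin/0.9": ("ExampleAdmin panel exposed with factory login", "critical"),
}

# Constructed default-credential list used by the testing step.
DEFAULT_CREDS = [("admin", "admin"), ("root", "toor"), ("admin", "password")]


def vulnerability_assessment(services):
    """Scanner-style pass: match banners and report; do not touch the service further."""
    findings = []
    for svc in services:
        for signature, (title, severity) in WEAK_BANNERS.items():
            if signature in svc.banner:
                findings.append(Finding(svc.host, svc.port, title, severity, "unverified"))
    return findings


def try_login(service, username, password):
    """Stand-in for an authenticated connection attempt against the mock service."""
    return (username, password) in service.accepted_logins


def penetration_test(services, findings):
    """Take the assessment output and try to prove each finding with an authorized login attempt.

    Findings whose banner matched but whose service rejects every default credential are
    downgraded to 'not exploitable', i.e. the assessment's false positives are weeded out.
    """
    by_addr = {(s.host, s.port): s for s in services}
    for finding in findings:
        svc = by_addr[(finding.host, finding.port)]
        for user, pw in DEFAULT_CREDS:
            if try_login(svc, user, pw):
                finding.status = "confirmed"
                finding.evidence = f"authenticated as {user!r} with a default password"
                break
        else:
            finding.status = "not exploitable"
            finding.evidence = "banner matched but no default credential was accepted"
    return findings


def summarize(findings):
    """Count findings per status, e.g. {'confirmed': 1, 'not exploitable': 1}."""
    return dict(Counter(f.status for f in findings))


# Constructed inventory: a host that still shows an old banner but was hardened,
# a host that is genuinely weak, and a host that matches nothing.
INVENTORY = [
    Service("10.0.0.5", 22, "ExampleSSH 1.2", accepted_logins={("ops", "S3cure!Long-Pass")}),
    Service("10.0.0.8", 8443, "ExampleAdmin/0.9 (build 17)", accepted_logins={("admin", "admin")}),
    Service("10.0.0.9", 443, "nginx"),
]


if __name__ == "__main__":
    assessed = vulnerability_assessment(INVENTORY)
    print(f"Assessment: {len(assessed)} unverified finding(s)")
    tested = penetration_test(INVENTORY, assessed)
    for f in tested:
        print(f"{f.host}:{f.port} [{f.severity}] {f.title} -> {f.status}: {f.evidence}")
    print(summarize(tested))
```

Run as a script, the assessment step reports two findings purely from banner text; the testing step confirms only the one where a default login actually works and marks the other as not exploitable. That is the practical difference the paragraph above describes: the assessment tells you what might be wrong, the penetration test tells you what an attacker can really do with it.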
Many companies underestimate how fast attack techniques evolve and therefore do not test often enough. Customers usually conduct a penetration test once a year, which can provide a false sense of security and could lead to a compromise of data or systems.
Therefore, any change in configuration, or the addition of new software, code, hardware, business logic or functionality, calls for a penetration test to confirm that the new implementation does not introduce new risks to your organization.
The good news is that you do not need to retest the whole web application when it was already tested before the new integration. You can and should define your scope of work and be specific about what needs to be tested, the objectives of the tests, and what you need to achieve as a result of those tests.
Competent cyber security consultants can advise you on what is best for your business. In fact, I would personally recommend first discussing your business case and roadmap before committing to specific tests and services. Many times, clients come in thinking they need service "A", but with the right questions from seasoned consultants they might realize that services "B" and "C" are a much better fit for their specific infrastructure, company culture and industry.
Every consultant is trained to work with a testing methodology. Each penetration test type has its own methodology because of the differences in technologies, configurations, code, expected results, etc. The methodology gives the consultant a path through the testing that helps them track their progress and not miss any tests applicable to the defined scope of work.
For a first overview of standards and methodologies, you can read up on these topics on the following pages (pages are in English):
This also helps you to gain a better understanding of which service provider fits best to your company requirements.
The business side is also tricky. You need to understand the types of contracts that different consultancy firms work with, for example ad hoc or framework contracts. You should request an NDA if you think your data needs further protection. Additionally, it is good practice to explicitly request that the pentesting service provider destroy your data once the project has been completed and the final report has been delivered.
Our Cyber Security experts at DIGITALL offer numerous services to test and strengthen your organization's security measures and strategy. Take a look at our portfolio and contact us for a first, free consultation.