A beginner’s guide to penetration testing

Written by Joseph Poppy on 08/06/2018

An introduction to penetration testing

The digital world has become a dangerous place. It’s like the Wild West (the movie kind, not the real kind, which was decidedly less wild than it’s portrayed), with outlaws out to do you harm and make off with your precious data. Fortunately, like any good western, there are also honour-bound gunslingers seeking to bring law, order and – most importantly – security to the digital landscape.

Here at Bulletproof, we offer a wide range of services. Chief among them is our penetration testing service (also known as pen testing, but that sounds like we sit around making sure your stationery is up to scratch). Our penetration testers are accredited by industry-recognised bodies such as CREST and Tigerscheme, which is all well and good, but what exactly is a penetration test? Well, I’m glad you asked...


What is penetration testing?

Penetration testing is the use of automated tools and manual processes in an attempt to find and exploit vulnerabilities in an organisation’s systems, with the ultimate goal of gaining access to or compromising a network, website or application. As a result, you will be provided with a clear picture of your cyber security posture.

Put simply, penetration testing simulates real world attacks. A penetration tester will adopt the role of a hacker and set about invading your network or attempt to breach your application(s) and, if successful, will let you know what they did and how to stop others from doing it. This approach is often referred to as white hat hacking.

There are several approaches a penetration test can take, referred to as white, black or grey box testing.

White box testing is often referred to as an authenticated test and focusses on the security of your underlying technology (all the unseen bits that make your systems work). A white box test will take place with an extensive knowledge of your IT department and infrastructure already obtained. This means the tester will have access to IP addresses, network diagrams, system configurations and even credentials. They may even set up their own admin credentials. This form of test is incredibly extensive and allows the tester to take on the role of someone within your organisation and analyse your processes as well as your systems.

Black box testing mirrors the approach a real-world hacker would take, in that no prior information regarding your infrastructure set-up is given. Through research, probing, hacking techniques (such as brute-force attacks) and even social engineering, the penetration tester will attempt to gain unauthorised access to your networks and exfiltrate data. This approach will not only provide an evaluation of your network and systems, but also the processes and people involved.

Grey box testing, as you may have guessed, lies somewhere in between white and black box testing. Testers will have some previous knowledge of your infrastructure and systems used, but not in as much detail as a white box test. The knowledge given will be agreed during the scoping of the test.


Why have a penetration test?

A penetration test will let you know precisely how secure your systems are at the time of the test, allowing you to adapt accordingly. A pen test will give you a run-down of vulnerabilities found within your network along with the relevant remediation advice. If a pen tester can compromise an app, a machine or server, then a malicious hacker can too.

It's recommended that you undergo penetration tests on at least an annual basis, as threats to cyber security are always evolving. Malicious actors are always finding new ways to breach a network or application perimeter and you need to constantly upgrade your defences. Penetration testers will be aware of all the vulnerabilities and new techniques exploited by hackers as soon as they become known.


Penetration testing vs vulnerability assessments

Often, the phrases penetration test and vulnerability assessment are wrongly used interchangeably. A vulnerability assessment or VA scan is the use of an automated tool to scan a network or application for known vulnerabilities, which can subsequently be patched. The key difference is that a penetration test is a lot more involved and encompasses many other aspects, ultimately providing you with a more comprehensive overview of your security stance. This is not to say that a vulnerability scan is without value.

A penetration test may make use of an initial vulnerability scan as a starting point, to see if there are any easily exploitable flaws to work with. A pen test will go further in that it will involve brute-force attempts, code injections, social engineering and much more.


What is social engineering?

Social engineering is the process of leveraging the human aspect of your business in order to gain access to your network. The most common method of social engineering is phishing, which involves tricking users into following a malicious link in an attempt to get them to give up their credentials or download malware, usually via email.

This can often be the most effective way for a hacker to compromise your infrastructure. No matter how formidable your cybersecurity is, a user accidentally downloading malware or revealing their credentials to an unknown party can allow hackers to bypass it all.

Social engineering is a complex term for what can be a very simple approach. Consider the following example:

User A works in your finance department and receives an email stating that their password is due to expire, and that they should click the provided link to reset it. If they don’t, they could be locked out of their emails, which User A feels is simply unacceptable. User A clicks the link and is directed to what appears to be the official website of your email provider. User A types in their current password and selects a new password before continuing with their work. Only the link they followed was not official at all. Instead, it was a platform designed by a hacker who now has User A’s credentials.

This type of technique has been around almost as long as email has (think of the "I am a wealthy investor from ____ I need to transfer money to the UK, please provide me with your bank details" spam). Some phishing attempts are more sophisticated than others.

Social engineering can go further than this and include face-to-face interaction or phone calls. This will usually be in an attempt to gain physical access to a machine or building rather than breaching your network remotely, although one can lead to the other.


Network penetration test

A network penetration test is the most common and currently the most in-demand form of pen test. This is where the penetration tester tries to breach an organisation’s infrastructure. Depending on the size of the company, and therefore how many servers, devices and programmes are communicating with one another, the amount of time and resources these tests take can vary dramatically. Whilst tests can differ depending on the target(s), they tend to examine the following:

  • Firewall configurations
  • Stateful analysis testing
  • Firewall bypass possibilities
  • IPS evasion
  • DNS attacks

Of course, all components will be running and reliant upon various pieces of software, which will also be tested. The most common of these are:

  • Secure Shell
  • SQL Server
  • MySQL
  • Simple Mail Transfer Protocol (SMTP)
  • File Transfer Protocol
  • Outlook login pages

Depending on what your goals are, the depth of a network test can vary.


Web application penetration test


Web app or website penetration tests can be a lot more involved than a network penetration test. These tests are designed to seek out and test any vulnerabilities or weaknesses found within a website or a web-based application. Tests will vary depending on the design of the site or app and what its main function is. The sort of components that are examined are ActiveX, Silverlight, Java Applets and APIs.

The difficulty of these tests will depend largely on what scripts are being employed or how the website is built. Traditional web apps may be fairly easy, particularly if they were built with outdated software. If, however, an app includes custom code, then the job becomes that much more difficult.

A website or app penetration test is an especially good idea if it’s going to be making use of personal data or financial details, as these are the sort of things an attacker will want to go after.

Periodic tests can be combined with managed security monitoring and advanced threat management for a total protection package.

How does penetration testing work?

The pen tester will start by conducting some basic reconnaissance around your network or application. From this they should get a good idea of what your cyber make-up is like and how to best proceed.

Once they are satisfied they have enough knowledge to continue, the pen tester will begin running scans against your system to search for any vulnerabilities and test the response to intrusion.

After scanning, the pen tester will actively start probing and attempt to gain access to your network. If any vulnerabilities were discovered in the previous stages, these will be exploited. Even if none were found, the tester will have a number of other tricks and tools to employ, such as a brute-force attack. This uses a trial-and-error approach in an attempt to guess credentials. Using automated tools, hundreds or even thousands of attempts can be made every minute against a set of criteria.

If a penetration tester manages to exploit vulnerabilities or find another way to compromise your network, they will gain access to your system. From there, they will gather evidence or make agreed changes to prove that they have done so. After access has been gained (sometimes more than once through different methods), the penetration tester will set about compiling a report, listing their methodology, their level of success and giving remediation advice.
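The brute-force stage described above is noisy by design, and a defender should expect to see it in authentication logs. As an added example (not code from the original post or from Bulletproof), the following Python detector runs over constructed sshd-style log lines and flags any source that reaches a threshold of failed logins inside a sliding 60-second window. The host name, addresses, usernames and timestamps are constructed; the threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data) in the syslog format OpenSSH's sshd writes.
# 203.0.113.7 hammers the host with guessed passwords; 198.51.100.9 mistypes once.
SAMPLE_LOG = """\
Jun  8 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jun  8 10:00:02 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jun  8 10:00:02 bastion sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
Jun  8 10:00:03 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 50128 ssh2
Jun  8 10:00:04 bastion sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Jun  8 10:00:05 bastion sshd[2111]: Failed password for jsmith from 198.51.100.9 port 41000 ssh2
Jun  8 10:00:06 bastion sshd[2113]: Failed password for root from 203.0.113.7 port 50132 ssh2
Jun  8 10:00:09 bastion sshd[2115]: Accepted publickey for jsmith from 198.51.100.9 port 41002 ssh2
Jun  8 10:03:00 bastion sshd[2200]: Failed password for root from 203.0.113.7 port 50500 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (peak_failures, usernames)} for sources reaching the threshold."""
    recent = defaultdict(deque)  # per-source failures still inside the window
    alerts = {}
    for ts, ip, user in parse_failures(log_text):
        window = recent[ip]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the sliding window
        if len(window) >= threshold:
            prev = alerts.get(ip)
            if prev is None or len(window) > prev[0]:
                alerts[ip] = (len(window), sorted({u for _, u in window}))
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The single mistyped password from 198.51.100.9 never reaches the threshold, and the attacker's lone retry at 10:03:00 falls outside the window, so only the sustained burst is reported.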

For a simplified overview, see the "Penetration Test" graphic (not reproduced here).

Red Teaming

What does it mean to red team? A red team service, or red teaming, tests an organisation’s cyber security equipment and procedures along with their physical security. A red team will make use of automated tools, manual techniques and social engineering, with the aim of breaching your perimeter by any means or gaining physical access to your premises, and therefore, your network or data.

This expands on a penetration test by adding your physical security to the scope, which the red team will attempt to compromise using a number of creative methods. Offering a multi-layered approach for maximum impact, a red team will try just about anything to gain access to your network or offices. Once inside, they will attempt to compromise a machine or, better still, get to your server room or datacentre.

The purpose behind a red team investigation is to provide you with a detailed snapshot of your overall security posture. Red teaming also demonstrates that one of the most important, yet often overlooked, aspects of cyber security is the human one.

The approach a red team service will take is shown in the "Red Teaming" graphic (not reproduced here).

Cost of Penetration Testing

The cost of a penetration test can vary considerably with many factors to consider. The size of the network/application, its complexity and the overall scope will be the main variables.

As a general rule (at Bulletproof), the prices for pen testing can be broken down as follows:

Penetration testing prices

Test Type       | Description                                                                                                                                                                    | Guide price
Small pen test  | Test of a small web app and associated cloud infrastructure. Black box, unauthenticated test designed to mimic a real-world attack with no details of the environment disclosed upfront. | £1,000-£3,000
Medium pen test | Application test of a medium web-based management portal and associated cloud infrastructure. Can be authenticated or unauthenticated. Usually grey box.                               | £3,000-£5,000
Large pen test  | A larger test of external applications, systems infrastructure and social engineering. A comprehensive security review with limited information disclosed up front.                    | £5,000-£20,000

Of course, these prices and features depend entirely on your requirements and serve as just a rough guide as to what you might expect to pay.


Do I need penetration testing?

Regular penetration tests are certainly recommended for any organisation wanting to keep tabs on their cyber health. Any money spent on a pen test will cost less than a major breach or the compromising of your site, which can lead to serious down time. What’s more, with GDPR coming into effect, for those processing personal data of EU citizens, it’s essential that you can demonstrate you are maintaining the highest level of cyber security. The only way to truly get a detailed view of your current security posture is via a penetration test.


Conclusion

A penetration test is vital for any company or organisation that takes cyber security seriously. As already stated, if a penetration tester manages to compromise your application or network, then a real hacker can too. Penetration tests offer a proactive approach to maintaining high levels of security.

However, it’s worth noting that a pen test shows you your security posture at a fixed point in time. New vulnerabilities may be discovered, and other methods of attack may evolve in the future, so it’s recommended that you book regular (annual) penetration tests to ensure that you maintain the top level of security.


  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
