An introduction to penetration testing

Written by Joseph Poppy on 26/09/2019

What is penetration testing?

Penetration testing is where someone takes on the role of a hacker and attempts to compromise or gain unauthorised access to a network or an application. A qualified professional will make use of automated tools and manual processes to uncover any vulnerabilities and misconfigurations that present a cyber-security risk.

A penetration test will give companies an overview of their security posture, highlighting flaws and allowing them to be patched before they are targeted by malicious hackers. Also known as white hat or ethical hacking, penetration tests are a vital part of an effective security strategy and are a mandatory component of many compliance schemes.


The cyber security landscape

The digital world is a dangerous place. It’s a dense forest with treacherous undergrowth and dangerous creatures lurking in the shadows. Tantalising data of all forms tempts hackers 24 hours a day, seven days a week. Ransomware is still racking up thousands of pounds. Cryptomining malware has been doing the rounds and, as always, nation states are pushing things as far as they can. So, needless to say, cyber security is big business.

Here at Bulletproof, we offer a wide range of services. Chief among them is our penetration testing service (also known as pen testing, but that sounds like we sit around making sure your stationery is up to scratch). Our penetration testers are accredited by industry-recognised bodies such as CREST and Tigerscheme, so you know they’re good.

A penetration test can take one of several approaches, referred to as white, black or grey box testing.

What are the different types of penetration test?

Every type of penetration test can be run as a black, white or grey box test. It’s also worth specifying that there is a difference between an application test and an infrastructure test. An application test, as the name suggests, is where a tester looks for flaws within an application to see if there’s any way to get at data or manipulate functionality in a way that wasn’t intended. This can involve cookie theft, XSS, man-in-the-middle attacks etc. Infrastructure tests, on the other hand, are where the tester attempts to gain entrance to a corporate network.

Black box testing

Black box testing is the closest simulation of real-world hacking in that the tester will know very little, if anything, about the target other than what is publicly available. These are often the least time-consuming tests as they rely solely on the tester discovering vulnerabilities in outward-facing components. However, whilst these tests accurately represent real-life situations, they will not pick up any vulnerabilities or misconfigurations that may be present internally. Therefore, they cannot predict what damage an internal threat may cause.

White box testing

White box testing offers the most thorough security test. The tester has a full understanding of the application or infrastructure and how it works, and is given access at various levels. It’s likely that they’ll even have access to the source code or a full, detailed map of the internal infrastructure. The tester will probe for vulnerabilities and misconfigurations to try and gain access from an external position, as well as look to see what damage can be done from an internal perspective.

Grey box testing

Grey box testing is a blend of black and white box testing and is often the most popular type of test. The tester will have a limited knowledge of the target, potentially including some documentation. They will often have basic user level access, allowing for partial testing of the target’s internals.

Network penetration test

A network penetration test is where a cyber professional attempts to breach an organisation’s infrastructure. The tester will check for misconfigurations, outdated software, logical flaws and even look for a means to escalate privileges if they manage to gain access. They will tend to focus on:

  • Firewall configurations
  • Segmentation
  • Privilege escalation
  • Incorrectly stored data
  • Default credentials

Application testing

Application penetration tests can be quite involved. They are designed to uncover any vulnerabilities or weaknesses present in a web app or mobile application that could compromise its security or induce functionality not intended by the designers. The difficulty of these tests will depend on what scripts are being employed and how the application is built. Generally, testers will be looking for outdated software, cross-site scripting (XSS) vulnerabilities and weak cryptography, or they will try to tamper with cookies and functionality.


What’s the difference between penetration testing and vulnerability assessments?

The terms penetration test and vulnerability assessment are often wrongly used interchangeably. A vulnerability assessment, or VA scan, is the use of an automated tool to scan a network or application for known vulnerabilities, which can then be patched. A penetration test is a lot more involved and encompasses many aspects, providing you with a more comprehensive overview of your overall security.

A vulnerability scan may well be used in the initial stages of a penetration test to see if there are any easily exploited flaws to work with. The tester will then go a step further, making use of brute-forcing, code injections, social engineering and much more.

[Image: Penetration Testing vs Vulnerability Assessment]

A penetration test may make use of an initial vulnerability scan to see if there are any easily exploitable flaws to work with.

What are the stages of a penetration test?

All penetration test projects will start with accurate scoping. Once the boundaries have been agreed and a goal decided upon, testers will begin some reconnaissance. This is the starting point for any hacker and the beginning of the cyber kill chain. It may include looking for any related URLs or domains that could be considered in scope and increase the attack surface, or conducting some vulnerability scans on the target. If social engineering is included in the test, recon activity may include searching publicly available sources for staff contact details, staff pass designs or email address formats.

The testers will then attempt to exploit any weakness found to gain unauthorised access. This is often a trial-and-error process. If successful, the tester will find out the extent of a hacker’s potential reach, compile some evidence and then provide a detailed report along with remediation advice.

Tests will often follow these steps:

  • Reconnaissance
  • Scanning with automated tools
  • Probing for weaknesses/misconfigurations
  • Testing for flaws such as XSS, man-in-the-middle attacks etc.

What is social engineering?

Social engineering is the process of leveraging the human aspect of a business in order to compromise security. The most common form of this is phishing. This involves tricking users via email into following a malicious link, downloading malware or submitting their credentials.

This is often the easiest way for a hacker to compromise a business. No matter how formidable your cyber security is, a member of staff can easily undo it all. In 2019, phishing attacks attempting to get ransomware into businesses had risen 109% from 2017.

Social engineering is a fancy term for what can often be a simple approach. How many times have you received an email that looks like the following?

Dear User,

Your Outlook password is due to expire and requires resetting. Please follow this link to reset it.

LINK

Regards,

IT Dept.

That link will no doubt direct you to a malicious portal owned by hackers intent on getting your password and, if you clicked the link and reset your password, then they’ll have it. When booking a penetration test, many companies choose to include an element of social engineering in order to test their staff’s susceptibility to phishing.

Some important things to look out for are poor spelling and grammar, both in the body text and in the email address.
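The following triage helper, added here as an example and not part of the original article, applies the indicators above to a constructed email in the same shape as the one quoted: a sender domain that is not the organisation’s own, a link pointing outside that domain, password-reset lure wording, and misspellings in the body. The corporate domain, the sample message and the phrase lists are all assumptions.

```python
"""Defender-side triage of a password-reset phishing lure (constructed sample)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"  # assumed: the organisation's real mail domain
LURE_PHRASES = ("password", "expire", "reset", "verify your account")
MISSPELLINGS = ("reseting", "recieve", "acount", "securtiy")  # assumed short list

# Constructed sample in the shape of the email quoted in the article.
SAMPLE_EMAIL = """\
From: IT Dept. <it-support@examp1e-mail.com>
To: user@example.com
Subject: Your Outlook password is due to expire

Dear User,

Your Outlook password is due to expire and requires reseting. Please follow
this link to reset it: http://outlook-reset.examp1e-mail.com/login

Regards,
IT Dept.
"""


def sender_domain(msg):
    """Return the lower-cased domain of the From: address (display name ignored)."""
    address = parseaddr(msg["From"])[1]
    return address.rpartition("@")[2].lower()


def triage(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    domain = sender_domain(msg)
    if domain != CORPORATE_DOMAIN:
        findings.append(f"sender domain {domain!r} is not {CORPORATE_DOMAIN!r}")
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != CORPORATE_DOMAIN and not host.endswith("." + CORPORATE_DOMAIN):
            findings.append(f"link host {host!r} is outside {CORPORATE_DOMAIN!r}")
    lure_hits = [p for p in LURE_PHRASES if p in body.lower()]
    if len(lure_hits) >= 2:  # one word alone is common in legitimate mail
        findings.append("credential-reset lure wording: " + ", ".join(lure_hits))
    typos = [w for w in MISSPELLINGS if re.search(r"\b" + w + r"\b", body.lower())]
    if typos:
        findings.append("misspellings in body: " + ", ".join(typos))
    return findings
```

Each finding is a string, so the function can feed a mail gateway rule or an analyst checklist directly.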


What is red team testing?

Some businesses choose to go a step further when it comes to testing their security. Red team testing is a mix of penetration testing, social engineering and physical intrusion. Testers will follow the same process as a standard penetration test in order to compromise data, but will also see if they can exploit flaws (even in physical tech) to gain access to buildings and data centres.

Red team testing can involve a lot of face-to-face interaction, testing the processes and procedures that form part of information security. It may involve phone calls, simple tailgating or even pretending to deliver milk.

Red team assessments provide businesses with a complete analysis of their security, be it technical, physical or procedural. The process often follows the following outline:

[Image: Red Teaming]
Periodic tests can be combined with managed security monitoring and advanced threat management for a total protection package.

What are the penetration testing costs?

The cost of a penetration test can vary considerably with many factors to consider. The size of the network/application, its complexity and the overall scope will be the main variables.

As a general rule (at Bulletproof), the prices for pen testing can be broken down as follows:

Penetration testing prices

Test Type        Guide price      Description
Small pen test   £1,000-£3,000    Tests of a small web app and associated cloud infrastructure.
                                  Black box, unauthenticated test designed to mimic a real-world
                                  attack with no details of the environment disclosed upfront.
Medium pen test  £3,000-£5,000    Application test of a medium web-based management portal and
                                  associated cloud infrastructure. Can be authenticated or
                                  unauthenticated. Usually grey box.
Large pen test   £5,000-£20,000   A larger test of external applications, systems infrastructure
                                  and social engineering. A comprehensive security review with
                                  limited information disclosed up front.

Of course, these prices and features depend entirely on your requirements and serve as just a rough guide as to what you might expect to pay.


Do I need a penetration test?

It’s recommended that businesses perform penetration tests at least annually or whenever a significant change is made to the environment. Certain compliance packages, such as PCI DSS, make regular penetration tests mandatory. Put simply, if you want good security, you need a penetration test.

What can I expect in my penetration test report?

The content of a report will depend on who has written it. Bulletproof’s reports always contain a high-level business summary before moving on to an in-depth breakdown of any weakness, vulnerability or misconfiguration found during the test, along with mitigation advice. These are then presented in order of priority, giving our clients a checklist to improve their security.

Other cyber security services

And knowing is half the battle... regular penetration tests are vital for maintaining security and protecting business critical data. If a penetration tester can find flaws in your environment, then a hacker can too, and you don’t want them to find them first.


  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
