Comprehensive penetration testing from qualified experts

There are several types of penetration testing that can be defined as either black, white or grey box testing. It’s also worth specifying there is a difference between an application test and an infrastructure test. An application test, as the name suggests, is where a tester looks for flaws within an application to see if there’s any way to get at data or manipulate functionality in a way that wasn’t intended. This can involve cookie theft, XSS, man-in-the-middle attacks etc. Infrastructure tests on the other hand are where the tester attempts to gain entrance to a corporate network.

Black box testing

Black box testing is the closest simulation of real-world hacking in that the tester will know very little, if anything about the target other than what is publicly available. These are often the least time-consuming tests as it relies solely on the tester discovering vulnerabilities in outwardly facing components. However, whilst these tests accurately represent real life situations, they will not pick up any vulnerabilities or misconfigurations that may be present internally. Therefore, they cannot predict what damage an internal threat may cause.

White box testing

White box testing offers the most thorough security test in which the tester has a full understanding of the application or infrastructure, how it works and has access from various levels. It’s likely that they’ll even have access to the source code or have a full detailed map of the internal infrastructure. The tester will probe for vulnerabilities and misconfigurations to try and gain access from an external position, as well as look to see what damage can be done from an internal perspective.

Grey box testing

Grey box testing is a blend of black and white box testing and is often the most popular type of test. The tester will have a limited knowledge of the target, potentially including some documentation. They will often have basic user level access, allowing for partial testing of the target’s internals.

Network penetration test

A network penetration test is where a cyber professional attempts to breach an organisation’s infrastructure. The tester will check for misconfigurations, outdated software, logical flaws and even look for a means to escalate privileges if they manage to gain access. They will tend to focus on:

• Firewall configurations
• Segmentation
• Privilege escalation
• Incorrectly stored data
• Default credentials

Application testing

Application penetration tests can be quite involved. They are designed to uncover any vulnerabilities or weaknesses present in a web app or mobile application that could compromise the security or induce functionality not intended by the designers. The difficulty of these tests will depend on what scripts are being employed or how the application is built. Generally, testers will be looking for outdated software, cross-site scripting (XSS) vulnerabilities and weak cryptography, or they will try and tamper with cookies and functionality.

The terms penetration test and vulnerability assessment are often wrongly used interchangeably. A vulnerability assessment, or VA scan, is the use of an automated tool to scan a network or application for known vulnerabilities, which can then be patched. A penetration test is a lot more involved and encompasses many aspects, providing you with a more comprehensive overview of your overall security.

A vulnerability scan may well be used in the initial stages of a penetration test to see if there are any easily exploited flaws to work with. The tester will then go a step further, making use of brute-forcing, code injections, social engineering and much more.

All penetration test projects will start with an accurate scoping. Once the boundaries have been agreed and a goal decided upon, testers will begin some reconnaissance. This is the starting point for any hacker and the beginning of the cyber kill chain. This may include looking for any related URLs or domains that could be considered in scope and increase the attack area or conducting some vulnerability scans on their target. If social engineering is included in the test, recon activity may include searching publicly available sources for staff contact details, staff pass designs or email address formats.

The testers will then attempt to exploit any weakness found to gain unauthorised access. This can often have a trial and error-based approach. If successful, the tester will find out the extent of a hacker’s potential reach, compile some evidence and then provide a detailed report along with remediation advice.

Tests will often follow these steps:

• Reconnaissance
• Scanning with automated tools
• Probing for weaknesses/misconfigurations
• Testing for flaws such as XSS, man-in-the-middle attacks etc.

Social engineering is the process of leveraging the human aspect of a business in order to compromise security. The most common form of this is phishing. This involves tricking users via email into following a malicious link, downloading malware or submitting their credentials.

This is often the easiest way for a hacker to compromise a business. No matter how formidable your cyber security is, a member of staff can easily undo it all. In 2019, phishing attacks attempting to get ransomware into businesses had risen 109% from 2017.

Social engineering is a fancy term for what can often be a simple approach. How many times have you received an email that looks like the following?

That link will no doubt direct you to a malicious portal owned by hackers intent on getting your password and, if you clicked the link and reset your password, then they’ll have it. When booking a penetration test, many companies choose to include an element of social engineering in order to test their staff’s susceptibility to phishing.

Some important things to look out for is poor spelling and grammar, both in the body text and the email address.

Some businesses choose to go a step further when it comes to testing their security. Red team testing is a mix of penetration testing, social engineering and physical intrusion. Testers will follow the same process as a standard penetration test in order to compromise data, but will also see if they can exploit flaws (even in physical tech) to gain access to buildings and data centres.

Red team testing can involve a lot of face to face interaction, testing processes and procedures that form part of information security. It may involve phone calls, simple tailgating or even pretending to deliver milk.

Red team assessments provide businesses with a complete analysis of their security, be it technical, physical or procedural. The process often follows the following outline:

The cost of a penetration test can vary considerably with many factors to consider. The size of the network/application, its complexity and the overall scope will be the main variables.

As a general rule (at Bulletproof) the prices for pen testing can be broken down as thus:

Of course, these prices and features depend entirely on your requirements and serve as just a rough guide as to what you might expect to pay.

It’s recommended that businesses perform penetration tests at least annually or whenever a significant change is made to the environment. Certain compliance packages, such as PCI DSS, make regular penetration tests mandatory. Put simply, if you want good security, you need a penetration test.

What can I expect in my penetration test report?

The content of a report will depend on the who has written it. Bulletproof’s reports always contain a high-level business summary before moving on to an in-depth breakdown of any weakness, vulnerability or misconfiguration found during the test along with mitigation advice. These will then be presented in order of priority, giving our clients a checklist to improve their security.

Other cyber security services

And knowing is half the battle... regular penetration tests are vital for maintaining security and protecting business critical data. If a penetration tester can find flaws in your environment, then a hacker can too, and you don’t want them to find them first.

The content of a report will depend on the who has written it. Bulletproof’s reports always contain a high-level business summary before moving on to an in-depth breakdown of any weakness, vulnerability or misconfiguration found during the test along with mitigation advice. These will then be presented in order of priority, giving our clients a checklist to improve their security.