Comprehensive penetration testing from certified experts

The cost of a penetration test can vary considerably with many factors to consider. The size of the environment being tested, its complexity and the overall project scope will be the main variables.

As a general rule (at Bulletproof) the prices for pen testing can be broken down as thus:

Of course, these prices and features depend entirely on your requirements and serve as just a rough guide as to what you might expect to pay.

It’s recommended that businesses perform penetration tests at least annually or whenever a significant change is made to the environment.

Certain compliance packages, such as PCI DSS certification, make regular penetration tests mandatory. Put simply, if you want good security, you need a comprehensive penetration test.

Stay a step ahead of the hackers

Testing your current security posture provides a clear indication on where you stand against an ever-changing threat landscape. It’s how you can efficiently identify and address vulnerabilities before an attacker does.

Take control of your infrastructure

As technology evolves and your business grows, technical infrastructures become increasingly complex. It’s not uncommon for things to slip out of your control, or you might not have the relevant expertise to ensure that your controls are implemented the right way. Each test reveals the flow of your environment and any interdependencies that have a direct or indirect impact to security. Don’t forget that you’re only as secure as your weakest link.

Prove your security

You might think you have a very secure infrastructure in place, with all the processes, procedures and staff training to back it up. But how do you know? A penetration test is an ideal way to test your security implementations, giving you real-world proof that your security controls are up to standard and working as expected. This can be as much for the benefit of your customers’ and suppliers’ peace of mind as your own.

Solid risk management

Each penetration test addresses your business risks and the impact to confidentiality, integrity and availability of your data. This provides a good indication to management and the technical teams on how to best prioritise, plan, budget and remediate the risks in a structured manner.

Because you have to there are increasing numbers of legal and regulatory requirements, industry standards, and best practices that all say you should or must have regular penetration tests. These include PCI DSS, ISO 27001, FCA, HMG and CoCo among numerous others. Though compliance does not guarantee security, these standards provide good directions on what is needed to ensure your infrastructure is in a good overall state of security.

Protect your business

It goes without saying that security breaches are bad news, with potentially enormous impacts on your brand’s reputation and the financial repercussions. Penetration tests drastically reduce the risk of a breach, protecting the time and money invested in your organisation as well as the confidence of existing and potential customers.

There are several types of penetration testing that can be defined as either black, white or grey box testing. It’s also worth specifying there is a difference between an application test and an infrastructure test. An application test, as the name suggests, is where a tester looks for flaws within an application to see if there’s any way to get at data or manipulate functionality in a way that wasn’t intended. This can involve cookie theft, XSS, man-in-the-middle attacks etc. Infrastructure tests on the other hand are where the tester attempts to gain entrance to a corporate network.

Black box testing

Black box testing is the closest simulation of real-world hacking in that the tester will know very little, if anything about the target other than what is publicly available. These are often the least time-consuming tests as it relies solely on the tester discovering vulnerabilities in outwardly facing components. However, whilst these tests accurately represent real life situations, they will not pick up any vulnerabilities or misconfigurations that may be present internally. Therefore, they cannot predict what damage an internal threat may cause.

White box testing

White box testing offers the most thorough security test in which the tester has a full understanding of the application or infrastructure, how it works and has access from various levels. It’s likely that they’ll even have access to the source code or have a full detailed map of the internal infrastructure. The tester will probe for vulnerabilities and misconfigurations to try and gain access from an external position, as well as look to see what damage can be done from an internal perspective.

Grey box testing

Grey box testing is a blend of black and white box testing and is often the most popular type of test. The tester will have a limited knowledge of the target, potentially including some documentation. They will often have basic user level access, allowing for partial testing of the target’s internals.

Network penetration test

A network penetration test, also known as Infrastructure penetration test, is where a cyber professional attempt to breach an organisation’s infrastructure. The tester will check for misconfigurations, outdated software, logical flaws and even look for a means to escalate privileges if they manage to gain access. They will tend to focus on:

• Firewall configurations
• Segmentation
• Privilege escalation
• Incorrectly stored data
• Default credentials

Application testing

Application penetration tests can be quite involved. They are designed to uncover any vulnerabilities or weaknesses present in a web app or mobile application that could compromise the security or induce functionality not intended by the designers. The difficulty of these tests will depend on what scripts are being employed or how the application is built. Generally, testers will be looking for outdated software, cross-site scripting (XSS) vulnerabilities and weak cryptography, or they will try and tamper with cookies and functionality.

External network penetration test

External-based penetration testing simulates the ability of an attacker to gain access from external resources to the internal network or to retrieve sensitive data from public-facing resources, such as web applications or email servers.

Internal network penetration test

Internal-based penetration testing simulates an attack that has already bypassed the security perimeter. This addresses what an attacker (or an insider) can see and what they can do internally, such as moving from one network to another, intercepting internal communications, and so on.

Social engineering penetration test

Social engineering covers the human element of security, where testers will try to access sensitive information by manipulating human psychology. This usually involves a lot of techniques, such as targeting employees over the internet with phishing emails, phone calls, as well as exploiting pitfalls in operational procedures and trying to compromise physical security.

Cloud penetration testing

Cloud penetration testing examine your organisation’s external security posture. By auditing your AWS, GCP or Azure hosted systems, pen testers can effectively assess your cloud configuration & identify exploitable flaws.

Red team penetration test

A red team penetration test is where security experts compromise a company’s cyber and physical security through a mix of penetration testing, social engineering and deceit. A red team aims to get hold of data remotely or through direct contact with an organisation's on-premises machines. Preferably, not getting caught in the process. Once done, the team can report back to the company with what they did, how they did it (with evidence), and most importantly, how the business can stop it from happening again.

The two services, whilst very different, are equally as important where cyber security is concerned. Regular vulnerability tests can be run quickly against new builds or networks on a regular (monthly) basis to allow you to patch any vulnerabilities that come to light. Leaving a single vulnerability unchecked on a single device could theoretically compromise your entire infrastructure. Whereas an annual penetration test can offer you a detailed report of your entire security posture, including your susceptibility to social engineering.

Just because you have had a vulnerability scan, it doesn’t mean you don’t need a penetration test. Likewise, if you’ve recently had a penetration test, it doesn’t mean you won’t benefit from a vulnerability assessment in the near future.

Bulletproof follows ethical hacking 7 stages are:

1. Scope definition & pre-engagement interactions

This is where all requirements are gathered and goals are set. It’s where types of tests, forms, timelines and limitations are codified and agreed. This is essential for smooth and well-controlled exercise.

2. Intelligence gathering & threat modelling

Intelligence gathering is an information reconnaissance approach that aims to gather as much information as possible. This information is used as attack vectors when trying to penetrate the targets during the vulnerability assessment and exploitation phases.

3. Vulnerability analysis

This phase aims to discover flaws in networks, systems and/or applications, using active and passive mechanisms, which can include host and service misconfiguration, current patching levels, or insecure application design.

4. Exploitation

With the help of the vulnerability analysis from the previous step, all external and internal-facing systems that are in scope are attacked. This involves a combination of available and custom-made exploits and techniques in order to tamper with improper configurations, bypass security controls, access sensitive information and in general to establish access to the targets in question.

5. Post-exploitation

The purpose of this phase is to determine the value of the compromised targets by trying to elevate privileges and pivot to other systems and networks that are defined within the scope. Importantly, the compromised systems will be cleaned of any scripts and further attacks that have been launched to make sure the systems are not subjected to unnecessary risks as a consequence of the tester’s actions.

6. Reporting

All information mentioned in the above steps must be documented.

A good penetration testing company should provide you with a thorough yet easy-to-read pen testing report, including:

• All risks based on the current server/application setup/configuration
• Vulnerabilities and running services for the servers and applications
• What has been done to exploit each security issue
• Remediation steps
• Near-term and long-term actions It should be noted that vulnerabilities that cannot be exploited must also be included in the final report

We strongly recommend you ask the penetration test company for a sample report in advance – this way you’ll know what you can expect to receive. If a report is full of jargon and difficult to decipher, its use to you is limited.

7. Debrief session

This step isn’t a strict requirement but is good practice. Upon the completion and delivery of a penetration test, a de-brief session can explain the findings and risks listed in the report, as well as giving you the opportunity to ask any questions.