What is penetration testing (pentesting) in the cybersecurity-obsessed world we inhabit? Imagine you’re the IT Systems Admin at a medium or large company responsible for manufacturing personal protective equipment. It turns out that the new software system you installed last week to manage your inventory is already out of date. As a result of a security vulnerability hidden in this out-of-date platform, a database of customer credit-card details is now in the hands of a malicious hacker who’s holding you to ransom and demanding a large payment.
A penetration tester, or pentester, could have examined this software for vulnerabilities and saved your business from such a risk.
Or you may face increasing pressure from industry, state, or federal regulators; insurance providers; or even customers to prove your cybersecurity is adequate. Again, pentesting can help.
In this blog post, we help you to understand what penetration testing is, what factors drive the demand, the business case for pentesting, what information you can expect from a pentest report, and some principles for commissioning pentesting work.
What Is Penetration Testing?
In the cybersecurity landscape, malicious hackers trawl computer networks, services, databases, applications, APIs, and endpoints to identify vulnerabilities they can exploit. Pentesters use a number of different methods to identify and demonstrate these same vulnerabilities under authorization. They then give advice on how to eliminate them—before they’re found and exploited by bad actors.
What Factors Drive the Demand for Penetration Testing in Cybersecurity?
Let’s look at some of the bigger stories in the news, insurance considerations, and compliance factors.
Recent Data Breaches
Cyber Insurance Requirements
Businesses are under increasing pressure from insurers to demonstrate they’re taking measures to secure their data. Some insurance firms even insist on vulnerability assessments or that you meet certain industry standards. Otherwise they can raise the cost of underwriting to a level that would affect the cost of your goods or services.
Compliance and Standards
You’re likely to be required to meet specific standards set by compliance legislation and government regulatory bodies:
- If you are in the United States, this can mean federal, state, and local government
- Depending on your market, you may be dealing with specific regulatory standards and expected industry benchmarks
Examples of Pentesting Frameworks and Methodologies
Many compliance requirements state that penetration tests and vulnerability assessments are required as part of a full security audit.
Here are some specific pentest guides and standards:
- The PCI Penetration Testing Guide provides guidelines on pentesting components, qualifications for pentesters, pentesting methodologies, and reporting
- The NIST SP 800-115 Technical Guide to Information Security Testing and Assessment assesses the benefits and limitations of various techniques
- The OWASP Mobile Security Testing Guide (MSTG) is a manual for mobile app security testers
- The Penetration Testing Execution Standard (PTES) explains the rationale behind pentests
- The Penetration Testing Framework (PTF) is a great resource for those starting out in vulnerability analysis
- Information Systems Security Assessment Framework (ISSAF)
- Open Source Security Testing Methodology Manual (OSSTMM)
- CREST Guide to Penetration Testing
Examples of State, Country, and International Standards
- The California Consumer Privacy Act (CCPA) was passed in 2018 to enhance privacy rights and consumer protection (see 2020 Data Privacy Laws for California).
- The Personal Information Protection and Electronic Documents Act (PIPEDA) became law in Canada in 2000.
- General Data Protection Regulation (GDPR) is a regulation in the European Union (EU) on data protection and privacy. There are many GDPR implications, even if your business is based in the U.S. (see What Do You Need to Know About Collecting Personal Data from Users in the EU and How to Stay Compliant with Europe’s GDPR and California’s Assembly Bill 375).
Examples of U.S. Standards
- The National Institute of Standards and Technology has produced a special publication (NIST SP 800-53) that recommends security controls for U.S. federal information systems, organizations, and agencies—as well as those who do business with them.
- The U.S. Department of Defense’s Defense Information Systems Agency publishes the Security Technical Implementation Guides (DISA STIGs) for all computer software and networks used by the DoD, and those connected to it.
- The Center for Internet Security (CIS) has a single framework that is popular with smaller, unregulated businesses because it requires fewer controls.
Examples of Industry and Sector Standards
- The Health Insurance Portability and Accountability Act (HIPAA) is U.S. healthcare legislation. Those who fail to protect patients’ data against malicious hackers face heavy penalties (see 5 Most Common HIPAA Violations (and How You Can Avoid Them) and How to Keep Your Medical Office HIPAA Compliant).
- Major credit-card issuers have established a set of international security standards for those whose business relies on payment by credit and debit cards—The Payment Card Industry’s compulsory and international Data Security Standard (PCI-DSS).
Examples of Cybersecurity Principles and Standards
- The 2005 ISO/IEC 27001 Standard (revised in 2013 and 2022) relates to requirements for information security management systems.
- The Open Web Application Security Project (OWASP Top 10, 2013, 2017, 2021) is best known for producing a list of the top 10 most critical risks.
- The OWASP API Security Top 10 (2019, 2023) is a list of the top 10 security concerns specific to application programming interfaces (APIs).
- The OWASP Application Security Verification Standard (OWASP ASVS 4.0) presents a strict and explicitly defined security checklist that aims to help in the development and maintenance of secure web applications.
- The Common Weakness Enumeration (CWE/SANS Top 25) is a list of the top 25 most dangerous software weaknesses and errors in web applications.
- The Web Application Security Consortium (WASC Threat Classification 2.0) is a threat classification system and security standard for web vulnerabilities.
How Do Pentesters Approach the Test Environment?
There are several ways penetration testers tackle the attack surface. Let’s start with the basics.
Penetration Testers Are White Hat or Ethical Hackers
Pentesters for hire have authorization from system owners to:
- Proceed with simulated attacks
- Illustrate the potential for security leaks in a system without causing harm
- Evaluate specific aspects of the system’s security so that you can harden it
White-Box Versus Black-Box Pentesting
A penetration test starts by defining the boundaries of the system to be tested and the goal of testing.
Here is the difference between the two main starting points for pentests:
- A “white-box” test is when the internal workings of a system are open and clear. If a pentester understands a system’s architecture and components, it’s easier for them to pick one element from the attack surface to hack.
- A “black-box” test is one in which you provide the pentester with only basic or no information beforehand.
White-box pentests are more effective from a discovery viewpoint, since the pentester can delve deeply. However, black-box tests more accurately reflect the trajectory of a typical malicious hacker.
Automated Versus Manual Pentests
Manual penetration testing is expensive and time-consuming when compared to the use of automated pentesting software. Security scanning platforms can automatically identify multiple vulnerabilities and security flaws in networks, web applications, content-management systems, web services, and web APIs. They will then automatically provide a proof of exploit and remediation recommendations, often within minutes.
However, there are unique advantages to manual pentest methods. They tend to provide a more realistic indication of your current security posture because they uncover vulnerabilities that result from flaws in the organization’s unique business logic that are difficult for a scanner to replicate.
Continuous Versus Reactive Penetration Testing
Unfortunately, many organizations only think about the need for penetration testing as a reaction to some external pressure—a looming audit, a compliance failure, a customer query or complaint, or a security breach. The best approach is to make pentesting a part of the overall security plans for your organization.
For example, within software application development, security scanning is built into the software development lifecycle (SDLC). Manual pentests provide a snapshot overview of the security state of a system or network. Meanwhile, automatic vulnerability assessment tools allow pentesters to perform continuous penetration tests along the span of the SDLC, avoiding security breaches in live environments.
What Kind and Quality of Information Does a Penetration Test Report Provide?
A penetration tester will normally provide you with reports that set out what vulnerabilities exist in your system. Here’s what to expect.
The Vulnerability Type and the Potential Business Risks
A pentest should identify weaknesses in the relevant system’s design, operation, or management, as well as in the security procedures around it.
There are two main types of vulnerability:
- Security risks that exist from exploiting a vulnerability such as insecure ports; out-of-date third-party components; vulnerable contact forms; revealing URLs; or insecure networks, systems, services, or databases
- Software bugs, including errors in the design or operation of applications, or integrations that produce unintended results
The Classification of Vulnerabilities
Vulnerability severity is assigned on the basis of the criticality of the business risk and the degree of difficulty in exploiting it. Penetration testers use catalogs of software weaknesses and vulnerabilities such as the CWE (mentioned above), the Common Vulnerabilities and Exposures (CVE), and the Common Vulnerability Scoring System (CVSS) to do this.
Once classified according to criticality, you can then filter vulnerabilities and deal with them accordingly.
The final report from a pentester will include their recommendations on remediation activities for each vulnerability or security risk they detected.
Is There a Strong Business Case for Penetration Testing?
The business damage caused by malicious hacks is both substantial and multifaceted.
- News of malicious hacks spreads rapidly, but fades slowly, causing damage to your brand. Reputational damage may make it difficult to attract or retain clients.
- Existing suppliers may be unwilling to partner with you because they don’t want to put their own data and systems at risk.
- Data theft can include intellectual property as well as financial and customer information.
- Malicious hackers can launch phishing attacks or use ransomware to lock you out of business systems or networks unless you pay to regain control of your data.
- Proof of security compliance may be a condition for getting business insurance. And, after a data breach, it can be much harder to secure cyber insurance. Even if a provider is willing to insure you, they may significantly increase the premium.
- Your business may incur crippling financial penalties due to weak or negligent security policies.
- Individual office holders in your organization can even be subject to criminal proceedings and jail time.
Principles To Help Companies Conduct Successful Penetration Testing
Here are some guidelines to help you select a pentester or solution to help avoid breaches in your security perimeter.
- Place pentesting within the wider context of an initial and ongoing assessment of your cybersecurity risks and vulnerabilities.
- Select software applications that support your pentesting efforts with comprehensive reports that explain the details of each detected vulnerability, rank them according to criticality, and provide remediation advice.
- Develop a cybersecurity plan based on a security framework that fits your business.
- Partner with insurance experts that are specialists in cybersecurity indemnity to get the coverage you need.
- Pay attention to the often overlooked, yet broadest, attack surface of all—your endpoints—and the endpoint detection and response coverage that protects them.
- Train all staff on cybersecurity, so that even those without programming skills or coding knowledge can still run regular scans that alert and support your pentesting efforts.
What Is Penetration Testing in Cybersecurity?
Penetration testing plays an essential part in the adoption of cybersecurity policies and practices—and not just for larger organizations. If you handle or process private customer data, or run software applications and platforms, then your entire network, endpoints, web applications, APIs, and services form a large and potentially vulnerable attack surface. Many laws across the world require you to incorporate robust and defined cybersecurity measures as part of your cybersecurity strategy. Medium-sized and small firms are just as much of a target as larger enterprises for hackers intent on accessing and stealing data.
If you lack the expertise to understand how the relevant legislation applies to you or the confidence to run your own pentests, it’s worth investing in experts who can take care of it for you.
Regardless of your industry vertical or regulatory context, Sagacent Technologies can perform pentests, specialized vulnerability assessments, and IT audits to evaluate your ability to resist malicious hacks.
Contact us today to find out how we conduct penetration tests or to book a business security assessment.