Penetration Test

So you need a penetration test?

You’ve seen these data breaches in the news and you’re worried it could be you next. With all the talk of GDPR you’re worried a fine could put you out of business. Time to bring in an ethical hacker so they can perform a security or penetration test.

These are some of the feelings we heard from some of our SME clients. When they started, security was always something they would think about later and, well, now it’s later. They may have had clients insisting on seeing a penetration test report, or maybe they want to make sure they find and fix vulnerabilities before they’re discovered by a malicious attacker. We’re aware it is often confusing and very difficult to find information on the costs and types of security tests, so in this post we’ve tried to be a bit more transparent to help you decide what type of test you need.

Keep in mind, this is something that even people working in cyber security can’t always agree on. These are our definitions of each test type and they should cover every style of test, although other companies may have slightly different names.

Also keep in mind that there are two main reasons to have a security test – one is to understand whether your company is safe from hackers, and the other is to understand whether your product is secure. This may influence which type of security test you’re after.

Vulnerability Scan

Let’s start with the basics. A vulnerability scan is performed using tools to detect known vulnerabilities and, other than the initial configuration, requires very little user interaction. At the very minimum, we recommend most companies perform periodic vulnerability scans. By running the same tools an attacker would, you’ll be able to find and fix any vulnerabilities before they’re found by low-skilled attackers – think the classic “15 year old in the bedroom”. Don’t make the mistake of thinking that because a vulnerability is easily found, it won’t be high risk. Vulnerabilities such as SQL injection, Cross-Site Scripting or Heartbleed are easy to detect with automated scanning.

Our recommendation: Perform these yourself if there is zero budget for security, but be aware that a lot of these tools require experience to run and even more experience to filter out false positives. Put in the effort to learn the tools if needed, as any vulnerability found by these tools can be found by anyone. If you have managed to put aside budget for security, consider finding a trusted security consultancy to perform these scans, but make sure they deliver reports with an attempt to remove false positives and recommendations on how vulnerabilities can be fixed.
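To make the false-positive point concrete, here is an added example (not code from this post or from any scanner vendor) of the triage step a report should go through before it reaches you. It assumes a constructed, simplified findings format with the keys host, plugin, cvss and evidence, where evidence is "version" when the scanner only matched a software version banner and "confirmed" when it actually exercised the flaw; real tools use their own export formats. The code deduplicates findings, ranks them by CVSS score and flags banner-only detections for manual verification, which is where most scanner false positives come from.

```python
"""Triage of vulnerability-scanner output: an added illustration, not code from
Digital Interruption or any scanner vendor.

Assumed (constructed) input format: a list of dicts with the keys host, plugin,
cvss and evidence. "evidence" is "version" when the scanner only matched a
version banner, or "confirmed" when it exercised the flaw. Real scanners export
their own formats and field names.
"""
from collections import defaultdict

# Constructed sample findings: three hosts, a mix of banner-only and confirmed
# results, plus one exact duplicate that a raw export often contains.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "plugin": "OpenSSL Heartbleed", "cvss": 7.5, "evidence": "confirmed"},
    {"host": "10.0.0.5", "plugin": "SQL injection in /login", "cvss": 9.8, "evidence": "confirmed"},
    {"host": "10.0.0.6", "plugin": "OpenSSL Heartbleed", "cvss": 7.5, "evidence": "version"},
    {"host": "10.0.0.7", "plugin": "Reflected XSS in /search", "cvss": 6.1, "evidence": "confirmed"},
    {"host": "10.0.0.7", "plugin": "Outdated jQuery", "cvss": 4.3, "evidence": "version"},
    {"host": "10.0.0.7", "plugin": "Reflected XSS in /search", "cvss": 6.1, "evidence": "confirmed"},
]


def severity(cvss):
    """Map a CVSS base score onto the usual qualitative bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Info"


def triage(findings):
    """Deduplicate, rank by CVSS and flag banner-only detections for verification.

    Returns a list sorted highest risk first. Each entry carries a
    'needs_verification' flag so the report can separate confirmed issues
    from results that may be false positives.
    """
    seen = set()
    unique = []
    for f in findings:
        key = (f["host"], f["plugin"])
        if key in seen:
            continue  # same issue on the same host reported twice
        seen.add(key)
        unique.append({
            **f,
            "severity": severity(f["cvss"]),
            # A version match alone proves nothing: the package may be
            # backported or patched, so it must be checked by hand.
            "needs_verification": f["evidence"] == "version",
        })
    # Highest score first; among equal scores, confirmed issues before
    # unverified ones so the report leads with what is actually proven.
    unique.sort(key=lambda f: (-f["cvss"], f["needs_verification"], f["host"]))
    return unique


def summarise(triaged):
    """Count findings per severity band, split into confirmed vs to-verify."""
    counts = defaultdict(lambda: {"confirmed": 0, "to_verify": 0})
    for f in triaged:
        bucket = "to_verify" if f["needs_verification"] else "confirmed"
        counts[f["severity"]][bucket] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        flag = "  (verify: version-based detection)" if f["needs_verification"] else ""
        print(f"{f['severity']:8} {f['cvss']:4} {f['host']:10} {f['plugin']}{flag}")
    print(summarise(triage(SAMPLE_FINDINGS)))
```

A report that only dumps the raw scanner export would list the duplicate twice and present the banner-only Heartbleed result on 10.0.0.6 as though it were as certain as the confirmed one on 10.0.0.5; the separation above is the minimum you should expect from a paid scan, and the verification column is where the consultant's time actually goes.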

Cost: Usually based on number of hosts, applications or IP addresses. Most small or medium companies can expect to pay between £250 and £700 per month. If you choose to do this yourself, keep in mind you’ll likely need to buy licenses for scanning tools although many free tools exist.

Time: You can expect to have results the same day or within 5 business days, depending on the number of hosts to scan and how many results need to be verified.

Vulnerability Assessment

A vulnerability assessment differs from a vulnerability scan in that it is more manual and requires some amount of security expertise. In a vulnerability assessment, a tester will look for as many security vulnerabilities as possible in a given application or network and report them based on severity. Automated scanning tools will often be used; however, these augment the manual testing rather than being the test itself. In a vulnerability assessment, the focus is on identifying issues that aren’t normally found by tools, rather than on exploiting them and/or understanding the actual business risk. A vulnerability assessment may also be limited in its remediation recommendations – think “user input should be output encoded” rather than a recommendation more tailored to the application.

Our recommendation: If possible, have someone in the team who can perform vulnerability assessments. This could be part of the QA team or a developer who is particularly interested in security. If a third party needs to be brought in, look for companies with experience in security testing and good recommendations.

Cost: A vulnerability assessment is usually between £500 and £800 per day if performed by a third party.

Time: It can vary vastly depending on the size of the application or infrastructure, but a basic web application would typically take two or three days plus a day for reporting.

Penetration Testing

A Penetration (or pen) Test is often confused with a Vulnerability Assessment, although a vulnerability assessment will often be performed at the same time as a penetration test. A big difference is that a good penetration tester will focus on vulnerabilities that can be exploited and aim to prove some actual attack. For example, a penetration tester may want to show they have managed to get access to a database and dump passwords, show they have gained Domain Admin access, or even show how several vulnerabilities were chained together to perform an attack.

A penetration test may also discover some weaknesses that might exist even if they could not necessarily be exploited due to the limited scope or time (this might include Denial of Service vulnerabilities or vulnerabilities in third party components). This level of security understanding can only be gained with an experienced penetration tester.

A penetration test is very tightly scoped (i.e. only specific hosts/applications are allowed to be attacked) and there is very rarely a requirement to evade detection. In fact, it’s common for a penetration tester to ask for valid credentials or access so as to have full coverage in the assessment.

Recommendation: Bring in a third party consultancy to perform penetration testing, as it often requires specialist knowledge and someone not involved with development/deployment. This should be done annually or whenever a large change occurs, although be aware that a penetration test is a snapshot in time. Just because an application isn’t vulnerable today, it doesn’t mean new attacks won’t be present tomorrow.

We recommend looking for companies with good reputations. Although it’s good to use accreditations to figure out which companies are legitimate, don’t forget the smaller shops when accredited companies aren’t a requirement (for some organisations, such as government work, they are). These companies are often smaller and therefore cheaper. Unfortunately we’ve seen several cases where a company is selected because they are accredited, only to have a junior consultant perform the test.

Cost: A penetration test can cost as much as £1300 per day. Digital Interruption has significantly lower prices (due to our size, we’ve avoided expensive accreditations and large sales teams) and fixed price packages. We only use senior consultants and experienced ethical hackers.

Time: As with a vulnerability assessment, a penetration test will take longer with more complex applications or infrastructure. Expect around 5 days including reporting, but it may be as much as several weeks for multiple applications and complex networks.

Red Teaming

A Red Team attempts to simulate a real-world attacker in order to perform some specific goal or action. This could be accessing sensitive data, having an ATM spit out money or viewing the CEO’s emails.

Because these engagements tend to be longer and more complex than a Penetration Test, they are only recommended for companies that already have a security budget, and only after they have performed regular vulnerability scans and penetration testing. One of the biggest differences between a penetration test and a red team is the scope; in a red team the scope is almost completely open (with obvious legal restrictions).

One question we’re often asked is: if we have penetration tests, do we need a red team exercise? Really, this depends. Although penetration tests can help companies secure their applications and infrastructure, there will always be zero days (a new vulnerability), an employee that clicks a phishing email or someone with access to the building that can plug in a malicious device. A Red Team learns what attacks are being used in the wild and attempts to mimic them to gain access to a target company. This type of test highlights where any weaknesses may be.

Another reason to perform a red team test is to test the capabilities of the blue team. As a red team will focus on staying undetected, it is a good way to see what can be found by the internal security or network team. This means it’s critical that only those who need to know about the red team exercise are informed. If you’ve ever said or heard “be careful, a red team exercise is happening this week”, it’s likely that it’s not a red team and is instead a penetration test.

Recommendation: A red team exercise needs to be performed by an external company or, if internal, by a completely separate team that has experience running red team exercises. As a red team needs to emulate real-world adversaries, it is important that the team has knowledge of these attacks and tools.

Cost: A red team engagement can cost tens of thousands of pounds.

Time: A red team exercise may take many months, as moving too quickly could cause the team to be detected. It may also require the development of zero days, the creation of new tools, or time to understand the environment once access is attained.

What Next?

Hopefully you now have a better idea of what type of test is most relevant to you. Get in contact if you’re worried about your security and we will put together a no obligation scope.