The Coalfire Blog
Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government.
The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts.
The Coalfire Blog
Penetration Testing Frequently Asked Questions
October 29, 2012, Adversary Ops, Coalfire
You may have noticed this recent article about Google’s contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Labs does every day - working with security leaders to test their security programs.
Our penetration testers perform real-world attacks on your IT infrastructure to test the effectiveness of your organization’s investment in security defenses. This is also referred to as “white hat hacking” – although, truth be told, I’m not a huge fan of that term. We perform penetration tests on organizations in many industries such as banking, retail, utilities, government, etc. to uncover security flaws so the weak links can be fixed before their adversaries find them.
Penetration testing is an important part of every IT Risk management program, and yet, we still get a lot of questions. So here, in honor of Cyber Security Awareness Month, are some answers to the most common questions we receive about penetration testing.
Why do a penetration test?
The average cost of a data breach is $6.75 million (according to a Ponemon Institute report) – and that figure doesn’t include future opportunity cost due to reputation loss. It is important to verify that the controls you’ve invested in are working as expected or you are wasting money and risking company resources.
What is a penetration test?
A penetration test is a real-world attack performed by security experts on a company’s IT infrastructure to discover exploitable security flaws. This is different from a vulnerability assessment in that a vulnerability assessment is “an inch deep and a mile wide” whereas a penetration test is the opposite – a narrow focus, taking exploitation to the furthest extent possible. At the completion of penetration testing, the organization will get a report known as an “outbrief” which will demonstrate how vulnerabilities could be exploited to compromise the organization’s IT infrastructure, and to what extent the penetration tester was able to take that compromise. There are different types of penetration tests: Network Penetration Testing, Application Penetration Testing, Embedded System Penetration Testing (also known as “hardware hacking”), Physical Penetration Testing and Red Team Engagements.
How is a penetration test conducted?
Good penetration testing firms will establish an attack plan specific to your business, which would emulate attacks that would be launched from individuals or groups that have something to gain by attacking your organization. Based on this, a plan is established that may focus on a specific part of your infrastructure, specific applications, or company divisions and office locations. Attack plans could emulate an Internet-based attacker, a rogue employee, your competitors, a compromised business partner, malicious customers, or any combination of these. The attack plan drives the methodology of the penetration test. Methodologies used during the test usually include technical techniques to exploit operating system vulnerabilities, unpatched systems, application coding flaws, insecure websites, and weak security configurations. They may also include non-technical techniques such as applying social engineering tactics to attempt to compromise your systems with the help of your staff, or by attempting to gain physical access to your network or facilities.
Who performs penetration tests?
Hire an independent third-party IT auditing expert, and have them work in partnership with your team. Look for Offensive Security Certified Professional (OSCP) or GIAC Certifited Penetration Tester (GPEN) certification and ask which tools and methodologies they use. Ask to review references and/or case studies in your particular industry.
Where is a penetration test conducted?
You get to choose which IT areas to test since you know your organization’s business best. A good penetration testing firm will work with you to understand what type of adversary to emulate and what they would be trying to accomplish when acting as that adversary. Depending on those goals, the attack plan may be quite different. For example, an online retailer, a healthcare provider, and a manufacturing plant could have vastly different goals in the attack plan, whereas organizations that are subject to the same set of regulations may be quite similar. But the bottom line is that most executives set the scope based on a combination of known or suspected vulnerabilities, risks to the business and cost or operating constraints.
When is an appropriate time to conduct a penetration test?
It’s up to you to choose a timing strategy that makes sense for your company. Your auditor will probably ask you for a ‘recent’ penetration test, and that typically means ‘within the past year.’ Because of the growing compliance standards, the “when” part of this typically depends on what needs to be tested and what standard your company needs to meet and this can also change over time. Since penetration tests are typically only a point-in-time reflection of your company, it is important to stay up-to-date and constantly work to maintain your risk management, before, after and during an audit.
<< Go Back
Although penetration testing is often misunderstood, when done by a qualified firm, penetration testing can provide an organization deep insight into the effectiveness of the security processes and technologies that an organization has invested in.
Blog post currently doesn't have any comments.