The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, and Government.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts.


Penetration Testing Frequently Asked Questions

October 29, 2012, Adversary Ops, Coalfire



You may have noticed this recent article about Google’s contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Labs does every day - working with security leaders to test their security programs.

Our penetration testers perform real-world attacks on your IT infrastructure to test the effectiveness of your organization’s investment in security defenses.  This is also referred to as “white hat hacking” – although, truth be told, I’m not a huge fan of that term.  We perform penetration tests on organizations in many industries such as banking, retail, utilities, government, etc. to uncover security flaws so the weak links can be fixed before their adversaries find them.

Penetration testing is an important part of every IT Risk management program, and yet, we still get a lot of questions. So here, in honor of Cyber Security Awareness Month, are some answers to the most common questions we receive about penetration testing.

Why do a penetration test?

The average cost of a data breach is $6.75 million (according to a Ponemon Institute report), and that figure doesn’t include the future opportunity cost of reputation loss. It is important to verify that the controls you’ve invested in are actually working as expected; otherwise you are wasting money and leaving company resources exposed.

What is a penetration test?

A penetration test is a real-world attack performed by security experts on a company’s IT infrastructure to discover exploitable security flaws. It differs from a vulnerability assessment: a vulnerability assessment is “an inch deep and a mile wide,” cataloging as many potential weaknesses as possible (typically with automated scanning) without confirming that they can actually be exploited, whereas a penetration test is the opposite, narrowly focused and taking exploitation to the furthest extent possible, including chaining individual findings together to reach higher-value targets. At the completion of testing, the organization receives a report known as an “outbrief,” which demonstrates how the vulnerabilities could be exploited to compromise the organization’s IT infrastructure and how far the penetration tester was able to take that compromise. There are different types of penetration tests: Network Penetration Testing, Application Penetration Testing, Embedded System Penetration Testing (also known as “hardware hacking”), Physical Penetration Testing and Red Team Engagements.

How is a penetration test conducted?

A good penetration testing firm will establish an attack plan specific to your business that emulates the individuals or groups with something to gain by attacking your organization. Based on this, the plan may focus on a specific part of your infrastructure, specific applications, or particular company divisions and office locations. Attack plans can emulate an Internet-based attacker, a rogue employee, a competitor, a compromised business partner, a malicious customer, or any combination of these. The attack plan drives the methodology of the penetration test. Methodologies usually include technical techniques that exploit operating system vulnerabilities, unpatched systems, application coding flaws, insecure websites, and weak security configurations. They may also include non-technical techniques, such as social engineering that attempts to compromise your systems with the unwitting help of your staff, or attempts to gain physical access to your network or facilities.

Who performs penetration tests?

Hire an independent third-party penetration testing expert and have them work in partnership with your team. Look for Offensive Security Certified Professional (OSCP) or GIAC Certified Penetration Tester (GPEN) certifications, and ask which tools and methodologies they use. Ask to review references and/or case studies in your particular industry.

Where is a penetration test conducted?

You get to choose which IT areas to test since you know your organization’s business best.  A good penetration testing firm will work with you to understand what type of adversary to emulate and what they would be trying to accomplish when acting as that adversary.  Depending on those goals, the attack plan may be quite different.  For example, an online retailer, a healthcare provider, and a manufacturing plant could have vastly different goals in the attack plan, whereas organizations that are subject to the same set of regulations may be quite similar.  But the bottom line is that most executives set the scope based on a combination of known or suspected vulnerabilities, risks to the business and cost or operating constraints.

When is an appropriate time to conduct a penetration test?

It’s up to you to choose a timing strategy that makes sense for your company. Your auditor will probably ask for a ‘recent’ penetration test, which typically means ‘within the past year.’ As compliance standards grow, the ‘when’ usually depends on what needs to be tested and which standard your company must meet, and that can change over time. Because a penetration test reflects only a single point in time, it is important to stay current and to maintain your risk management program continuously, before, during and after an audit, and to retest after significant changes to the environment rather than waiting for the next annual cycle.

Although penetration testing is often misunderstood, when done by a qualified firm it gives an organization deep insight into the effectiveness of the security processes and technologies it has invested in.
