What Is A Penetration Test And Why Should I Get One?

BY Beth Dyer / ON Sep 01, 2022

Is your business an easy target for hackers?

A penetration test is the best way to know for sure.

What is a pentest?

Red teaming, ethical hacking, penetration testing - we’ve all heard of it. But what actually is pentesting?

The simple, one-line answer is that a penetration test will tell you what the asset being tested looks like from the point of view of a hacker.

Penetration testing is a mostly manual process carried out by experienced consultants, using some of the same methods and tools a real hacker would. You decide on the scope of your test with your consultant, set your target, and your tester will get to work attempting to breach it.

Crucially, a pentest shows you not only how strong your defences are, but also what the potential consequences could be if a bad guy really got into your infrastructure.

Often people confuse pentesting with vulnerability scanning. A vulnerability scan is an automated tool that checks your targets against a huge database of known vulnerabilities (OnSecurity’s Scan actually runs over 70,000 checks, woah).

And it’s just that - an automated scanner. With a pentest, you’ve got an actual human on the other end, actively digging around your network, trying to find vulnerabilities and misconfigurations. Just like a real-life bad guy would.

Why do I need a pentest?

This one’s pretty simple.

At school, every so often you’d be subject to a fire drill. Usually a pain, and often resulting in queuing up in the rain for half an hour while your teacher makes sure a 7-year-old hasn’t got trapped in the toilet.

The point of the drill is to expose points of weakness, which you can then rectify. Often you might think your plan is solid, only for a practice run to expose some glaring hole - and this is what a pentest does.

The way that bad actors target businesses is commonly misunderstood. Generally you think it goes like this:

  • bad guy targets company
  • bad guy finds vulnerability
  • bad guy infiltrates company

Sometimes this is the case for big name brands, but often it’s actually much more opportunistic than that.

Generally the process is that attackers are constantly mass-scanning the internet using a list of known vulnerabilities, such as missing patches (like in the Microsoft Exchange Server data breach) or misconfigurations (weak passwords, for example). If an organisation is found to have a vulnerability, they then become a target.

So, back to pentesting. Because a testing consultant will use the same tools and methodologies as a bad actor would, you’re getting a true estimation of whether or not the typical opportunistic hacker could get into your network. If the worst were to happen, how much data could they get access to?

The report that comes from a pentest will not only list your vulnerabilities, but rank them in order of severity, giving you a chance to prioritise your risk and, once they’re fixed, confidence in your security.

Pentesting for Compliance

Secondly, compliance is a massive factor. Working with many organisations now requires you to prove you’re serious about your security, and pentesting is required for a number of certifications including PCI DSS (for payment card data), the NHS Data Security and Protection scheme, SOC 2 and ISO 27001.

Not only this, but a pentest can help you prevent a breach by identifying issues before an attacker finds them - saving you huge costs in incident response, recovery, potential fines and reputational damage.

What actually happens in a pentest?

A pentest can be carried out in one of three ways:

  • Black box - no information is provided to the tester, and no login credentials
  • Grey box - limited information is shared with the tester, usually login credentials
  • White box - the tester has as much knowledge of the target as possible, including credentials and often access to the code (if permitted)

Obligatory hacker in a hoodie at keyboard

You need to decide what level of access you want to give your tester. Generally speaking, black box testing is more focussed on your perimeter security (how easy it is to get in in the first place), whereas white box testing covers the entire target more comprehensively.

Firstly, your test needs to be scoped - this is where your provider estimates how long it’s going to take to do a thorough examination of your target and write up a report for you.

Once you’ve agreed on the type of test, handed over info about the target, and decided on how aggressive you want your tester to be, your test will begin.

Let’s say you’re testing a web application. The first phase is basically information gathering. Your consultant will dig through your application and its environments, identifying and mapping your assets, and generally conducting reconnaissance. The purpose of this is to understand the size of the attack surface, and number of possible entry points.

Second, the tester works to see whether there are any weaknesses in your application. Have you left something unpatched?

Next is the fun part. Attack!!!! This is when your tester actually attempts to breach your application using a vulnerability they’ve identified. Once they get in, typically they will then try to elevate their privileges to see just how much functionality and data they can get access to.

Using Burp Suite for a pentest

Your consultant will be tracking everything they do and the results of everything they try, in order to pass this info over to you. The best news is (quick humble brag), with OnSecurity pentesting, this happens in real time, so you’re alerted to any issues as soon as your tester finds them.

Once the test is over, your tester will write up your findings into a report that you can share with prospective clients or partners, compliance organisations, or even your mother in law (if she’s into that kind of thing).

How do I choose a pentest provider?

Despite penetration testing being a highly-skilled activity, there’s actually nothing to stop anyone with a laptop setting themselves up as a vendor (terrifying, right?).

Making sure the organisation is responsible, and that its testers are genuinely expert, is obviously vital. That’s why the CREST accreditation programme provides assurance for buyers that the organisation has submitted all its methods, procedures and policies and been deemed ‘fit for purpose’.

The more knowledgeable a tester is, the further they will be able to reach inside your network on their hunt for vulnerabilities, as well as being able to tailor reporting to any specific needs you have.

How do I book a pentest?

Good news! We’ve made it as easy as possible to book a pentest. Traditionally, booking a pentest can be longer and more complicated than writing a 50,000 word essay on how paint dries.

With OnSecurity you can get a quote and book a pentest online in a few clicks - and in as little as 60 seconds! We’re designed to work with agile organisations, so we’ve made it as simple as possible to get started with your pentest, with no lengthy scoping questions or inflexibility.

OnSecurity works in hours, not days, so you get a quote based on the actual time your test will take, without any padding or rounding up to the nearest day. Plus, we report as we go - so no waiting around while a tester spends days writing up a report before you can action any findings.

If you’re super speedy on fixing stuff, we’ll also retest any findings for free for you within a week of the end of the test. As we’re CREST-accredited, you can be sure that everything we’re doing has been independently vetted (and we’re not using your Dad’s dodgy mate down the pub who’s just got a new laptop).

Fancy a chat? You can get a quote here or speak to one of our team.