Penetration Testing, Frequently Asked Questions
FAQ: Penetration Testing
What is a penetration test?
- Most thorough and complete way to identify security holes and vulnerabilities that could be exploited
- A penetration test is also known as an IT security test
- Testing performed by certified security company engineers
- Tests client networks, servers, web apps, mobile platforms, wireless systems, printers, modems - any technology that may store, process, transmit or receive data that would have value to a cyber-criminal
Why contract for a penetration test?
- Every day, valuable data is being stolen, copied and sold without the knowledge of the rightful owners
- Most organizations are unaware of how vulnerable they are to this theft
- Unlike a physical break-in, data theft may go undetected for months - even years
- Best way to protect data is to identify and close the holes and vulnerabilities that exist in the system before they are discovered and exploited
When do you need a penetration test?
- Prior to contracting for breach insurance
- Viruses, malware or spyware noticed on workstations
- After implementing significant changes in website or network
- Unauthorized traffic noticed on the network
- Security audit for HIPAA or PCI-DSS
- After installing new software or other upgrades
- Prior to submission of application for breach insurance
- If you store valuable data and have never had one
My data is stored in the cloud. Why do I need a penetration test?
- Software, particularly custom software, is almost always filled with security holes and vulnerabilities. Your cloud provider has no control over your software
- Your corporate environment devices (all-in-one printers, wireless servers, laptops, workstations, modems) are vulnerable, and testing is crucial for this environment
What types of systems have you performed penetration testing on?
We have tested the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, web servers, operating systems and browsers); wireless systems; internal workstations, printers and fax machines; war dialing of phone numbers; virtual environments including cloud; internet-enabled devices; and more. We have tested law enforcement systems, state and municipal government systems, and private sector systems ranging from online gaming to financial institutions.
What certifications do you have to perform penetration testing?
All of our penetration testing engineers hold industry-recognized certifications, such as GSEC, GWAPT, GPEN or CEH. In addition, we ensure that all of our penetration testers have strong web development backgrounds (often coupled with additional coding backgrounds), as well as networking experience. Our penetration testers are US citizens and undergo a thorough background check.
We're already performing vulnerability scanning, why should we perform a penetration test?
Vulnerability scans leverage preconfigured pattern recognition, so there are many aspects of a system that will not be scanned completely, and some will not be scanned at all. Penetration testing provides coverage for a large number and variety of serious security faults that scanners are incapable of finding and testing.
How much experience do you have performing penetration testing?
Our engineers have thousands of hours of penetration testing experience, and decades of security background.
Can a penetration test break my system?
Our penetration testing methodology is specifically designed to mitigate data loss, downtime and risks to our customers. In cases where exploiting a vulnerability carries a risk to the system, we will document the vulnerability, and report it to the client, but will not pursue the exploit unless our customer asks us to do so.
What is an example of a large pen test engagement you've performed?
We have performed single engagements for clients covering more than 4000 IP addresses and thousands of web pages covering many different systems.
How long does it take to perform a penetration test?
The length of the penetration testing engagement depends on the type of testing, the type and number of systems and any engagement constraints. Typical engagements have an average testing time of 1 - 3 weeks.
How do I schedule a penetration test?
Once the contract is signed and returned to High Bit Security, we will immediately schedule the engagement. Scheduling is typically 4-8 weeks out, so we recommend our customers get their signed contracts in to secure their slot on the schedule.
Why do you request all of the details for the engagement, such as IP addresses, URLs, user credentials - shouldn't you be able to figure all of the information out for yourself, and hack into the systems without credentials?
We are fully capable of testing network, system and application security with minimal information, should our clients desire to incur the additional expense and risk. There are, however, real problems with that approach. It increases costs while decreasing effectiveness, and leaves the hackers with significant advantages. This is because legitimate security firms are ethically and legally constrained - we simply can't do some of the things that hackers would do, like attacking one of your corporate partners and then attacking you from the trusted system, or hacking one of your users' social networking accounts to see if they use the same password for your application. By asking for complete information, we keep your costs down, ensure thorough coverage and eliminate the hacker advantage by devising legally acceptable tests that ensure you are not at risk. The choice of methodology is yours, but we normally recommend this approach because it has the best return on investment for most of our clients.
We received a Penetration Test proposal that was quoted significantly lower than other proposals we received - why is that?
The most costly component of any true penetration testing engagement is the experienced security engineer - their time spent performing manual penetration testing. High Bit Security leverages our experienced US penetration testing team for every engagement, and due to our streamlined and cost effective processes, we're able to provide aggressive pricing for our customers. We may not be your lowest cost provider of penetration testing, but we are absolutely confident that we are delivering comprehensive and thorough results.
Currently, there is no recognized "standard" for penetration testing, and the quality varies dramatically. Some vendors offer automated scans and call them a penetration test. Others offer an automated scan with a manual review of the scan results and call it a penetration test. Still others will opt to outsource their security engineer work to the lowest cost bidder with offshore resources.
If your goal is to satisfy a compliance mandate, this type of testing can be rejected by auditors and lead to numerous and expensive rounds of repeat testing. If you seek to satisfy an important potential client, the client may want details about quality of the testing, and may legitimately reject these methods. Finally, if your purpose in testing is to secure your organization, these superficial methods of testing are only marginally better than vulnerability scans and can lead to an inaccurate belief in the security of your systems.
If you are pursuing penetration testing to satisfy compliance mandates, High Bit Security will ensure that the testing meets compliance requirements. For your potential or existing clients, we can provide client-facing reports that include details about the scope and breadth of testing, but will not include sensitive details of the testing engagement results. If your purpose is improvement of your organizational security, we provide testing that thoroughly covers network, system and application layers, addressing the latest security threats.
What makes High Bit Security better at penetration testing than your competition?
The goal of our business process and testing methodology is Return On Security Investment. We provide high quality information security services, guide our customers through the entire process, deliver deep and actionable results, and deliver reports that are easily understood by both management and technical staff.
Initial Communication. You will notice the difference very early in the process. While many of our competitors are engaged in price support activity, asking you to attend WebEx sessions or sending you 20 page marketing slicks, we will ask you for a 30 minute initial scope call. We will identify your needs, ask pertinent questions, and answer your questions. We will not waste your time.
Efficiency Continues. The 30 minute scoping call provides all the information we need, allowing us to facilitate tight deadlines, quickly delivering the proposal. Contract approval secures your place on the schedule. We'll start and conclude testing during the agreed upon timeframe, and will deliver reports within 3 days of window completion.
Reports. The level of clarity and detail provided in our reports enables our clients to begin remediation immediately, and our team is always available to answer any questions. The reports include what we found, where we found it (with specific examples and screenshots as appropriate), issue summaries and specific details on how to correct the issue. In pertinent cases we provide sample files or scripts to make it easy for developers and administrators to replicate the issue themselves. All of our security engineers have coding backgrounds, enabling us to explain complex coding issues to your developers. Your internal resources will have precisely what they need to quickly deploy corrections.
Remediation Assistance. We will assist you in the correction of any faults. When you advise us the issues are corrected, we will validate that the vulnerabilities are closed.
Our People. This may come as a surprise, but a security certification does not attest to programming knowledge. Most certified industry security professionals have a background in networking, but few have a solid background in production level programming. All High Bit Security penetration testers have a production programming background in at least two development languages. All of our penetration testers have solid, real life production development backgrounds, not just a couple of college semesters or theoretical knowledge. Why is this important?
It's hard to test what you don't understand. Almost all information security faults that are not related to configuration or simple logical faults originate in programming code. Penetration testers who are not expert coders are forced to rely on tools to identify and test these faults. In contrast, our penetration testers are capable of hand crafting exploits in several programming languages. They can - and do - make their own tools for custom exploits as needed.
It's hard to find what you don't recognize. It is much easier for our penetration testers to find application faults because they have extensive application development backgrounds. They know the shortcuts, pitfalls and pressures that development teams encounter. Our penetration testers will make intuitive leaps because they are able to "get inside the head" of a developer whom they have never met. It is almost impossible to do that if you have never been a developer.
It's hard to communicate what you don't know. Interpreting a report written by a penetration tester with insufficient development background is frustrating, particularly when issues require explanation. Our reports contain executive summaries, and also include detailed finding reports that focus on the technical details written in a language that your system administrators and developers understand. If you need additional guidance, our penetration testers are always available by phone. You can be certain that a security engineer with a networking and development background can effectively communicate with your technical staff.
We are client focused and committed to the highest Return on your Security Investment. Throughout our process, you will be confident that your security is being handled by the best. You will discover that our team is easy to talk to, easy to understand, efficient and have a wealth of experience in all the right areas. High Bit Security - we look forward to securing your business.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is performed by a pre-configured computer program that evaluates your network and applications for vulnerabilities, and produces a report. This report will contain false positives and require interpretation. Vulnerability scanners are good at finding known vulnerabilities but are not very good at identifying logical faults, and often fail to find serious security flaws in custom coded applications. Vulnerability scanning is included with all penetration tests from High Bit Security, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers. The High Bit Security team advises our clients of what we found, where we found it and specifics surrounding how to fix it. Ultimately, the difference between a vulnerability scan and a full penetration test is that security engineers think, analyze, track, follow up and judge, and scanners do not. Reliance on scans alone will almost certainly lead to an insecure posture.
Typically, a vulnerability scan will identify and report some issues as low severity that are correctly identified as high or critical when a security engineer examines them in context. For example, a scanner recently reported an email address exposure as "informational". Our security engineer identified a brute force weakness in a web application, determined that the email address was the account name of the network administrator, and ultimately brute forced the password. This issue was reported on the penetration test as a high vulnerability because of its combination with the brute force weakness.
A vulnerability scanner is only as good as the configuration. If a scanner is not configured to find a vulnerability, it will not be found. An experienced security engineer, using the context of the system, has the ability to change direction based upon what is uncovered, following leads and problems as they emerge. Example: A recent law enforcement client had a perimeter router that had the lowest access level enabled by default. The scan reported this as a low issue. Our security engineer made an immediate decision to focus efforts there, found additional weaknesses and generated a previously unknown attack. We were able to elevate privileges to the highest level and take control of the perimeter router.
Vulnerability scanners are automated and thus are inherently more dangerous to system stability than manual penetration testing. To compensate, scanners are often configured to run only "safe checks". As a result, scanners miss key elements that should be tested. A knowledgeable security engineer is able to devise safer yet more thorough testing strategies, and find issues that automated scanners often skip for the sake of safety. Example: In a recent penetration test, the scanner had been configured to perform safe checks for buffer overruns and reported an issue as informational. The security engineer performed manual testing of buffer overruns on the customer's Oracle database and discovered that this vulnerability would ultimately lead to a complete system compromise. Clearly, this qualified as a high or critical vulnerability, not an "informational" one.
Since vulnerability scanners are only interrogating one issue at a time, they cannot see the complete picture. Security engineers, using experience, judgment, reasoning, and skill, are able to correlate seemingly disparate issues. Example: Our client was using a captcha device as added protection on their website login form. This was implemented to bolster a weak password policy, to prevent brute force attacks. However, they were passing the captcha values in a hidden form field. The scanner looked at the form, and the code behind it, and passed the issue because captcha devices are designed to defeat automated tools. The scanner could not correlate the hidden value with the captcha image because it couldn't read the image. The security engineer immediately recognized the "hidden" captcha code, and used this weakness to craft an attack that bypassed the captcha device and ultimately brute forced several accounts.
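The hidden-field captcha weakness described above, as an added illustration that is not code from the client's application or from High Bit Security: the weak form ships the expected answer to the browser, so the server ends up comparing two values the client controls; the hardened form keeps the answer server-side under a random one-time challenge id. Names and sample values are constructed for the example.

```python
import secrets
import hmac

# Weak design: the rendered login form carries the captcha answer in a hidden
# field. The server later compares the user's entry against that same field,
# so whoever can read the HTML can satisfy the check without reading the image.
def weak_render_form(captcha_answer):
    return {"username": "", "password": "", "captcha": "",
            "captcha_expected": captcha_answer}  # leaks the answer

def weak_verify(form):
    # Both operands come from the submitted form; nothing is trusted server-side.
    return form.get("captcha") == form.get("captcha_expected")

def weak_form_leaks_answer(form):
    # Review check a tester or developer can run on a rendered form:
    # True if a hidden field alone is enough to pass verification.
    return weak_verify({**form, "captcha": form.get("captcha_expected")})

# Hardened design: the expected answer lives only in server-side storage
# (a session store in a real app; a dict here, constructed for the example),
# keyed by an unguessable challenge id that is consumed on first use.
SERVER_STORE = {}

def strong_render_form(captcha_answer):
    challenge_id = secrets.token_urlsafe(16)
    SERVER_STORE[challenge_id] = captcha_answer
    return {"username": "", "password": "", "captcha": "",
            "challenge_id": challenge_id}  # no answer leaves the server

def strong_verify(form):
    # pop() makes the challenge single-use, so a wrong guess cannot be retried
    # against the same challenge and a solved one cannot be replayed.
    expected = SERVER_STORE.pop(form.get("challenge_id", ""), None)
    if expected is None:
        return False
    return hmac.compare_digest(form.get("captcha", ""), expected)
```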
Vulnerability scanners cannot find logical faults that involve separate processes. A security engineer has no difficulty correlating information across multiple processes. Example: We often encounter integrated email or text message responses, which our security engineers examine as part of their testing. A scanner cannot even see these important processes, and therefore cannot test them.
Vulnerability scanners have no understanding of business logic. The security engineer does, and will interpret results within the context of the business logic. Example: A customer used numbers in a URL parameter, and a vulnerability scan passed this issue because automated manipulation of the values did not result in any indication of access control faults. Our security engineer understood the business logic and correctly identified a serious access control fault that allowed anyone to view confidential account details of others.
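The numeric-parameter access control fault above, as an added example that is not the customer's code or High Bit Security's: a handler that only checks that the record exists beside one that also checks ownership, plus a small detector that flags users who successfully retrieved more distinct account ids than they should own. Account data, usernames and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records: account id -> owner and a confidential field.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500},
    1002: {"owner": "bob", "balance": 40},
    1003: {"owner": "carol", "balance": 910},
}

class Forbidden(Exception):
    pass

def vulnerable_account_view(current_user, account_id):
    # Existence check only: any logged-in user can read any account by
    # changing the number in the URL, which a scanner sees as a normal 200.
    if account_id not in ACCOUNTS:
        raise KeyError(account_id)
    return ACCOUNTS[account_id]

def hardened_account_view(current_user, account_id):
    # Ownership check on every lookup; "missing" and "not yours" get the
    # same response so valid ids cannot be enumerated from the difference.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden()
    return record

def can_read(handler, current_user, account_id):
    # Helper for tests: did this user get the record back?
    try:
        handler(current_user, account_id)
        return True
    except (Forbidden, KeyError):
        return False

# Constructed access-log lines showing one user walking sequential ids.
SAMPLE_LOG = """\
2024-01-01T10:00:01 user=alice GET /account?id=1001 200
2024-01-01T10:00:02 user=bob GET /account?id=1002 200
2024-01-01T10:00:03 user=bob GET /account?id=1001 200
2024-01-01T10:00:04 user=bob GET /account?id=1003 200
2024-01-01T10:00:05 user=bob GET /account?id=1004 404
"""
LOG_RE = re.compile(r"user=(\w+) GET /account\?id=(\d+) (\d{3})$")

def flag_enumeration(log_text, max_ids_per_user=1):
    # Users whose successful (200) reads span more distinct account ids than
    # they are expected to own; a cheap signal that ownership is not enforced.
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == "200":
            ids_by_user[m.group(1)].add(int(m.group(2)))
    return sorted(u for u, ids in ids_by_user.items()
                  if len(ids) > max_ids_per_user)
```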
If we're already performing vulnerability scanning, why should we perform a penetration test?
Since vulnerability scans leverage preconfigured pattern recognition, there are many aspects of a system that cannot be tested completely (or at all). Penetration testing provides coverage for serious security faults that scanners are incapable of testing, and will definitely improve the security posture of an organization.
Do you hire criminals? Aren't former "black hats" the best penetration testers?
No, and no. Hackers as penetration testers is a common myth. We don't hire criminals, and we don't believe that any reputable security firm should. In the security business, reputation is everything, and High Bit Security has invested years in building our reputation as a firm that can be trusted and relied upon by our clients and referral partners. There is no way we will put that at risk, no matter how talented a "reformed" criminal might be. Our clients trust us to secure the lifeblood of their business. We take that responsibility very seriously. Our security engineers are all US citizens, with certifications such as GWAPT, GPEN, CEH, and more, who have passed a multi-level background investigation. In addition to penetration testing and network experience, all are fluent in at least 3 programming languages. Because our standards are so rigorous, we also have an internship program, where qualified programmers, with the requisite experience and background, can "learn the ropes" assisting a security engineer, and eventually work up to their certifications.