Penetration Testing, Frequently Asked Questions
What is a penetration test?
- A penetration test is an interactive security test undertaken to identify security vulnerabilities that are actually exploitable.
- A penetration test is different from a vulnerability scan. A vulnerability scan is automated and performed entirely by software. A penetration test is conducted by trained, qualified professionals, and uses human interaction and human ingenuity to discover flaws that automated tools often miss.
- Penetration testing is conducted from two primary viewpoints: external and internal. An external viewpoint is in the public IP address space. A test of the server hosting this page, from where you are, would be from an external viewpoint. An internal viewpoint requires testing from inside an organization's private network.
- There are many types of penetration tests, including network penetration tests and host configuration tests, web application penetration tests, wireless network penetration tests, client-server application penetration tests, mobile device penetration tests, and social engineering, to name a few.
- All penetration testing performed by High Bit Security is done by certified information security professionals.
More Information on Penetration Testing:
We received a Penetration Test proposal that was quoted significantly higher or lower than other proposals we received - why is that?
The most costly component of any true penetration testing engagement is the experienced personnel and the time they spend performing manual penetration testing. High Bit Security uses an experienced, certified, US based penetration testing team for every engagement. Our single focus on penetration testing means our processes may be more cost effective than others, allowing us to provide high quality as well as reasonable pricing for our customers.
Currently, there is no recognized "standard" for penetration testing, and the quality varies dramatically. Some vendors use only automated scans and sell it as a penetration test. Others offer an automated scan with a manual review of the scan results and call it a penetration test. Some vendors outsource the work to low cost offshore resources, where background checks and certifications are often unreliable.
On the last point, we are not without experience. We have tried offshore resources in the past, in limited apprentice-type roles. After all, if the work quality is acceptable and our customers are well served, it makes sense. Of the five fully certified penetration testers we have tried, not one has demonstrated the skills necessary to even qualify as an apprentice on our team. Skills have been so low that it has led us to suspect the veracity of the certifications we were presented. We will not mention the countries or certifications, nor will we make any definitive assertions on the subject, but we will say this: we do not use any offshore resources.
If your goal is to satisfy a compliance mandate, low quality or automated testing can be rejected by auditors and lead to numerous and expensive rounds of repeat testing. If your goal is to satisfy a requirement for a client or potential client, the client may want details about the quality of testing, and may legitimately reject low quality or automated methods. Finally, if your purpose in testing is to secure your organization, these superficial methods of testing are often only marginally better than the vulnerability scans you are probably performing yourself, and can lead to an unjustified confidence in the security of your systems.
If you are pursuing penetration testing to satisfy compliance mandates, High Bit Security will ensure that the testing meets compliance requirements. We have specific testing methods and reporting designed for different compliance mandates. For your potential or existing clients, we are happy to share our testing methods with your client before you engage with us, and after your engagement and remediation testing we can provide public facing reports that document correction of all faults without sensitive details regarding those faults. If your purpose is improvement of your organizational security footing, we provide testing that thoroughly covers network, systems and applications, with significant manual effort and detailed reporting.
If our prices were not reasonable and our methods were not thorough, there would be little or no benefit from publishing either, yet we have been doing so for years. We are not the lowest cost provider of penetration testing, but penetration testing is all we do, we know how to do it well and we are delivering comprehensive, thorough results at quite reasonable prices.
Why contract for a penetration test?
- Every day, valuable data is being stolen, copied and sold without the knowledge of the rightful owners.
- Most organizations are unaware of how vulnerable they are to this theft.
- Unlike a physical break-in, data theft may go undetected for months, even years.
- The best way to protect data is to identify and close the holes and vulnerabilities that exist in the system before they are discovered and exploited.
When do you need a penetration test?
- Prior to contracting for breach insurance
- When you notice viruses, malware or spyware on workstations
- After implementing significant changes in your website or network
- When unauthorized traffic is noticed on the network
- For a security audit under HIPAA or PCI-DSS
- After installing new software or other upgrades
- Prior to submission of an application for breach insurance
- If you store valuable data and have never had one
My Data is stored in the cloud. Why do I need a Penetration test?
- Software, particularly custom software, is almost always filled with security holes and vulnerabilities. Your cloud provider has no control over your software.
- Your corporate environment devices (all-in-one printers, wireless servers, laptops, workstations, modems) are vulnerable, and testing is crucial for this environment.
What types of systems have you performed penetration testing on?
We have tested the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, all major web servers, all major operating systems, all major browsers); wireless systems; internal workstations, printers and fax machines; war dialing of phone numbers; virtual environments including cloud; internet enabled devices; and more. We have tested law enforcement systems, state and municipal government systems, and private sector systems ranging from online gaming to financial institutions.
What certifications do you have to perform penetration testing?
All of our penetration testing engineers hold industry recognized certifications, such as GSEC, GWAPT, GPEN or CEH. In addition, we also ensure that all of our penetration testers have strong web development backgrounds (often coupled with additional coding backgrounds), as well as networking experience. Our penetration testers are US citizens, and undergo a thorough background check.
We're already performing vulnerability scanning, why should we perform a penetration test?
Vulnerability scans leverage preconfigured pattern recognition, so there are many aspects of a system that will not be scanned completely. Some will not be scanned at all. Penetration testing provides coverage for a large number and variety of serious security faults that scanners are incapable of finding and testing.
How much experience do you have performing penetration testing?
Our engineers have thousands of hours of penetration testing experience, and decades of security background.
Can a penetration test break my system?
Our penetration testing methodology is specifically designed to mitigate data loss, downtime and risks to our customers. In cases where exploiting a vulnerability carries a risk to the system, we will document the vulnerability, and report it to the client, but will not pursue the exploit unless our customer asks us to do so.
What is an example of a large pen test engagement you've performed?
We have performed single engagements for clients covering more than 4000 IP addresses and thousands of web pages covering many different systems.
How long does it take to perform a penetration test?
The length of the penetration testing engagement depends on the type of testing, the type and number of systems, and any engagement constraints. Typical engagements have an average testing time of 1-3 weeks.
How do I schedule a penetration test?
Once the contract is signed and returned to High Bit Security, we will immediately schedule the engagement. Scheduling is typically 4-8 weeks out, so we recommend our customers get their signed contracts in to secure their slot on the schedule.
Why do you request all of the details for the engagement, such as IP addresses, URLs, user credentials - shouldn't you be able to figure all of the information out for yourself, and hack into the systems without credentials?
We are fully capable of testing network, system and application security with minimal information, should our clients desire to incur the additional expense and risk. There are, however, real problems with that approach. It increases costs while decreasing effectiveness, and leaves the hackers with significant advantages. This is because legitimate security firms are ethically and legally constrained: we simply can't do some of the things that hackers would do, like attacking one of your corporate partners and then attacking you from the trusted system, or hacking one of your users' social networking accounts to see if they use the same password for your application. By asking for complete information, we keep your costs down, ensure thorough coverage and eliminate the hacker advantage by devising legally acceptable tests that ensure you are not at risk. The choice of methodology is yours, but we normally recommend this approach because it has the best return on investment for most of our clients.
What makes High Bit Security better at penetration testing than your competition?
The goal of our business process and testing methodology is Return On Security Investment. We provide high quality information security services, guide our customers through the entire process, deliver deep and actionable results, and deliver reports that are easily understood by both management and technical staff.
Initial Communication. You will notice the difference very early in the process. While many of our competitors are engaged in price support activity, asking you to attend WebEx sessions or sending you 20 page marketing slicks, we will ask you for a 30 minute initial scope call. We will identify your needs, ask pertinent questions, and answer your questions. We will not waste your time.
Efficiency Continues. The 30 minute scoping call provides all the information we need, allowing us to facilitate tight deadlines, quickly delivering the proposal. Contract approval secures your place on the schedule. We'll start and conclude testing during the agreed upon timeframe, and will deliver reports within 3 days of window completion.
Reports. The level of clarity and detail provided in our reports enables our clients to begin remediation immediately, and our team is always available to answer any questions. The reports include what we found, where we found it (with specific examples and screenshots as appropriate), issue summaries and specific details on how to correct the issue. In pertinent cases we provide sample files or scripts to make it easy for developers and administrators to replicate the issue themselves. All of our security engineers have coding backgrounds, enabling us to explain complex coding issues to your developers. Your internal resources will have precisely what they need to quickly deploy corrections.
Remediation Assistance. We will assist you in the correction of any faults. When you advise us the issues are corrected, we will validate that the vulnerabilities are closed.
Our People. This may come as a surprise, but a security certification does not attest to programming knowledge. Most certified industry security professionals have a background in networking, but few have a solid background in production level programming. All High Bit Security penetration testers have a production programming background in at least two development languages. All of our penetration testers have solid, real life production development backgrounds, not just a couple of college semesters or theoretical knowledge. Why is this important?
It's hard to test what you don't understand. Almost all information security faults that are not related to configuration or simple logical faults originate in programming code. Penetration testers who are not expert coders are forced to rely on tools to identify and test these faults. In contrast, our penetration testers are capable of hand crafting exploits in several programming languages. They can - and do - make their own tools for custom exploits as needed.
It's hard to find what you don't recognize. It is much easier for our penetration testers to find application faults because they have extensive application development backgrounds. They know the shortcuts, pitfalls and pressures that development teams encounter. Our penetration testers will make intuitive leaps because they are able to "get inside the head" of a developer whom they have never met. It is almost impossible to do that if you have never been a developer.
It's hard to communicate what you don't know. Interpreting a report written by a penetration tester with insufficient development background is frustrating, particularly when issues require explanation. Our reports contain executive summaries, and also include detailed finding reports that focus on the technical details written in a language that your system administrators and developers understand. If you need additional guidance, our penetration testers are always available by phone. You can be certain that a security engineer with a networking and development background can effectively communicate with your technical staff.
We are client focused and committed to the highest Return on your Security Investment. Throughout our process, you will be confident that your security is being handled by the best. You will discover that our team is easy to talk to, easy to understand, efficient and have a wealth of experience in all the right areas. High Bit Security - we look forward to securing your business.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is performed by a pre-configured computer program that evaluates your network and applications for vulnerabilities, and produces a report. This report will contain false positives and require interpretation. Vulnerability scanners are good at finding known vulnerabilities but are not very good at identifying logical faults, and often fail to find serious security flaws in custom coded applications. Vulnerability scanning is included with all penetration tests from High Bit Security, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers. The High Bit Security team advises our clients of what we found, where we found it and specifics surrounding how to fix it. Ultimately, the difference between a vulnerability scan and a full penetration test is that security engineers think, analyze, track, follow up and judge, and scanners do not. Reliance on scans alone will almost certainly lead to an insecure posture.
Typically, a vulnerability scan will identify and report some issues as low severity which are correctly identified as high or critical when a security engineer examines them in context. For example, recently a scanner reported an email address exposure as "informational". Our security engineer identified a brute force weakness in a web application, determined that the email address was the account name of the network administrator, and ultimately brute forced the password. This issue was reported on the penetration test as a high vulnerability because of its combination with the brute force vulnerability.
A vulnerability scanner is only as good as the configuration. If a scanner is not configured to find a vulnerability, it will not be found. An experienced security engineer, using the context of the system, has the ability to change direction based upon what is uncovered, following leads and problems as they emerge. Example: A recent law enforcement client had a perimeter router that had the lowest access level enabled by default. The scan reported this as a low issue. Our security engineer made an immediate decision to focus efforts there, found additional weaknesses and generated a previously unknown attack. We were able to elevate privileges to the highest level and take control of the perimeter router.
Vulnerability scanners are automated and thus are inherently more dangerous to system stability than manual penetration testing. To compensate, scanners are often configured to run only "safe checks". As a result, scanners miss key elements that should be tested. A knowledgeable security engineer is able to devise safer yet more thorough testing strategies, and find issues that automated scanners often skip for the sake of safety. Example: In a recent penetration test, the scanner had been configured to perform safe checks for buffer overruns and reported an issue as informational. The security engineer performed manual testing of buffer overruns on the customer's Oracle database and discovered that this vulnerability would ultimately lead to a complete system compromise. Clearly, this qualified as a high or critical vulnerability, not an "informational" one.
Since vulnerability scanners are only interrogating one issue at a time, they cannot see the complete picture. Security engineers, using experience, judgment, reasoning, and skill, are able to correlate seemingly disparate issues. Example: Our client was using a captcha device as added protection on their website login form. This was implemented to bolster a weak password policy, to prevent brute force attacks. However, they were passing the captcha values in a hidden form field. The scanner looked at the form, and the code behind it, and passed the issue because captcha devices are designed to defeat automated tools. The scanner could not correlate the hidden value with the captcha image because it couldn't read the image. The security engineer immediately recognized the "hidden" captcha code, and used this weakness to craft an attack that bypassed the captcha device and ultimately brute forced several accounts.
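The hidden-field CAPTCHA fault above, as an added example that is not High Bit Security's code: a form that ships the expected answer to the client beside a handler that keeps the answer in a server-side session and hands the client only an opaque, single-use challenge id, plus a review check a defender can run over rendered form HTML. All names are hypothetical and the form markup is constructed inline.

```python
"""Added example: CAPTCHA answer exposed in a hidden field vs. server-side validation."""
import hmac
import re
import secrets

# --- Weak pattern the page describes: the expected answer travels inside the form.
def render_weak_form(answer: str) -> str:
    # Anyone who can read the HTML can read the answer; the image is irrelevant.
    return (
        '<form method="post"><img src="/captcha.png">'
        f'<input type="hidden" name="captcha_expected" value="{answer}">'
        '<input name="captcha" type="text"></form>'
    )

def check_weak(form_data: dict) -> bool:
    # Compares two client-supplied values, so the client controls the outcome.
    return form_data.get("captcha") == form_data.get("captcha_expected")

# --- Hardened pattern: the answer never leaves the server.
class Session:
    """Stand-in for server-side session storage keyed by session id (hypothetical)."""
    def __init__(self):
        self.store = {}

def render_hardened_form(session: Session, sid: str, answer: str) -> str:
    # Keep the answer server-side; the client only gets an opaque challenge id.
    challenge_id = secrets.token_urlsafe(16)
    session.store[sid] = {"challenge_id": challenge_id, "answer": answer, "used": False}
    return (
        f'<form method="post"><img src="/captcha.png?c={challenge_id}">'
        f'<input type="hidden" name="challenge_id" value="{challenge_id}">'
        '<input name="captcha" type="text"></form>'
    )

def check_hardened(session: Session, sid: str, form_data: dict) -> bool:
    entry = session.store.get(sid)
    if entry is None or entry["used"]:
        return False
    entry["used"] = True  # single use: a solved or failed challenge cannot be replayed
    submitted_id = str(form_data.get("challenge_id", "")).encode()
    submitted_answer = str(form_data.get("captcha", "")).encode()
    if not hmac.compare_digest(entry["challenge_id"].encode(), submitted_id):
        return False
    return hmac.compare_digest(entry["answer"].encode(), submitted_answer)

# --- Defender-side review check: does any hidden field carry the CAPTCHA answer?
def hidden_field_leaks_answer(html: str, answer: str) -> bool:
    hidden_values = re.findall(r'type="hidden"[^>]*value="([^"]*)"', html)
    return answer in hidden_values
```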
Vulnerability scanners cannot find logical faults that involve separate processes. A security engineer has no difficulty correlating information across multiple processes. Example: We often encounter integrated email or text message responses, which our security engineers examine as part of their testing. A scanner cannot even see these important processes, and therefore cannot test them.
Vulnerability scanners have no understanding of business logic. The security engineer does, and will interpret results within the context of the business logic. Example: A customer used numbers in a URL parameter, and a vulnerability scan passed this issue because automated manipulation of the values did not result in any indication of access control faults. Our security engineer understood the business logic and correctly identified a serious access control fault that allowed anyone to view confidential account details of others.
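The numeric-parameter access control fault above, as an added example that is not High Bit Security's code: a handler that returns whatever account id the URL names, beside a hardened handler that enforces ownership, and an authorization audit a defender can run that knows which user owns which record (the business-logic knowledge a scanner lacks). Handlers, request shape and account data are all hypothetical and constructed inline.

```python
"""Added example: insecure direct object reference via a numeric URL parameter."""
from dataclasses import dataclass

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": "1,250.00"},
    1002: {"owner": "bob", "balance": "980.00"},
}

@dataclass
class Request:
    user: str      # authenticated user, taken from the session
    params: dict   # query-string parameters, e.g. ?account=1001

class Forbidden(Exception):
    pass

def account_view_vulnerable(req: Request) -> dict:
    """Looks up whatever id the URL carries: any logged-in user can read any account.
    A 200 with plausible data looks normal to a scanner, which cannot know who owns 1001."""
    account_id = int(req.params["account"])
    return ACCOUNTS[account_id]

def account_view_hardened(req: Request) -> dict:
    """Object-level authorization: the record must belong to the requesting user."""
    account_id = int(req.params["account"])
    record = ACCOUNTS.get(account_id)
    # Same outcome for "not found" and "not yours", so ids cannot be enumerated.
    if record is None or record["owner"] != req.user:
        raise Forbidden(f"account {account_id} is not accessible to {req.user}")
    return record

def cross_account_audit(handler) -> list:
    """Authorization test a defender can run: every known user requests every account.
    Returns (user, account_id) pairs where a record not owned by that user came back."""
    leaks = []
    users = sorted({rec["owner"] for rec in ACCOUNTS.values()})
    for user in users:
        for account_id in ACCOUNTS:
            try:
                got = handler(Request(user=user, params={"account": str(account_id)}))
            except Forbidden:
                continue
            if got["owner"] != user:
                leaks.append((user, account_id))
    return leaks
```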
If we're already performing vulnerability scanning, why should we perform a penetration test?
Since vulnerability scans leverage preconfigured pattern recognition, there are many aspects of a system that cannot be tested completely (or at all). Penetration testing provides coverage for serious security faults that scanners are incapable of testing, and will definitely improve the security posture of an organization.
Do you hire criminals? Aren't former "black hats" the best penetration testers?
No, and no. That hackers make the best penetration testers is a common myth. We don't hire criminals, and we don't believe that any reputable security firm should. In the security business, reputation is everything, and High Bit Security has invested years in building our reputation as a firm that can be trusted and relied upon by our clients and referral partners. There is no way we will put that at risk, no matter how talented a "reformed" criminal might be. Our clients trust us to secure the lifeblood of their business. We take that responsibility very seriously. Our security engineers are all US citizens, with certifications such as GWAPT, GPEN, CEH, and more, who have passed a multi-level background investigation. In addition to penetration testing and network experience, all are fluent in at least 3 programming languages. Because our standards are so rigorous, we also have an internship program, where qualified programmers with the requisite experience and background can "learn the ropes" assisting a security engineer, and eventually work up to their certifications.