Choosing the right penetration testing provider can be critical to the success of a security program.
Imagine spending thousands of dollars and weeks of time on a PCI penetration test, only to find out come audit time that the test does not meet PCI requirements. This compliance failure can mean monetary penalties, lost time dealing with remediation, and even higher liability burdens.
Imagine you get breached through a vulnerability you knew about. A penetration test provider had identified the flaw, but the report was overly technical, so your executive leadership did not understand the underlying risk. Your job and reputation are suddenly on the line.
With TRUE's Boardroom-Ready and Audit-Ready Penetration Tests, you can sleep easy knowing your penetration test will stand up to an audit and executive leadership will understand the importance of taking action on the findings.
Say goodbye to penetration test providers who don't understand your compliance requirements and aren't invested in your long-term success.
With TRUE's free Penetration Test Buyer's Guide, you can easily weed out the pretenders from the providers who truly understand your challenges and are ready to partner with you.
Step 1. Does the penetration test provider understand your compliance requirements (e.g. PCI, HIPAA, FFIEC, NERC CIP, DFARS, FISMA, SOC2, etc.)?
Step 2. Can the penetration test provider deliver a boardroom-ready report?
Step 3. Does the penetration test provider include remediation validation?
Penetration Test Attack Targets
Test your network from the inside and outside. What does your network look like to an attacker on the Internet? Are the publicly accessible services you offer vulnerable? An external network penetration test will help you identify these weaknesses. What happens when (not if) an attacker gains a foothold inside your network through a compromised workstation or rogue device? Are your internal defenses sufficient to protect your valuable assets? An internal network penetration test will help you answer these questions.
For companies with a significant software-as-a-service (SaaS) product or a critical mobile application, an exploitable vulnerability in one of these platforms can mean a significant impact to the business. TRUE tests web and mobile applications from a variety of user roles including the unauthorized attacker, standard user accounts, and semi-privileged accounts. Can a user from Company A access the data from Company B? Can a non-privileged user access privileged functionality? Are there ways to bypass authentication entirely? TRUE answers these questions for companies and validates the logical security controls that are baked into these apps. TRUE can also perform source code analysis to ensure a more complete coverage of the application.
People are notoriously weak links in cyber security. On average we see a 13% click-through rate in our targeted email phishing campaigns where TRUE crafts a custom phishing email and landing page that appears to be legitimate. It is up to your users to identify the scam and stop short of providing their credentials or compromising their system. TRUE offers a full suite of social engineering campaigns from phishing to vishing (telephone equivalent of email phishing), and physical assessments where we attempt to obtain unauthorized access to a secure area. Our success rates are even higher with vishing and physical social engineering. When is the last time you tested the effectiveness of your security awareness campaigns?
External Versus Internal Network Penetration Testing
What to Test on the External Network? External network penetration testing simulates attacks from the perspective of an Internet attacker. We recommend that an organization include its entire public IP address space in the scope. Using this information, the penetration tester can perform a discovery scan to identify all active systems connected to the Internet, even ones you may not be aware of. We often see significant risks related to systems that the organization did not know were active on the Internet.
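The value of scoping the whole public address space comes from the reconciliation step afterwards: comparing what the discovery scan found active against what the organization believed was live. The following is an added illustration of that reconciliation, not code from TRUE or from the page. The declared ranges, the asset inventory and the "address port service" discovery lines are all constructed sample data; a real engagement would feed in the scanner's own output.

```python
"""Reconcile external discovery results against declared scope and inventory.
Added example with constructed data; not TRUE's tooling."""
import ipaddress

# Constructed: public ranges the organization declared in scope.
DECLARED_SCOPE = ["203.0.113.0/24", "198.51.100.0/26"]

# Constructed: the asset inventory, i.e. what the organization believes is live.
INVENTORY = {
    "203.0.113.10": "www",
    "203.0.113.25": "mail",
    "198.51.100.5": "vpn",
}

# Constructed discovery results, one "address port service" line per open
# service, the shape a scanner's grepable output is usually reduced to.
DISCOVERY = """\
203.0.113.10 443 https
203.0.113.25 25 smtp
203.0.113.77 3389 ms-wbt-server
198.51.100.5 443 https
198.51.100.40 21 ftp
192.0.2.9 80 http
"""


def parse_discovery(text):
    """Yield (ip, port, service) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an IP address at all; ignore the line
        yield ip, int(parts[1]), parts[2]


def reconcile(scope_cidrs, inventory, discovery_text):
    """Split live hosts into two findings lists.

    unknown_live: responded inside the declared ranges but nobody had them in
                  inventory (the systems "you may not be aware of").
    out_of_scope: responded but sit outside the declared ranges, a sign the
                  scope itself was incomplete (e.g. found via DNS records).
    """
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    known = {ipaddress.ip_address(a) for a in inventory}
    unknown_live = {}
    out_of_scope = {}
    for ip, port, svc in parse_discovery(discovery_text):
        if not any(ip in net for net in nets):
            out_of_scope.setdefault(str(ip), []).append((port, svc))
        elif ip not in known:
            unknown_live.setdefault(str(ip), []).append((port, svc))
    return unknown_live, out_of_scope


if __name__ == "__main__":
    unknown, outside = reconcile(DECLARED_SCOPE, INVENTORY, DISCOVERY)
    for host, services in unknown.items():
        print(f"not in inventory: {host} {services}")
    for host, services in outside.items():
        print(f"outside declared scope: {host} {services}")
```

Anything in the first list is exactly the class of risk the paragraph describes: a live, reachable system that the organization was not tracking, and therefore probably not patching either. Anything in the second list is a reason to go back and widen the scope before the test proceeds.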
Should I Also Test the Internal Network? If you are only pen testing your external network, you are not getting a complete picture of risk. Many breaches begin with a compromised workstation, a rogue network device, or an infected USB drive. These threat vectors completely bypass your external firewall, so you need to be testing from within your internal network. Internal network penetration testing helps you answer the question, “So what could an attacker do with internal network access?” Networks are often just like M&Ms; once you get past the hard candy shell, they are soft and gooey on the inside. In two recent penetration tests we found an insecure printer on the internal network that gave us domain administrator access to a network. How would you identify this risk if you only test your Internet perimeter? Security is all about layered defense. Yes, we need a hardened perimeter, but once inside it should be difficult for an attacker to escalate privileges and move around the network. A penetration test should be used to help harden the internal network.
Authenticated Versus Unauthenticated Penetration Testing
Most penetration tests are conducted from an unauthenticated perspective. The scenario being tested is, “Don’t give me any access, and I’ll see if I can break into your network or application.” What this scenario fails to recognize is that authenticated users often present a significant threat to your organization.
Consider the user who falls for a phishing scam and tells the bad guy their credentials. Consider the user who clicks on a malicious link and malware is able to execute with the privilege of the victim user. Consider a malicious insider who uses their account to attempt to gain unauthorized access to data.
Organizations should evaluate the risk that authenticated users pose. They should be able to answer the question, “What could happen if a malicious individual is able to gain access to a valid account?”
Penetration testing can be conducted from both an authenticated and an unauthenticated perspective. Typically, unauthenticated testing will be conducted first, followed by authenticated testing. Testing from both perspectives will give your organization a more complete picture of its vulnerability to attack.
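The role-based application testing described earlier (unauthorized attacker, standard user, semi-privileged account; can Company A see Company B's data, can a non-privileged user reach privileged functions) and the unauthenticated-then-authenticated sequence described here amount to the same thing: a matrix of perspectives with an expected outcome for each. The following is an added illustration of such a matrix, not code from TRUE or from the page. The tenants, users, records and the two request handlers are constructed; the "vulnerable" handler is written to exhibit the cross-tenant and privilege failures the text asks about, and the "hardened" handler is the control a correct application would enforce.

```python
"""Authorization test matrix across unauthenticated and authenticated perspectives.
Added example with constructed data; not TRUE's methodology or tooling."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    tenant: str   # the company the account belongs to
    role: str     # "user" or "admin"


@dataclass
class Record:
    record_id: int
    tenant: str
    body: str


# Constructed sample data: two tenants, one record each, one admin account.
USERS = {
    "alice@a": User("alice@a", "CompanyA", "user"),
    "bob@b": User("bob@b", "CompanyB", "user"),
    "ops@a": User("ops@a", "CompanyA", "admin"),
}
RECORDS = {
    1: Record(1, "CompanyA", "Company A invoice"),
    2: Record(2, "CompanyB", "Company B invoice"),
}
PRIVILEGED_ACTIONS = {"export_all"}


def vulnerable_handler(session, action, record_id):
    """Returns an HTTP-style status. Trusts the record id alone and exposes
    the privileged action to any caller, authenticated or not."""
    if action == "read":
        return 200 if record_id in RECORDS else 404
    if action in PRIVILEGED_ACTIONS:
        return 200
    return 400


def hardened_handler(session, action, record_id):
    """Same interface, with session, tenant and role checks enforced."""
    user = USERS.get(session)
    if user is None:
        return 401  # every action requires a valid session
    if action == "read":
        rec = RECORDS.get(record_id)
        if rec is None or rec.tenant != user.tenant:
            return 404  # do not even confirm another tenant's record exists
        return 200
    if action in PRIVILEGED_ACTIONS:
        return 200 if user.role == "admin" else 403
    return 400


# The matrix: (case, session, action, record_id, expected status).
# Unauthenticated cases first, then the authenticated perspectives.
MATRIX = [
    ("unauthenticated reads tenant data",     None,      "read",       1,    401),
    ("unauthenticated privileged function",   None,      "export_all", None, 401),
    ("Company A user reads own record",       "alice@a", "read",       1,    200),
    ("Company A user reads Company B record", "alice@a", "read",       2,    404),
    ("standard user privileged function",     "bob@b",   "export_all", None, 403),
    ("admin privileged function",             "ops@a",   "export_all", None, 200),
]


def run_matrix(handler):
    """Return findings: every case where the application answered differently
    from what the access-control design says it should."""
    findings = []
    for name, session, action, rid, expected in MATRIX:
        actual = handler(session, action, rid)
        if actual != expected:
            findings.append(f"{name}: expected {expected}, got {actual}")
    return findings


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_handler),
                           ("hardened", hardened_handler)):
        print(f"{label}: {len(run_matrix(handler))} finding(s)")
        for f in run_matrix(handler):
            print("  " + f)
```

Run against the vulnerable handler, the matrix produces four findings (both unauthenticated cases, the cross-tenant read and the standard user reaching the privileged function); against the hardened handler it produces none. The same matrix, kept with the application, is also what remediation validation later re-runs to confirm a fix held.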
How Often to Conduct a Penetration Test
A penetration test report represents the state of security at a given point in time. Networks and applications are constantly changing. New vulnerabilities are discovered every day, and the threat landscape changes rapidly. By the time you receive your penetration test report, it could already be out of date. There is no one-size-fits-all answer to how often a penetration test should be conducted, but you should plan for periodic penetration testing.
Organizations should assess their unique environment and their risk tolerance to determine pen testing frequency. An organization with a high rate of change in its network and applications should conduct more frequent penetration tests than an organization with a mostly static network. An organization with strong centralized system configurations can generally conduct penetration tests less frequently than an organization that lacks centralized control. An organization that is a higher-profile target should test its networks more often.
The PCI DSS requires penetration testing annually and upon significant change. Even for organizations that are not bound to the PCI DSS, we often see penetration testing performed at least on an annual basis.
Want our free Penetration Test Buyer's Guide?
Download our free Penetration Test Buyer's Guide to make sure you check all the boxes on your next penetration test.