What is Penetration Testing?

Penetration Testing explained by Aptive a UK Penetration Testing Company
with CREST & OSCP certified consultants

What is Penetration Testing?

Penetration testing, also known as pen testing, is an authorised attack simulation against an organisation's network or applications that identifies vulnerabilities and security issues.

Vulnerabilities discovered during penetration testing are exploited to confirm the severity of the issue, and compromised machines can be used to gain further access into an organisation, identifying the level of access potential attackers could obtain.

Penetration Testing Summary:

  • Authorised attack simulation
  • Identifies vulnerabilities
  • Identified vulnerabilities are exploited (safely)
  • Privilege escalation is performed
  • Advancement (pivoting) is used to assess the level of data an attacker could access
  • Discovered vulnerabilities are used together to exploit higher severity issues

Penetration testing is typically performed against a company's servers, web applications, external network infrastructure and mobile applications. The testing process is manual, with industry standard commercial and open source tools used to assist it. Once a vulnerability has been successfully exploited, a tester may use the machine as an entry point to access other machines within the network, gaining access to data that would normally be protected by firewalls or require higher privilege accounts. Penetration testing helps quantify the potential risk by identifying the level of data a potential attacker could access.

Penetration testing companies

Aptive, a UK Penetration Testing Company

Aptive is a passionate UK based penetration testing company, providing cost effective pen testing services. We help our clients improve security and remain compliant with regulatory standards such as ISO 27001 and PCI DSS.

We strive to meet the challenging report delivery turnaround demanded by our clients for regulatory and compliance requirements.

Why Perform a Penetration Test?

Often companies are unaware of existing vulnerabilities within applications or infrastructure that a potential attacker could successfully exploit, breaching a company's confidential data and damaging brand integrity. Penetration testing discovers and confirms that vulnerabilities exist and provides clear instructions allowing your company to fix the discovered security issues.

  • Compliance – Various regulatory compliance standards such as ISO 27001 and PCI DSS require a penetration test annually and after significant infrastructure changes
  • Identify Vulnerabilities – Regular testing identifies security issues and weaknesses within a company's applications and infrastructure
  • Cyber Security Risk Assessment – Understand the level of risk that currently exists for your company; testing identifies and prioritises security risks
  • Test Controls – Execute a real-world attack, testing your network security defences
  • Detect New Vulnerabilities – New security vulnerabilities are publicly disclosed every day; regular testing helps identify whether your company is vulnerable
  • Fix Security Holes – Our reports document clear fix instructions for discovered security issues and vulnerabilities

Cyber security testing performed by OSCP & CREST certified penetration testing consultants

Benefits of Penetration Testing

Vulnerability Management

Penetration testing provides a severity-ordered report documenting vulnerabilities that are proven to be exploitable, removing false positives from the equation and allowing your organisation to proactively identify which vulnerabilities are critical and which are less critical or false positives.

Avoid downtime and Breach costs

Network downtime caused by a data breach can cost up to £3 million, with the average breach costing £36,500. Pen testing helps your organisation identify exploitable vulnerabilities proactively, before they are exploited by a malicious attacker, allowing you to plan remediation intelligently and give priority to critical and high level findings.

Meet Regulatory and Compliance Standards

Performing a penetration test helps companies and organisations address the general auditing requirements of PCI DSS. Testing also helps address ISO 27001 requirements by establishing an organisation's exposure to vulnerabilities and providing measures to remediate discovered issues.

Preserve Brand, Corporate image & customer confidence

Data breaches, compromised accounts and exposed external data cost money and can negatively affect brand image and sales. Penetration testing helps identify and fix vulnerabilities that could be used to exfiltrate confidential, sensitive and personally identifiable information.

Why use Aptive

Certified Penetration Testers

Testing performed by OSCP certified and CREST registered testers.

Free Retesting

Free retesting on discovered security issues.

Proven Testing Methodology

Aptive performs security testing based on the OWASP testing methodology.

Easy to Understand Reports

Discovered security issues in severity order with remediation instructions.

Fixed Price Proposals

Transparent costs and fixed price proposals, giving you peace of mind.

Custom Penetration Testing

Custom Testing tailored to your business requirements.

Vulnerability Assessment & Penetration Testing, What’s the Difference?

What is a Vulnerability Assessment

Typically a vulnerability assessment is an automated scan that identifies vulnerabilities but does not exploit them; because of this limitation, a vulnerability assessment report often contains false positives. As the attack (exploitation) phase of testing is missing from a vulnerability assessment, privilege escalation, advancement (pivoting) and chaining vulnerabilities together are also absent.

Penetration testing verifies the existence of a vulnerability by safely performing exploitation; a vulnerability assessment detects the vulnerability but does not confirm whether it is exploitable. During a manual vulnerability assessment the consultant will gather as much evidence as possible to support the vulnerability discovery, but no attempt to exploit the vulnerability will be made.

As no targets are exploited, it's not possible to perform pivoting, data exfiltration or privilege escalation during a vulnerability assessment. Due to this limitation, assessing the impact of a breach and what data a potential attacker may gain access to is also not part of a vulnerability assessment.

What is Vulnerability Assessment and Penetration Testing (VAPT)?

Vulnerability Assessment and Penetration Testing (VAPT) combines both Vulnerability Assessment and Penetration Testing to provide the benefits from both types of vulnerability testing.

How Much Does Penetration Testing Cost?

A penetration test requires careful scoping in order to provide an accurate cost; however, we list our service costs for smaller, more common pen tests on our costs page. Our penetration testing services are performed using manual, industry-approved pen testing methodologies by experienced consultants who are both CREST and OSCP accredited.

How often should you perform a Penetration Test?

Testing should be performed on a regular basis to ensure newly discovered threats and vulnerabilities are identified and remediated before any potential attacker detects and exploits them in the wild. In addition to the regular security assessments demanded by regulatory and compliance standards, network security audits should also be completed:

  • After changes to network infrastructure
  • When external servers or applications are deployed (including cloud / external servers)
  • After significant upgrades or modifications to infrastructure or applications
  • At new office locations
  • After the company acquires other companies (including mergers)
  • After security patching, to ensure applications and infrastructure are no longer vulnerable
Penetration testing types and definitions:

  • Web Application Testing – A deep dive manual security assessment of a web application, identifying security issues and vulnerabilities.
  • Mobile Application Testing – A deep dive manual assessment of a mobile app. Testing is typically dynamic (conducted while the application is running); however, apps are also typically de-compiled and tested for reverse engineering.
  • Infrastructure (Network) Testing – A network penetration test performed against an organisation's infrastructure, identifying security issues and vulnerabilities within servers, firewalls, network hardware and desktops.
  • External Penetration Testing – A network penetration test conducted from outside of the organisation's network infrastructure; the most realistic simulation of a real-world attack, exposing security issues that could lead to a compromise or a breach.
  • Internal Penetration Testing – An internal assessment of an organisation's network infrastructure, simulating an insider attack.

There are two main types, application penetration testing and infrastructure (network) penetration testing; these are defined below.

What is Application Penetration Testing?

Application penetration testing is typically performed against mobile or web applications and is a deep dive against an application identifying security issues and vulnerabilities. For more information see web application penetration testing and mobile application penetration testing.

Types of Application Penetration Testing:

Aptive's service definitions are below and should help your company identify which security assessment service you require.

Infrastructure (Network) Penetration Testing

A network security audit against your organisation simulating a real-world attack. Testing is conducted either externally, testing your company's external defences against attack, or internally from within the network to simulate insider threats.

Why Perform Network Security Testing?

A network penetration test allows an organisation to test its network against attack in a controlled environment, carried out by a professional cyber security consultant, helping ensure data integrity and assisting your internal teams in understanding the identified security issues.

Network Pen Testing Summary

  • Focuses on network and infrastructure
  • Identifies issues within servers, firewalls, network hardware and desktops

Web Application Penetration Testing

Web application penetration testing is a point-in-time security assessment of a web application and web server. The web application assessment is a consultant-led, in-depth manual test that focuses on security issues within your web applications and provides clear fix instructions, allowing your team to resolve discovered security issues.

Web App Penetration Testing Overview:

  • Information Gathering
  • Web Server Configuration Security Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorisation Testing
  • Session Management Testing
  • Data Validation Testing
  • Error Handling
  • Weak Cryptography
  • Logic Flaw Testing
  • Client side testing

Mobile App Penetration Testing

A mobile app penetration test is a point-in-time security assessment of a mobile app and its web server. The mobile application assessment is a consultant-led manual test that exposes security issues within your mobile applications and provides clear fix instructions, allowing your team to resolve discovered security issues.

Mobile App Penetration Testing Overview:

  • Data Storage Testing
  • Cryptography Testing
  • Authentication Testing
  • Session Management Testing
  • Testing Network Communication
  • Testing Platform Interaction
  • Testing Code Quality & Build Settings
  • Error Handling
  • Tampering & Reverse Engineering
  • Testing Anti-Reverse Engineering Defences
  • Logic Flaw Testing
  • Client side testing

Internal and External Penetration Testing Definitions

External Penetration Testing

External penetration testing is a network penetration test conducted from outside of the organisation's network infrastructure. The network is assessed under the same set of conditions a real-world attacker would have, making it the most realistic simulation of a real-world attack and exposing security issues that could lead to a compromise or a breach.

Why Perform an External Penetration Test?

Identify security issues that are exposed to external attackers from the Internet, helping ensure data integrity and preventing unauthorised access.

External Pen Testing Summary

  • Conducted externally, from the Internet
  • Realistic simulation of a real-world attack
  • Penetration test assesses issues at the network / infrastructure level

Internal Penetration Testing

Internal penetration testing is an internal assessment of an organisation's network infrastructure, exposing security issues and vulnerabilities that are reachable from within the network.

Internal Pen Testing Summary:

  • Conducted internally, from within the corporate network
  • Realistic simulation of an insider attack
  • Penetration test assesses issues at the network / infrastructure level

Industry statistics and their sources:

  • Tested web apps found vulnerable – Trustwave's 2015 Global Security Report
  • Large companies reporting breaches – BIS 2015 Information Security Breaches Survey
  • Increase in successful cyber attacks – CYREN's 2015 Cyberthreat Yearbook Report
  • Tested mobile applications found vulnerable – Trustwave's 2015 Global Security Report

Grey, White & Black Box Pen Testing

What is black box pen testing?

Black box testing is conducted with no prior knowledge of the target network, system or application. It's useful for assessing what is possible under the same set of conditions a real-world attacker would have, making it the most realistic simulation of a real-world attack; the trade off is that the consultant running the assessment typically needs to spend longer at the information gathering and enumeration stage.

Black Box Testing Summary:

What is White Box Pen Testing?

White box testing is conducted with prior knowledge of the target and potentially client side access to the network, system or application. It's useful for assessing and verifying attack vectors quickly using source code and/or backend access to the target. It's the least realistic simulation of a real-world attack, as the consultant typically has more information than a normal attacker would have, allowing for faster discovery and verification. The trade off is that some issues raised may not be exploitable in the wild, due to the consultant having more knowledge; however, black box tests are often limited by the time the consultant has to conduct the assessment, making a white box or grey box test (see below) a more attractive option.

White Box Testing Summary:

What is Grey Box Pen Testing?

Grey box testing is conducted with "some" prior knowledge of the target, a middle ground between white and black box testing. You can give the consultant some knowledge to save time, but not as much access as a white box test would provide, to help the assessment remain realistic. A web app penetration test is a good example of a grey box assessment: accounts and some knowledge of the backend database might be provided, but access to the application's source code typically is not. It's a fairly realistic simulation of a real-world attack, as the information provided to the consultant could "generally" be obtained by an attacker with more time.

Grey Box Testing Summary:

White, Grey & Black Box Testing: Pros and Cons

The table below provides a summary of all the testing types:

  • Black box
      Summary: Assessed with no prior knowledge
      Pros: Most realistic attack simulation
      Cons: May take more testing time
  • White box
      Summary: Assessed with prior knowledge
      Pros: Saves time; more issues may be discovered
      Cons: Least realistic attack simulation
  • Grey box
      Summary: Assessed with "some" prior knowledge
      Pros: Maximises testing time while remaining fairly realistic
      Cons: Information provided could still make the test unrealistic

Penetration Testing Methodology Step-by-step

Below is an overview of Aptive's approach when performing a pen test; you can contact us for our detailed methodology document.

Discovery / Reconnaissance

Discovery takes place before any testing is conducted; the process involves collecting as much information about the company or application as possible. The information gathered at the discovery stage of testing is used to help identify weaknesses directly or to provide information that can help with later stages of testing. Typically all publicly available information is enumerated, such as:

  • WHOIS
  • Github
  • Pastebin
  • DNS
  • Web forums
  • Email addresses
  • Search engine recon

Network Mapping / Enumeration

In-scope addresses are manually enumerated for useful information such as services and versions.

Service Enumeration

As much information as possible is gathered / enumerated from each exposed service.

Vulnerability Assessment

After enumeration of the server(s) / network, a vulnerability assessment is completed, helping identify known public vulnerabilities. This process helps identify information that can be manually assessed in the next step.

Password Testing

Depending on client requirements, discovered forms or password hashes are tested using the latest password recovery techniques, helping identify whether current password policies are sufficient.

Vulnerability Research

Services revealed at the enumeration and vulnerability assessment stages are researched for public exploits and/or known exploit methods.

Manual Penetration Testing

Discovered services are manually and safely tested or exploited to confirm whether they are vulnerable.

Exfiltration

Successfully compromised machines are locally enumerated for valuable data and, if possible (scope permitting), user privileges are escalated to admin / root. Screenshots of the account privilege level or discovered data are taken as evidence.

Pivoting

Compromised machines are used to route traffic, allowing the pen testing consultant to access the internal network or other machines / network subnets. This demonstrates the risk of a potential breach and how far an attacker may get within the target company's network.

Reporting

All discovered security findings are documented in a severity-ordered report with clear, concise remediation instructions and their associated risk and impact.

Retesting

All our security testing services come with free retesting on reported findings.


  1. Scoping

    Working with you to identify all systems / applications that need testing.

  2. Testing

    Security testing is completed by our CREST accredited team, following our internal testing methodology.

  3. Reporting

    Delivering a clear, easy to understand, severity-ordered report, detailing identified issues and providing clear and concise remediation steps.

  4. Debrief

    Further explanation and demonstrations of vulnerabilities / exploits.

  5. Retesting

    Security issues identified within the report are retested for free.
