Penetration testing is one of the most reliable ways to find out whether your organization's data is actually protected: it hunts for the overlooked vulnerabilities and forgotten loopholes that would let an outside threat reach that data.
Let's break down what steps are involved in penetration testing, how much testing can cost, and why your business should work with a cybersecurity firm to complete the process.
This blog is an excerpt of a recent webinar.
What is Penetration Testing?
Penetration testing is a simulated cyber attack against your network that determines if your network can be compromised by outside threats.
You need to know about the vulnerabilities in your systems. If cybercriminals were to attack you, would they be successful? How would they gain access? Which systems would they go after, and what type of attack would work best?
A Reconnaissance Exercise
Think of a penetration test as a form of reconnaissance on your own devices. It will help you determine more about your organization. Since this should simulate a real-world situation, your penetration testing team may do some research to find the weakest point in your network.
Consider your industry. If you're in the healthcare space, for example, a pen tester might look for a way to get the PHI and PII you hold. Maybe you're handling transactions every day. This is valuable data that a real cyberattacker would target!
Before an attack even begins, your pen tester is going to do some research across the web. Think about what information your company shares. Do you have a company story on your website with details about your industry? What about social media? Does your business share things on LinkedIn? Attackers are going to be looking for any details they can find about your C-suite and other important players at your company.
After some recon, you can expect the pen testers to go very slowly. In the real world, an attacker could take days moving slowly through your system to avoid setting off any alarm bells. A good penetration test will simulate that.
For the most realistic result, your in-house security team should not be told in advance that the test is happening (the exception is when you deliberately involve the SOC, as described under gray box testing below). That gives you a real measurement of how quickly they spot the activity and how well they respond.
A Scan and Analysis of Findings
Analysis of pen test results can help you save time and money by narrowing your focus to your vulnerable systems. You can learn what types of attacks you'd be vulnerable to in the real world.
A cybercriminal who finds that you're running Microsoft SQL Server will attack Microsoft SQL Server. If some of your endpoints run an outdated operating system, or a Linux build your patching process doesn't cover, a scan reveals exactly that. These are valuable pieces of information, both for you and for would-be attackers.
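To make the "scan and analysis" step concrete, here is an added example (not code from the original article or from Ntiva) that parses a constructed nmap grepable-format scan and reduces it to the findings a tester would lead with: exposed high-value services such as SQL Server and RDP, and banners for software past end of support. The hosts, version banners, and the two small rule tables are assumptions for illustration; a real tool would use a maintained end-of-life database rather than a hard-coded list.

```python
"""Triage a service scan the way a pen tester (or an attacker) would.

Added example, not from the original article or Ntiva's tooling. The scan
is a constructed sample in nmap's grepable (-oG) format; the hosts,
banners and rule tables are illustrative assumptions, not real findings.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample scan (nmap -oG style). Nothing here is a real host.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, not a real run)
Host: 10.0.10.5 ()\tStatus: Up
Host: 10.0.10.5 ()\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2008 R2 10.50.1600/
Host: 10.0.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.7 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.57/
Host: 10.0.10.9 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 10.0.10.12 ()\tPorts: 443/open/tcp//https//nginx 1.24.0/, 8080/filtered/tcp//http-proxy///
"""

# Services an external attacker goes straight for when reachable (illustrative subset).
HIGH_VALUE_PORTS = {1433: "Microsoft SQL Server", 3389: "Remote Desktop (RDP)", 445: "SMB file sharing"}

# Banner substrings for products past Microsoft's end of extended support
# (illustrative subset; use a maintained EOL database in real tooling).
END_OF_LIFE = {
    "SQL Server 2008": "extended support ended July 2019",
    "Windows Server 2008": "extended support ended January 2020",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str  # "high" or "medium"
    reason: str


def parse_grepable(text: str) -> list[Service]:
    """Parse nmap -oG 'Host:' lines into Service records (closed ports dropped)."""
    services: list[Service] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blanks
        ip, _hostname, rest = m.groups()
        if not rest.startswith("Ports:"):
            continue  # "Status: Up" lines carry no port data
        for entry in rest[len("Ports:"):].strip().split(", "):
            # -oG field order: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            if state == "closed":
                continue
            services.append(Service(ip, int(port), proto, state, name, version))
    return services


def triage(services: list[Service]) -> list[Finding]:
    """Reduce raw scan results to the short list a report should lead with."""
    findings: list[Finding] = []
    for s in services:
        if s.state != "open":
            continue  # a filtered port is not an attack path yet
        for needle, note in END_OF_LIFE.items():
            if needle in s.version:
                findings.append(Finding(s.host, s.port, "high",
                                        f"end-of-life software: {s.version} ({note})"))
        if s.port in HIGH_VALUE_PORTS:
            findings.append(Finding(s.host, s.port, "medium",
                                    f"{HIGH_VALUE_PORTS[s.port]} reachable from the scan source"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.host, f.port))


if __name__ == "__main__":
    for f in triage(parse_grepable(SAMPLE_SCAN)):
        print(f"[{f.severity.upper():<6}] {f.host}:{f.port}  {f.reason}")
```

Run as-is, it lists the two end-of-life systems first, then the three reachable high-value services, and ignores the filtered port; swapping in your own `nmap -sV -oG` output is the only change needed to triage a real scan.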
A Means of Validating Security Control Deployment and Effectiveness
In cybersecurity and regulatory compliance programs, money is spent to develop, deploy, and implement a solution. After implementation, it can be hard to know whether the solution is producing the desired results. Pen testing is one of the few ways to produce verifiable evidence that a control actually works, and that your organization is getting the return it expected on that spend.
The ugly downside, of course, is that you may find your solutions AREN'T working as intended. This is fairly common, especially in large organizations, where a tool is never fully deployed or isn't maintained properly. Keep that in mind when running a penetration test!
A Roadmap to a Better Cybersecurity Posture
Pen testing also gives you a roadmap to a better cybersecurity posture. If you know where your vulnerabilities are, you can implement the proper fixes to remediate them. It might be as simple as a software configuration change, or it could mean re-securing your entire network. Either way, you'll know the steps you need to complete once a proper penetration test is done.
Why is Penetration Testing Important?
Let's split penetration testing importance into two categories that often get mixed together: Security and Compliance.
Security asks, "How secure is this?"
Compliance asks, "How likely is this to pass an audit?"
Both of these are important, and there's overlap between the two, but they have different sets of results, functions and purposes.
The Importance of Penetration Testing for Cybersecurity
Visibility of exploitable weaknesses: Vulnerability scans will show where your weaknesses are, but due to budget or staffing limitations you simply can't fix every finding. A penetration test shows which of those vulnerabilities are actually reachable and exploitable from the outside, meaning they absolutely must be addressed first.
Calculate impact to business: Penetration testing can help you calculate, in real dollars, what a cybersecurity attack would cost your business. Maybe an attack will take you down for three days. What would that downtime cost you? Would you lose sales? Potentially lose customer data requiring reimbursement? Put actual dollar figures on these numbers.
Test remediation effectiveness: Has there been a past cybersecurity incident at your business? Maybe your team has addressed some known security vulnerabilities? The best way to prove their effectiveness is to complete a penetration test.
The Importance of Penetration Testing for Compliance
Contractual or insurance requirement: Penetration testing can be a key requirement for obtaining cyber insurance or meeting an industry-specific regulatory compliance standard. Many insurers now require an annual third-party pen test. An MSP like Ntiva can take care of this for you!
Justification for funding: Sometimes we find that executives are less willing to spend money on cybersecurity after meeting regulatory compliance or cyber insurance standards. Penetration testing can give you the leverage you need to justify the extra funds, by showing exactly where the weak spots are and how they can be exploited.
Types of Penetration Testing
Black Box Testing
Black box testing involves bringing in someone who has no knowledge of or visibility into the environment. (You will sometimes hear this called "black hat" testing, but strictly a black hat is a criminal attacker; the box color describes how much the tester is told, not their intent.) Black box testers can, of course, use search tools and crawl the internet for basic business information, but they don't know what the network topology looks like.
Black box testing is the most realistic version you can do. However, because of its realism, it won't necessarily yield the best coverage. With no inside knowledge, the tester has to probe broadly, and that noise is exactly what detection software is built to catch: these tests will set off alarms in the SOC, on firewalls, and in intrusion detection systems, and a tester who is blocked early never reaches the deeper systems.
Pros: Most realistic intrusion test
Cons: Usually caught fairly quickly
Gray Box Testing
Gray box testers are the middle ground. They have enough knowledge about your environment to complete a successful test; you might have to tell them about your network topology, or give them a standard user account, to ensure everything is tested fully.
I consider gray box testing fairly realistic because these testers have enough information to test out everything you've put in place, and see if it's really as secure as you think it is!
Chances are, gray box testing will still set off SOC and firewall alarms. I recommend involving your SOC and being open about the fact that you're going to be testing: "We know we're going to set off SOC alarms, but let them go to see what they're able to do."
Pros: Middle ground, good realistic testing of your network
Cons: Will still set off SOC alarms, may need employee involvement
White Box Testing
White box testing, as you'd expect, is the opposite of black box testing: you give the testers as much information as they want or need. Share every detail, including network diagrams, configurations, and credentials. This is the least realistic test, but it's also the most valuable, because every internal control and account can be tested.
White box testing allows you to test the worst case scenarios that keep you up at night. What if an administrative account is compromised? Would your cybersecurity infrastructure keep your data safe?
In my opinion, white box testing is the best option because it's the most thorough. The goal should be to test your network from all angles. In the real world, a large share of attacks begin with a compromised user account, so you need to test your password complexity requirements, MFA setup, and phishing prevention training.
If you really want to know how secure you are and what you can do to improve, you're going to need a white box test. You'll sometimes receive hundreds of pages of suggested corrections, which can be discouraging, but now that you have the information, you can start making positive changes to your infrastructure!
Pros: Most thorough, provides complete results
Cons: Can require extensive follow-up corrections
Penetration Testing Issues and Limitations
There are a few common penetration testing issues and limitations to address before you begin.
The possibility of causing harm to systems: Simulating a cyberattack means potentially breaking something in your network. Agree in advance which systems may be tested live, make sure backups are current, and be prepared to fix anything that breaks quickly.
Knowing what you will be testing against: Specify exactly what systems are being tested and what tools are being used to test.
Determining what you have visibility and connectivity to: Where is this pen test being run from? Is it testing only your externally facing systems, or also what an attacker could reach once inside the network?
Scheduling: This can be a hassle because most of the time people want pen testing scheduled for off-hours, but that makes the test less representative of a real-world scenario, where attackers hit you during business hours too.
Creating a "Rules of Engagement" (ROE) document: ROE documentation is an absolute requirement. Never do a penetration test without it. This document outlines what is being tested (and what is explicitly excluded), when it's being tested, who is testing it, which techniques are permitted, and, most importantly, what will be done if something goes wrong, including who to call to halt the test.
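The scope, visibility, scheduling, and ROE points above all come down to one question a tester has to answer before every action: is this target, this technique, at this time, actually covered by the agreement? Here is an added example (not from the original article or Ntiva's process) that encodes a constructed sample ROE and checks each action against it, with exclusions taking precedence over inclusions. The ROE values use documentation addresses (203.0.113.0/24, example.com) and the helper names are this example's own.

```python
"""Gate each test action against the Rules of Engagement (ROE).

Added example, not from the original article or Ntiva's process. The ROE
below is a constructed sample using documentation addresses; the helper
names are this example's own.
"""
from __future__ import annotations
import ipaddress
from datetime import datetime, timezone

# Constructed sample ROE. In a real engagement these values are copied from
# the signed document, and the tester's tooling should not be able to widen them.
ROE = {
    "client": "Example Corp",
    "in_scope": ["203.0.113.0/24", "198.51.100.10",
                 "www.example.com", "*.app.example.com"],
    # Exclusions beat inclusions: payments sits under the wildcard above
    # but must never be touched.
    "out_of_scope": ["203.0.113.250", "payments.app.example.com"],
    "window": {"start": "2024-06-03", "end": "2024-06-14",
               "hours_utc": (8, 18), "weekdays_only": True},
    "allowed_methods": {"port_scan", "web_app", "credential_testing"},
    "forbidden_methods": {"denial_of_service"},
    "emergency_contact": "soc-oncall@example.com",
}


def _matches(target: str, pattern: str) -> bool:
    """True if target (IP or hostname) falls under one scope pattern."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        try:
            return ip in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # pattern is a hostname, target is an IP
    host, pattern = target.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.app.example.com" -> ".app.example.com"
    return host == pattern


def in_test_window(when_iso: str, roe: dict) -> bool:
    """Is this timestamp (ISO 8601 with UTC offset) inside the agreed window?"""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("ROE times are UTC; pass a timezone-aware timestamp")
    when = when.astimezone(timezone.utc)
    w = roe["window"]
    start = datetime.fromisoformat(w["start"]).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(w["end"]).replace(
        tzinfo=timezone.utc, hour=23, minute=59, second=59)
    if not start <= when <= end:
        return False
    if w["weekdays_only"] and when.weekday() >= 5:  # 5 = Saturday
        return False
    first, last = w["hours_utc"]
    return first <= when.hour < last


def authorize(target: str, method: str, when_iso: str, roe: dict) -> tuple[bool, str]:
    """Decide whether one action is covered by the ROE; returns (allowed, reason)."""
    if any(_matches(target, p) for p in roe["out_of_scope"]):
        return False, f"{target} is explicitly out of scope"
    if not any(_matches(target, p) for p in roe["in_scope"]):
        return False, f"{target} is not in scope"
    if method in roe["forbidden_methods"]:
        return False, f"{method} is forbidden by the ROE"
    if method not in roe["allowed_methods"]:
        return False, f"{method} was not agreed; get written approval first"
    if not in_test_window(when_iso, roe):
        return False, ("outside the agreed test window; contact "
                       f"{roe['emergency_contact']} before proceeding")
    return True, "authorized"


if __name__ == "__main__":
    for target, method, when in [
        ("203.0.113.15", "port_scan", "2024-06-04T10:00:00+00:00"),
        ("payments.app.example.com", "web_app", "2024-06-04T10:00:00+00:00"),
        ("203.0.113.15", "denial_of_service", "2024-06-04T10:00:00+00:00"),
        ("203.0.113.15", "port_scan", "2024-06-08T10:00:00+00:00"),
    ]:
        print(target, method, when, "->", authorize(target, method, when, ROE))
```

The ordering matters: exclusions are checked before inclusions so a wildcard can never quietly pull a protected host back into scope, and a window miss names the emergency contact rather than silently failing, because "outside the window" is exactly when someone needs to be called.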
How Much Does Penetration Testing Cost?
In the most generalized of terms, you can expect to spend anywhere between $2,500 and $100,000 for a complete penetration test. There are several reasons for such a wide pricing window!
In-house vs. Outsourced
Simply put, in-house testing is going to cost more for a small to medium sized business. You'll need to pay your testing employees (sometimes including hefty overtime) along with paying for the right testing tools. There are excellent free open-source pen testing tools, but tooling is the cheap part; the expensive part is the skilled time to run them and interpret the results.
Some large organizations employ a full-time in-house cybersecurity team. These businesses can obviously save money compared to outsourcing.
Outsourcing penetration testing typically costs less and comes with the peace of mind knowing that these outsourced teams will bring the right tools and knowledge to complete a full test without any extra fees or complications.
The cost of your tester's time will vary greatly depending on their skill and knowledge level. Do you want to pay for a beginner or an advanced tester? When you start adding layers like network complexity, web applications, and large databases, you're getting into advanced territory, and you're going to pay more for that resource!
The type of testing involved with your business will change the amount of hours required to complete the effort and therefore affect the cost you pay. How stealthy do you want to be? How long do you want the test to take? This involves tying up resources for a longer time, and will cost you more, but it's the only way to know you're getting realistic results.
Balancing cost with necessary time to completion is the biggest challenge for an organization. You want to spend enough to justify your time and effort and ensure you're getting complete and realistic results, but after a certain amount of time, you're simply throwing money away for no new results. This is another strong case for outsourcing. A solid consultant will be honest about the time required, and bill you accordingly.
Above all, business size may affect the cost of pen testing more than anything. Small businesses obviously won't come near the top of the price range, but large enterprises could easily spend six figures on a thorough and fully documented pen test. Five to ten professionals, each with ten to fifteen years of experience with the required security tools, working for multiple weeks in a business with thousands of employees will cost a pretty penny!
Working with an MSP like Ntiva, your business will receive a fully documented proposal showing what will be tested and how much it will cost. If you come to the table knowing how much you're willing to spend, a reputable outsourced IT firm will work with you to prioritize what needs to be tested within your budget.
Does Your Business Need Penetration Testing Services?
Whether it's required for compliance or just a step in your security measures process, penetration testing will show you where the vulnerabilities lie in your network, and will enable you to take the proper steps to keep your data safe.
Interested in learning more? Reach out to us to see if Ntiva's penetration testing services are right for your business!