Pen Testing – Confusion or Clarity?

February 26, 2018 (Uncategorised)

Today I want to discuss (and hopefully clarify) some recent confusion I have been observing around pen testing (penetration testing) requests.  On one hand, we are seeing more and more requests for this type of security service, which is a great thing.  It means cybersecurity awareness is growing, and people are looking to take the next steps to ensure that they aren’t the next headline about a network breach.  On the other hand, we are also starting to see the term “pen testing” used as a catch-all for a few different security services.

First, a couple of definitions…

Vulnerability Assessment (VA):  This is typically an automated scan of network equipment that identifies and reports on theoretical vulnerabilities in things like computer operating systems, installed applications, websites, databases, network services, etc.  In plain terms, if we imagine that your application or network is a locked door, a vulnerability assessment tries to identify all the possible locks that exist on the door.

Penetration Test:  Generally speaking, this is an authorized attempt by an ethical hacker (or Red Team) to exploit identified weaknesses (or vulnerabilities) in order to gain access to a network, an application or an organization.  In other words, a penetration tester has a big bag of “keys” (i.e. tools, techniques, and procedures) and they will attempt to open each theoretical lock or vulnerability with their “keys”.

Now, back to some recent observations…

One of the first things we do at CyberHunter is to try to understand what our clients really mean when they say “I need a pen test”.  Usually, the request falls into one of two camps:

Scenario #1:  “We have a web application and one of our biggest clients needs us to get a 3rd-party pen test performed for their risk team.”

Scenario #2: “We are looking to test and improve our overall cybersecurity posture and we need an ethical hacker to try to break into our network.”

These are generalizations, but Scenario #1 is actually MOSTLY a vulnerability assessment, followed by a blend of automated and manual testing that looks for obvious configuration flaws or vulnerabilities that can be exploited without too much effort.  The main goal of this type of test is a remediation report on the issues found, which lets you harden your website, application or network.  This type of testing could also be considered an audit of sorts, particularly when a specific set of metrics is used for compliance measurement (e.g. PCI-DSS compliance).

Scenario #2, however, is a more traditional penetration test.  This type of pen test (also called a Red Team exercise) simulates an adversarial role and is a far more realistic way to test the security readiness of an organization.  This testing covers exploitation attempts against People, Process, and Technology.  It can involve a significant amount of social engineering and usually triggers active security controls and countermeasures inside the operating environment.  These tests additionally assess the responsiveness and/or processes of the internal Blue Team (the defensive team) when an intrusion is detected.

Whether you need a Scenario #1 or a Scenario #2 engagement, we at CyberHunter are very happy to see the industry taking proper steps towards a well-balanced cyber hygiene program.  Contact us at evolve@cyberhunter.solutions to take those next steps.