Penetration Testing
IT penetration testing provides a way for you to assess both the security risk exposures in your network perimeter and your organisation's ability to detect and respond to a real threat.
Penetration Testing F.A.Q.
The FAQ provides the answers to frequently asked questions about penetration testing.
Q1. What is a penetration test?
Q2. What is the difference between a 'black-box' and an 'informed' penetration test?
Q3. What is the benefit of a penetration test?
Q4. What are the limitations of a penetration test?
Q5. Will a penetration test affect the availability of my systems?
Q6. Do I need permission from my Internet service provider to conduct a penetration test?
Q7. Is penetration testing legal?
Q8. How long does a penetration test take?
Q9. How much does a penetration test cost?
Q10. Who should I engage to perform a penetration test?
Q11. How often should I have a penetration test performed?
Q12. Am I getting a vulnerability scan or a penetration test?
Q1. What is a penetration test?

A. These days, the term ‘penetration test’ is used to describe a number of security testing techniques, ranging from simply running an automated vulnerability assessment tool against a target system, to full-blown manual testing by specialist tiger-teams. In essence, a penetration test involves highly technically competent security specialists, using the same tools and techniques as your average ‘hacker’, trying to bypass your security systems in order to gain access to an agreed objective.

Q2. What is the difference between a 'black-box' and an 'informed' penetration test?

A. A ‘black-box’ penetration test is a term used to describe a penetration test where the tester has little or no prior knowledge about the target system, and is not provided with any assistance from the target organisation during the testing. An ‘informed’ penetration test is a term used to describe a penetration test where the tester is provided with an overview of the target system and can access technical information from the target organisation during the penetration test. An informed penetration test allows the tester to conduct a great deal more testing in a shorter period of time, potentially identifying more security vulnerabilities, but it is not a true simulation of a real attack. The most appropriate method for a penetration test is determined by the desired outcome.

Q3. What is the benefit of a penetration test?

A. A penetration test provides a controlled environment to achieve a number of possible objectives:
  • identify security vulnerabilities in networks and systems
  • measure the organisation’s ability to detect an attack
  • measure the organisation’s ability to respond to an attack
Penetration testing provides a level of assurance to the organisation that processes used to manage the security of networks and systems are both effective and consistent.

Q4. What are the limitations of a penetration test?

A. Penetration testing by its very nature is not thorough. A penetration test will never identify all security vulnerabilities in a target system. The type and number of security vulnerabilities identified will also be determined largely by the skill set and experience of the individual conducting the testing, as well as the tools being used. It is common for multiple penetration tests of the same systems by different companies to produce vastly different results.

Q5. Will a penetration test affect the availability of my systems?

A. While most penetration testers take great care to ensure that testing doesn’t interfere with system availability, there can be no guarantees made that availability will not be affected. This is because each and every system is different. There are certain steps that can be taken to limit the risk of system outages on critical systems:
  • penetration testing can be limited to non-intrusive tests only. This type of testing relies on information observed about the system, such as the type and version of operating system, to determine the possible existence of security vulnerabilities, rather than actively trying to exploit them. While this level of testing is less likely to interrupt system availability, it is not as accurate as full testing.
  • penetration testing can be limited to after-hours time, or during periods of the year when small system outages are less likely to cause harm.
  • penetration testing can be carried out against staging or test environments before production environments to assess the likelihood of impacting availability.


Q6. Do I need permission from my Internet service provider to conduct a penetration test?

A. This depends upon the policy of your ISP. Generally speaking, if your ISP simply provides you with an Internet connection, you will not need permission to conduct a penetration test. It is, however, advisable to contact your ISP and inform them that you will be conducting such a test, to avoid potentially embarrassing situations. If, however, your target systems are physically located at the ISP, then you will need to obtain permission. This is because ISPs that host customer systems often share one physical system between a number of customers, and will not want your penetration testing activities to affect the other customers’ systems.

Q7. Is penetration testing legal?

A. As long as you are authorised by your company to engage a penetration test, it is completely legal. Before conducting a penetration test, or engaging a third party to conduct a penetration test, you should make sure you have authorisation. To protect yourself, it is best to get authorisation in writing.

Q8. How long does a penetration test take?

A. Most engagements take anywhere from one to three weeks, depending on the scope of the assignment. Penetration testing is something that is never complete, and the more time and effort is applied, the more bizarre and obscure the vulnerabilities identified will be. The amount of time (i.e. cost) that should be allocated to a penetration test needs to be commensurate with the benefit from the testing. The longer testing continues, the more time is required to find new security vulnerabilities, and as such, the fewer vulnerabilities are found. The following diagram illustrates the relationship of cost and benefit (i.e. vulnerabilities identified per day) of a typical penetration test:

Q9. How much does a penetration test cost?

A. The cost of a penetration test is typically determined by three variables:
  • skills and experience of the testers
  • tools used
  • estimated time required to achieve the best cost-benefit
The daily rate for penetration testing ranges from $600 to $3,000.00 per consultant, depending on the skills, experience and company. Price alone is not a reflection of skills and experience. Larger organisations typically charge higher daily rates because they have higher overhead expenses. Some medium-sized organisations, often those that specialise in penetration testing, may have highly skilled and experienced penetration testers available at much more attractive rates.

Q10. Who should I engage to perform a penetration test?

A. When looking for a penetration tester, be sure that you are dealing with a reputable and experienced consulting firm. There are many individuals and organisations who profess to be commercial penetration testers, however some of them lack professional experience, testing methodologies and discipline. Make sure that the organisation you are dealing with:
  • can provide references from other customers who they have performed similar work for
  • can demonstrate they have a systematic approach or methodology for testing
  • have a good reputation
  • have the specialist skills required to conduct the penetration testing

Q11. How often should I have a penetration test performed?

A. Most organisations today typically conduct a penetration test every six to twelve months. The frequency of your testing should be determined by risk. If your organisation would suffer significant harm from a security compromise of your computer systems, then you should consider more regular testing, perhaps even monthly. If you would suffer some embarrassment, but no serious harm, then annual testing might be sufficient.

Some penetration testing firms now offer the choice of one-off penetration tests, or on-going periodical testing. An on-going periodical test usually provides much better value for money for organisations requiring more frequent testing.

Q12. Am I getting a vulnerability scan or a penetration test?

A. The term ‘penetration test’ is used to describe a number of approaches to security testing. You should make sure you understand exactly what your service provider is intending to provide. Some organisations use the term ‘penetration test’ to describe a simple vulnerability scan using an automated tool such as Retina, Nessus or ISS Internet Scanner. While these tools are an essential part of a penetration test, their use alone does not constitute a penetration test.

Specialist penetration testers will provide much more value than an automated tool alone. Automated vulnerability scanners are good at identifying known vulnerabilities in operating systems and applications; however, they are no good at identifying security vulnerabilities specific to your environment, whether it be because of the way your systems have been configured, or because you have a custom-built web application.

A penetration test proposal that intends to use specialist skills for manual security testing will often make this very clear. If you are unsure of what component of the penetration test proposal involves manual testing and what component involves automated testing, ask your vendor to clarify in writing before they start the testing.

If you have any questions about penetration testing that have not been answered here, please feel free to email them to faq@neocomm.com.au for a prompt response.
