Last Updated on December 2, 2019
There are basically three levels of network penetration testing, plus a complementary “fourth level” of network security architecture review:
1) Security Assessment (Validation)
This level of testing is vulnerability-centric. Heavily utilizing automated toolsets, the test starts with a vulnerability assessment and is followed by a manual review of any findings to eliminate “false positives.” These automated scans take up to several hours, and can search for tens of thousands of known vulnerabilities. This introductory level of penetration test offers a report focused on vulnerabilities in your network security posture.
2) CREST-Aligned Penetration Test
This level of test assesses the security of your network infrastructure by simulating an attack from malicious outsiders and/or insiders to identify attack vectors, vulnerabilities and control weaknesses. Penetration testing involves primarily manual testing techniques that are supported by automation and attempts to exploit discovered vulnerabilities. This often includes open source intelligence gathering (OSINT) by passive, semi-passive and/or active means, exposed applications (unauthenticated), and potentially social engineering (people) attack vectors as well.
Overall, the scope of a penetration test engagement is significantly larger than automated scanning alone. Its goal is to evaluate your network security posture and risk profile as seen by an intentioned attacker during the time available (typically a week or more). This level of penetration test meets or exceeds the minimum requirements for PCI-DSS, FedRAMP, CREST, and other regulations. Reporting follows a narrative style to allow you to “see” how the attacker thinks.
3) Red Team Engagement
Organizations with mature security programs with professional staff dedicated to defending against cyberattacks can take part in “red team” engagements, where the penetration testers (ethical hackers) play offense and the security staff play defense. This dynamic, highly targeted form of penetration testing leverages “real-world” attack scenarios designed to test your detection and response capabilities. A red team engagement isn’t about pinpointing your vulnerabilities—it’s about gaining access by any means available to the sensitive data you’re trying to protect and your ability to detect and defend the attack.
4) Network Security Architecture Review
Network infrastructure is always evolving, and not all changes are made with security foremost in mind. This results in “temporary” workarounds, deviations from best practice and other changes that compromise security and diminish the effectiveness of security controls.
While the above three types of network analysis involve some form of penetration testing or vulnerability scanning to identify weaknesses or gaps in controls, a network security architecture review systematically examines the network topology and segmentation, network security technology (e.g., firewalls, IDS/IPS) and controls to evaluate how well these protect critical information assets and interconnections in line with business and security objectives.
To perform a network security architecture review, security experts will need to interview key staff so they can understand business goals and control objectives, applicable regulations, and “all things network” from data flows/protocols to network components to operational processes.
A network security architecture review can start with a pre-planned framework, such as a network architecture audit checklist or a network security architecture review checklist. Likewise, it may or may not involve a highly structured final deliverable like a network architecture review report. Other deliverables may include a gap analysis and/or a mitigation roadmap. But whatever the network architecture review methodology employed, this approach provides critical information on security flaws and vulnerabilities in your underlying network architecture.
How to Determine Your Penetration Testing Scope
Each of the three levels of penetration tests just described (numbers 1, 2, and 3) has its strengths and weaknesses. Which level is right for you? That depends on your goals.
At Pivot Point Security, we fine-tune each pen test engagement to maximize its business value for your specific needs. If you’re unsure which level of pen test is right for you, or if you’re concerned about attestation requirements, we’ll work with you to determine the best choice.
Likewise, our network architecture review methodology (number 4 above) can be fine-tuned to address your organization’s goals around proving security or compliance, identifying security issues and/or helping to prioritize and focus security activities in relation to services, databases, applications, etc.
To talk more about penetration testing and/or a network security architecture review, and how it can help your company achieve its security and compliance goals, contact Pivot Point Security.