There are basically three levels of network penetration testing:
1) Security Assessment (Validation)
This level of testing is vulnerability-centric. Relying heavily on automated toolsets, the test starts with a vulnerability assessment, followed by a manual review of the findings to eliminate “false positives.” These automated scans can take several hours and check for tens of thousands of known vulnerabilities. This introductory level of penetration test produces a report focused on the vulnerabilities in your network security posture.
2) CREST-Aligned Penetration Test
This level of test assesses the security of your network infrastructure by simulating an attack from malicious outsiders and/or insiders to identify attack vectors, vulnerabilities and control weaknesses. Penetration testing relies primarily on manual testing techniques, supported by automation, and attempts to exploit the vulnerabilities it discovers. This often includes open source intelligence (OSINT) gathering by passive, semi-passive and/or active means, testing of exposed applications (unauthenticated), and potentially social engineering (people) attack vectors as well.
Overall, the scope of a penetration test engagement is significantly larger than automated scanning alone. Its goal is to evaluate your network security posture and risk profile as seen by a motivated attacker during the time available (typically a week or more). This level of penetration test meets or exceeds the minimum requirements for PCI-DSS, FedRAMP, CREST, and other regulations. Reporting follows a narrative style that lets you “see” how the attacker thinks.
3) Red Team Engagement
Organizations with mature security programs and professional staff dedicated to defending against cyberattacks can take part in “red team” engagements, where the penetration testers (ethical hackers) play offense and the security staff play defense. This dynamic, highly targeted form of penetration testing uses “real-world” attack scenarios designed to test your detection and response capabilities. A red team engagement isn’t about pinpointing your vulnerabilities; it’s about gaining access, by any means available, to the sensitive data you’re trying to protect, and about measuring your ability to detect and defend against the attack.
How to Determine Your Penetration Testing Scope
Each of these three levels of penetration tests has its strengths and weaknesses. Which level is right for you? That depends on your goals.
At Pivot Point Security, we fine-tune each pen test engagement to maximize its business value for your specific needs. If you’re unsure which level of pen test is right for you, or if you’re concerned about attestation requirements, we’ll work with you to determine the best choice.
To talk more about penetration testing and how it can help your company achieve its security and compliance goals, contact Pivot Point Security.
Without good asset, patch and vulnerability management in place, a network penetration test could be a big waste of time and money.