Penetration Testing FAQs
What is Penetration Testing or ethical hacking?
Penetration Testing (aka ethical hacking) is a test of your system’s security posture. It provides a measure of how effective your cumulative security treatment is. It is typically used to answer the fundamental question “Are we secure?” or as a means to prove to a third party (usually your client) that you are secure. Penetration Testing can be focused on one or more areas including network/systems, applications, people (social engineering), or facilities (physical penetration).
Why do we need Penetration Testing?
Your company could use Penetration Testing to:
- Confirm that your environment is as secure as you believe
- Prove to a third party that an environment is secure and trustworthy
- Quickly assess the security of a less mature control environment (in a sense, a technical risk assessment)
- Ensure, after a major change (e.g., the installation of a high-risk system/application), that the security controls are operating as intended
What’s the Pivot Point approach to Penetration Testing?
Pivot Point Security tailors each Penetration Testing engagement to the type of test and the client’s specific objectives. This includes our perspective (e.g., Black Hat versus White Hat), modalities (e.g., credentialed versus uncredentialed, or both), primary driver (e.g., attestation focused versus risk focused), objective (e.g., capture the flag), and rules of engagement (e.g., which techniques, such as pivoting or social engineering, are or are not allowed).
What is a Penetration Testing tool?
Common Penetration Testing tools include vulnerability scanners (e.g., Nessus, Qualys, NTO Spider), automated exploit engines (e.g., Metasploit Professional, Canvas), password crackers (e.g., John the Ripper), and sniffers/proxies/tamper tools (e.g., Burp Suite, Cain & Abel). Testers often carry dozens of tools and will select which ones to use based on the type of test and the specific technologies that you are running.
How does Penetration Testing work?
Most Penetration Tests have two distinct phases. In the first, “reconnaissance” phase, the tester gathers as much information as possible to achieve the objectives of the engagement. This is often done using a vulnerability assessment tool. This phase can be helpful in discovering how vulnerable your system is. In the second, “exploit” phase, the tester will leverage vulnerabilities identified during the “reconnaissance” phase. This phase gives you a measure of how likely it is that your vulnerabilities can be exploited and, if so, what the impact on your organization would be.
How long does Penetration Testing take?
Simple penetration tests in a smaller company may last a day or less. Larger tests for a global enterprise could extend over multiple weeks.
Will Penetration Testing shut down our office?
Penetration Testing, when done properly, is unlikely to cause serious disruptions in your business. However, it is impossible for any reputable Penetration Testing company to guarantee a test completely free of disruption. We do not use Denial of Service testing, untested tools, or unvalidated exploit code. In 12 years, fewer than 5% of our tests have caused minor disruptions, such as a short period of slowed network traffic. Pivot Point Security prides itself on keeping your business up and running.
Will Penetration Testing involve our employees?
Pivot Point Security only involves your employees if your objectives include testing incident detection (e.g., we are assessing whether your Security Operation Center is paying attention) or if you want your team to work collaboratively with our test team to learn about Penetration Testing.