What Should You Really Be Penetration Testing?

Pen testing is a valuable investment for any organization – it’s a critical line of defense used to protect and secure your sensitive assets from malicious outsiders. But for organizations that have never undergone pen testing, or for those who have never even heard of penetration testing before, it’s understandable why you would have questions like: What is pen testing? What parts of my organization should be undergoing penetration testing? Who should I hire to perform my pen testing? In this webinar, KirkpatrickPrice’s President, Joseph Kirkpatrick, will answer these questions and more.

What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization’s people, systems, or locations. The purpose of pen testing is to find vulnerabilities that could potentially be exploited by a malicious hacker, as part of your ongoing risk management practices. However, all too often, either out of ignorance or deceit, we see firms pass off vulnerability scans as penetration testing. Let’s be clear: vulnerability scans are not penetration tests. Vulnerability scans are great for discovering low-hanging fruit, but they should not be confused with an advanced, manual penetration test. Vulnerability scanners are only capable of matching patterns and definitions and are unable to find flaws that require human logic and comprehension. This is why investing in penetration testing, in conjunction with running vulnerability scans, is necessary.

What Should You Be Penetration Testing?

In order to know what your organization needs to pen test, you need to identify which assets in your organization are susceptible to cyberattacks and the financial, reputational, and legal implications if those assets were to be compromised. Assets that your organization should consider pen testing might include:

  • Call Center
  • People
  • Records Facility
  • Internet of Things
  • Corporate Office
  • Data Center
  • Wireless Connections
  • Externally Facing Applications
  • Internally Facing Applications
  • Mobile Applications
  • Computers

Ultimately, your organization should be penetration testing any asset that you want to make stronger. If you’re ready to embark on your pen testing journey, download the full webinar to learn more or contact us today to speak to an Information Security Specialist.

Components of a Quality Penetration Test

How do you ensure you’ve identified security vulnerabilities before a hacker has? In today’s threat landscape, it’s crucial for organizations to take cybersecurity seriously and create a prevention strategy. We know that organizations today face extremely threatening cybersecurity risks. We know you need validation of your security methods. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. That’s why we offer quality penetration testing. But what does that even mean?

We want to provide you with a few ways to identify whether or not you’re receiving quality penetration testing. This will help you build a strong security testing methodology, help you meet your compliance objectives, and protect your organization from malicious attacks.

How to Identify Quality Penetration Testing

  • Does KirkpatrickPrice outsource penetration testing services? No. When you partner with penetration testers from KirkpatrickPrice, you work with a dedicated, highly knowledgeable team located in the United States. Our penetration testers aren’t rushing through projects and clients, and they are available for project planning and educating your team.
  • Do we have a team of qualified, professional penetration testers? Yes. Quality penetration testing needs to be performed by a skilled professional or group of professionals who can analyze the results of security testing activities and use those results to inform future activities. Our team of highly skilled and certified penetration testers have diverse backgrounds, extensive experiences, and hold GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), GIAC Exploit Researchers and Advanced Penetration Tester (GXPN), and GIAC Certified Intrusion Analyst (GCIA) certifications, among others.
  • Will KirkpatrickPrice ever try to pass off a vulnerability scan as a penetration test? No. We’ve witnessed many testing firms that, either through ignorance or deceit, mislead their customers by identifying their vulnerability scanning services as penetration testing. Many of these firms deliver scan reports to their customers labeled as a penetration test report with little more than an edited title and their firm’s logo added to the document. Some will attempt to hide this approach by taking the vulnerability scan results and placing them into a custom reporting template without performing any additional testing that would support labeling the service as penetration testing. Despite numerous resources calling out this practice, it continues to be a common source of confusion for customers.
  • Do our penetration testers find security vulnerabilities that an internal penetration tester would not? Yes. There is a unique value to having an independent, third-party perform penetration testing services for your organization because the internal blinders have been removed. Personnel often can’t or don’t want to see the security vulnerabilities that an experienced auditor does. With today’s cybersecurity risks, you can’t be too careful when it comes to security vulnerabilities. Ask yourself: what could a certified, professional penetration tester find that we wouldn’t?
  • Have our penetration testers found security vulnerabilities that previous penetration testers did not? Yes. In one testing situation, we found thousands of accounts that were being maliciously used in a payment portal. Did the previous penetration tester find this? No – this security vulnerability was completely missed.
  • Are KirkpatrickPrice penetration testers dedicated to educating you on the implications of your security vulnerabilities? Yes. Our penetration testers are passionate about empowering your organization to greater levels of assurance, and they do that through analyzing the findings of your penetration tests, communicating the consequences, and recommending remediation tactics.
  • Do we use both automated and manual testing methods in our penetration testing services? Yes. One of the major differences between vulnerability scanning and penetration testing is automated versus manual processes. Beyond the initial scan configuration process, a vulnerability assessment does not require a significant amount of human interaction. Quality penetration testing should include manual testing methods, particularly performed by a professional. If the penetration testing services you receive are a highly automated process with minimal human effort, you might not be receiving quality penetration testing.
  • Do we give post-exploitation direction? Yes. A key aspect of quality penetration testing is using the findings. Your organization should risk-rank the vulnerability findings you receive, analyze the potential impact of the vulnerabilities found, and determine remediation strategies. KirkpatrickPrice penetration testers will partner with you to ensure you have proper post-exploitation direction.

What would it cost you if your top client was not satisfied with the quality of your penetration test? If you did not undergo a penetration test, what security vulnerabilities would you not know about? How would it impact your job if you did not receive quality penetration testing? In a day and age when security controls must be strong and effective against advanced threats, we’ve made it our mission to deliver quality services – and that includes penetration testing services.

Want to learn more about our penetration testing services? Contact us today.


Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Moreover, 64% of American adults have experienced data theft via credit card, account number, email account, social media account, Social Security number, loan, or tax return compromises. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are coming to light.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, clickbait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?


Auditor Insights: Vulnerability Assessments vs. Penetration Testing

Confusion About Vulnerability Assessments and Penetration Testing

In my current role, I work with clients who are attempting to meet security and compliance objectives through penetration tests, vulnerability assessments, and other information security-related exercises. What I’ve seen time and time again is organizations who are confused about the difference between vulnerability assessments and penetration testing. I’m passionate about educating our clients on security exercises and determining what practices they need to implement in their information security program.

The most common source of confusion on the difference between vulnerability assessments and penetration testing rests in the hands of testing firms that, either through ignorance or deceit, mislead their customers by identifying their vulnerability scanning service offerings as penetration testing. Many of these firms submit scan reports to their customers labeled as a penetration test report with little more than an edited title and their firm’s logo added to the document. Some will attempt to hide this approach by taking the vulnerability scan results and placing them into a custom reporting template without performing any additional testing that would support labeling the service as penetration testing. Despite numerous resources calling out this practice, it continues to be a common source of confusion.

Another very common source of confusion stems from individuals and organizations failing to properly educate themselves on the difference between vulnerability assessments and penetration testing. This is particularly true of those that attempt to manage vulnerability assessment and penetration testing services internally with untrained and/or inexperienced resources. Many times, vulnerability scanning will be erroneously referred to as ‘penetration scanning,’ suggesting that there is some level of penetration testing taking place. Others believe that by purchasing automated tools with added functionality, such as built-in password attacks and exploitation processes, they have covered the testing requirements for penetration testing.

What’s the Difference Between Vulnerability Assessments and Penetration Testing?

A vulnerability assessment is an approach for identifying and rating issues affecting in-scope systems in a given environment. Elements of vulnerability assessments include the following:

  • Vulnerability assessments are a highly automated process; beyond the initial scan configuration process, a vulnerability assessment does not require a significant amount of human interaction.
  • Vulnerability assessments are designed to highlight issues on a wide range of systems at regular intervals to allow timely identification and resolution of vulnerabilities and common misconfigurations.
  • Vulnerability assessments are typically performed on a quarterly basis.
  • Results from vulnerability assessments can be included within a larger vulnerability management program in order to identify, analyze, risk-rank, and track various metrics over time.
  • Vulnerability assessment tools work by leveraging a large set of pre-defined checks that are designed to mimic common attacks that might affect the target systems. These checks, which cover a wide variety of ports, protocols, and services, are sent to the target system and the resulting response is analyzed to determine if it matches a known vulnerable state.
  • The exact mechanism used for each request and the analysis of the response is highly dependent on the nature of the issue and can take many forms.
  • Although not a requirement during penetration testing, the results returned from vulnerability scanning can be a valuable resource for highlighting a large number of issues in a short period of time. Examples of this include identifying missing patches, vulnerable software packages, and other issues that can be easily identified by automated means. These scan results are particularly useful for identifying softer targets before moving on to more time-consuming manual testing processes.
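The check-and-match mechanism, risk ranking and cycle-to-cycle tracking described in the list above, modelled in Python as an added example that is not code from the article or from KirkpatrickPrice. The host address, service banners, check identifiers and the “vulnerable” version ranges are all constructed, and the scanner logic is a deliberately minimal model of how such tools behave, not a real product.

```python
"""Toy model of a vulnerability scanner's check-and-match loop plus the
risk ranking and cycle-to-cycle tracking a vulnerability management program
does with the results. Host, banners and checks are constructed, not real."""
import re
from collections import namedtuple
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str  # constructed identifier, not a real plugin or CVE id
    service: str   # service the check applies to
    pattern: str   # regex describing the "known vulnerable state"
    severity: str  # bucket used for risk ranking
    title: str


Finding = namedtuple("Finding", "host port check_id severity title")

# Constructed definitions; a real scanner ships thousands of these.
DEFINITIONS = [
    Check("CHK-001", "ssh", r"^SSH-2\.0-OpenSSH_7\.[0-3]\b", "medium",
          "Outdated OpenSSH build (hypothetical vulnerable range)"),
    Check("CHK-002", "http", r"^Server: Apache/2\.2\.", "high",
          "End-of-life Apache 2.2 branch"),
    Check("CHK-003", "ftp", r"^220.*anonymous", "low",
          "FTP banner advertises anonymous access"),
]
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def run_checks(host, observations, definitions=DEFINITIONS):
    """Match each captured (port, service, response) against the patterns.
    Matching is all a scanner can do; it cannot judge whether a response
    *should* have been returned, so an authorization flaw yields nothing."""
    findings = []
    for port, service, response in observations:
        for check in definitions:
            if check.service == service and re.search(check.pattern, response, re.M):
                findings.append(Finding(host, port, check.check_id,
                                        check.severity, check.title))
    return findings


def risk_rank(findings):
    """Order findings by severity, then host and port, for triage."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))


def cycle_delta(previous, current):
    """Compare two scan cycles: remediated, new, and still-open findings."""
    key = lambda f: (f.host, f.port, f.check_id)
    prev, cur = {key(f) for f in previous}, {key(f) for f in current}
    return {"remediated": sorted(prev - cur), "new": sorted(cur - prev),
            "open": sorted(prev & cur)}


# Constructed observations for two quarterly cycles against one host.
HOST = "10.0.0.5"
Q1 = [(22, "ssh", "SSH-2.0-OpenSSH_7.2"),
      (80, "http", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\n"),
      (21, "ftp", "220 ftpd ready, anonymous login ok")]
Q2 = [(22, "ssh", "SSH-2.0-OpenSSH_8.9"),  # upgraded, so CHK-001 clears
      (80, "http", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\n"),  # still open
      # A 200 exposing another customer's record: no pattern describes it, so
      # the scanner stays silent; deciding it is a flaw takes a human tester.
      (443, "http", 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n{"account": "other"}')]
```

Running `cycle_delta(run_checks(HOST, Q1), run_checks(HOST, Q2))` reports the SSH and FTP findings as remediated and the Apache finding as still open, while the 443 response never appears in any list.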

A penetration test is a process for identifying and exploiting vulnerabilities and common misconfigurations affecting targeted systems. Elements of penetration testing include the following:

  • This process is typically goal focused (e.g. attempting to gain access to an otherwise fully segmented PCI CDE environment).
  • Penetration testing is designed to demonstrate the risk to the target environment, should discovered vulnerabilities be exploited.
  • Penetration testing leverages both automated and manual testing techniques.
  • The frequency of penetration testing depends on the sensitivity of the systems and data in the target environment and can range from a single annual test to quarterly or more frequent execution.
  • Penetration testing involves a skilled professional or group of professionals analyzing the results of testing activities and using those results to inform future activities.
  • The penetration testing process allows for a more comprehensive assessment of the overall security of the target environment by including things such as password attacks, phishing, man-in-the-middle attacks, and other testing activities that are not typically performed during a vulnerability assessment.
  • Penetration testing also includes post-exploitation activity that can drive home the significance of identified and exploited issues by demonstrating ways that an attacker can leverage the level of access gained to obtain sensitive information or further compromise the environment.

Understanding the difference between vulnerability assessments and penetration testing will help you make informed decisions about these important and distinct pieces of your overall information security program, which are required by a number of regulations and compliance frameworks. When properly scoped and executed at regular intervals, these activities provide ongoing feedback that can be used to strengthen system hardening practices, patch management, device configuration management, and more. This results in a more secure environment that is better suited to protecting sensitive data owned by, or entrusted to, your organization.

About Sean Rosado

Sean Rosado leads the Penetration Testing team at KirkpatrickPrice. In his role, he and his team are responsible for delivering projects for organizations that are attempting to meet security and compliance goals through penetration testing, vulnerability assessments, and other information security-related exercises. Before joining KirkpatrickPrice, Sean performed Computer Network Defense (CND) operations for the United States Department of Defense. Sean holds GXPN, GPEN, GWAPT, GCIA, and PCIP certifications.


Penetration Testing for HIPAA Compliance

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets – especially Electronic Protected Health Information (ePHI). Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in unauthorized access to ePHI.

In this webinar, KirkpatrickPrice’s Lead Penetration Tester answers your questions about penetration testing, including:

  • What is the difference between penetration testing and vulnerability scanning?
  • Should penetration testing include a human element or can it be done using tools alone?
  • Do I have to hire a third party to perform penetration testing?
  • How often should I have penetration testing done when preparing for a HIPAA assessment?
  • Should I retest after remediation? Should that be included from the firm I work with?
  • How do I know which level of penetration testing is right for me? What are the options?
  • How do you choose targets in large IP address spaces?
  • What is the difference between web application penetration testing and network penetration testing?
  • Does penetration testing include API testing?
  • How do you balance applying automated tools to the target vs something manual to the target, like someone at a laptop?
  • As the IT landscape continuously grows, how do you ensure that you get the correct skills on a penetration test, since no one knows everything?
  • How does KirkpatrickPrice price penetration testing engagements?

More Penetration Testing for HIPAA Compliance Resources

  • HIPAA Security Rule for Professionals
  • 164.308(a)(8) Standard: Evaluation
  • NIST SP800-66 (HIPAA Implementation Guidance)
  • National Institute of Standards and Technology (NIST) SP800-115
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP)
  • Penetration Testing Execution Standard (PTES)
  • Penetration Testing Framework