Information security risks and security testing need to be critical components of all businesses. There are many ways to improve your information security, and there are also many security testing options for organizations. A penetration test is one of those methods for security testing organizations may choose to employ.
What is penetration testing?
Penetration testing is a real-world examination of how secure your systems, infrastructure, and buildings are. Effectively, it’s a simulated attack on your organization. By attempting to gain access to your organization and its systems, pen tests uncover exploitable vulnerabilities, ultimately helping you get a better understanding of where your security risks are—and where improvements can and should be made.
But it’s not always immediately advantageous to get a pen test.
Why do we need a pen test?
There are many reasons why an organization could want or need a penetration test.
- You may have an industry or regulatory requirement.
- Healthcare and banking organizations are required to do an annual pen test. You need one to maintain SOC2/ISO 27001 certification. CMMC L3 requires a pen test. And certain PCI obligations also require pen tests.
- You’d much rather have someone on your side find the hole than one of the malware groups.
- Internally, you get to find problems you may not have had any idea about.
- Passwords stored in clear text, default credentials on devices, and how a threat actor could move around in your environment are all pertinent examples.
- Externally, a pen test lets you truly understand your exposure.
- Yes, vulnerability scans are important, but they really only tell part of the story.
How do you determine if a pen test is the right security test for you?
When should I get a penetration test?
Think of it this way: if you wanted to find out how effective the security system of your house was, you could hire someone to attempt to burglarize you and your home.
That’s essentially what a pen test does.
The attempted break-in would be a lot like what an ethical hacker would attempt to do. Can we get in and what can we do when we get there?
If you don’t have a home security system in place yet, the staged break-in would be too easy. Without the installation of security controls like locks, an alarm, cameras, etc.—and an inspection to ensure they’re properly installed—testing if someone can break in would be pointless.
The same is true with a penetration test. If you’ve never had a proper security assessment done on your organization and security practices (or if you don’t have security practices in place at all), finding out how vulnerable they are is both premature and a waste of your time and money.
For this reason, we recommend that an organization has a security risk assessment and vulnerability scanning done (at minimum) before they seek a pen test.
What is the difference between penetration testing and vulnerability testing?
Understanding if a penetration test is right for you often starts with understanding the differences between a vulnerability test and a pen test.
These two tests are often confused.
The most important distinction is the goal of each service. Vulnerability tests widespread sweeps for security weaknesses in your organization’s infrastructure. These scans, typically using automated tools, identify potential exposures and focus more on the controls you have in place that prevent cyber attacks.
A penetration test on the other hand is meant to exploit those weaknesses. The ethical hackers who conduct these tests attempt to gain unauthorized access to your systems and assets. Ultimately, they help organizations test their reactive controls and their attack detection capabilities more than the preventative ones.
You can see where a penetration test might be better suited for an organization that has a more mature security program as mentioned above.
If you still think a pen test is the right step for your organization, there are some things you should look for in a provider.
What Should I Look For in Testing Services?
There are three things you should consider before selecting someone (or an organization) to conduct the pen test for you:
Pen Test Methodology
Is the tester just going to wing it or is there a process rooted in an industry standard? A lack of documented, repeatable methods is a sign that you’re working with sub-par pen testers.
Consider vetting which penetration testing tools they use. Ensure they are up-to-date on current hacking trends and exploitable vulnerabilities, and that they start their testing with any security weaknesses related to those.
Solid Reporting
Don’t settle for someone who’s only going to point out problems. Expect (again, at a minimum) an executive summary, a full report with the attack surface and attack narrative, and appropriate, doable recommendations rooted in reality.
A Real Penetration Tester
Insist on talking to your pen tester and/or security team. It’s important to vet their background and experience.
At FRSecure we have an entire team dedicated to pen testing for clients all year round. Our team has OSCP training as well as numerous competition awards (like Defcon CTF and Wild West Hacking Fest). If you’re going to have one of these tests done, find ethical hacking professionals who have similar experience and accolades, so you know you’re not just getting some “script kiddie.”
How much does a penetration test cost?
At FRSecure, we believe in telling the truth (it’s actually our number one core value as a company). After searching for the cost of a network penetration test on my favorite search engine, few people ACTUALLY attempted to answer the question. Most just said, “it depends.”
Well, buckle up, because
Let’s do this by organization size.
External Network Penetration Test Pricing
External testing attacks network devices from the internet.
- $5,000 – $10,000 for small to medium-sized businesses with fewer than 25 active, public-facing IPs.
- $10,000 – $15,000 for upper mid-market companies with 25-50 active, public-facing IPs.
- $20,000+ for large companies with more than 50 active, public-facing IPs.
Internal Network Penetration Test Pricing
Internal testing attacks network infrastructure from inside your network.
- $16,000 – $22,000 for small to medium-sized businesses with <500 network devices.
- $23,000 – $34,000 for upper mid-market companies with 501-3,000 network nodes.
- $35,000+ for large companies with thousands of network nodes.
If your penetration test is pursuant to PCI compliance, an additional $3k – $10k is typically added—depending on scope. There’s simply more paperwork and a level of tedium to get it right.
Of course, I’m obligated to say that every network is different and that you should get a customized quote. Get a few. Make sure they are apples-to-apples comparisons—and that they actually meet your network security objectives.
For more information on penetration testing, social engineering, vulnerability scans, and other technical security services, and to find out how to schedule one for your organization, visit frsecure.com.
Thank you for explaining that with a penetration test, you should expect at least an executive summary and not just someone that will point out problems. I can imagine that if I owned a business, that I would want to be sure that my information as well as the information of my clients to be secure. I will be sure to remember this if I ever have a concern with the security of technology in any setting and recommend a penetration test.