
How to do penetration testing: A step-by-step guide
What is a penetration test?
A penetration test is a simulated attack conducted by third-party security experts that an organization hires to identify vulnerabilities in their networks, systems, and applications. Using the results of the test, the company can mitigate high-risk findings to reduce the attack surface and risk of a data breach.
Penetration testing typically involves testing your security controls — such as authentication, authorization, integrity, and confidentiality — against industry standards. A penetration test should also test your application’s business logic and ensure there are no bypasses that could lead to serious issues.
Penetration testing is often expected by auditors when working toward certifications like ISO 27001 or attestations like SOC 2. It is also used to satisfy regulatory and industry requirements: HIPAA does not name penetration testing but requires a risk analysis and periodic technical evaluation of safeguards, and PCI DSS (an industry standard rather than a law) explicitly requires penetration testing of the cardholder data environment.
Why do I need a penetration test?
Your company's internet-facing assets could be getting hit with thousands of malicious connection requests at any given moment — just ask your WAF provider to show you a recent report of blocked IPs attempting to scan your website. Hackers target businesses of all sizes and industries and often see smaller businesses as easier targets given that they are less likely to have strong data security measures in place, which is why it’s important to be prepared no matter the size of your business.
A penetration test is one of the best ways to understand your risks and build a stronger security posture. Here are some ways that penetration tests can benefit your organization:
Protect your products and customers
An important part of business is earning the trust of your customers, which means you're responsible for protecting your product, your customer’s data, and their identities even if your application is deployed in a cloud-based ecosystem. Customers may ask you to provide evidence of third-party penetration testing as part of their procurement, legal, and security due diligence.
Avoid penalties
If you store personal data (PII, PHI, or payment card data) and fail to protect its security and privacy, you could be subject to steep monetary penalties from legal and regulatory authorities. Regular penetration tests help you avoid fines by discovering misconfigurations, weak encryption, vulnerabilities, default credentials, and sensitive data inadvertently exposed by your APIs, applications, and data stores.
Continuous security validation
Penetration testing can verify if your security tools, such as your WAF or email filters, are working as advertised. It can also identify any changes to your company’s security posture as your business activities, users, employees, partners, and competitors continuously change.
Meet compliance requirements
A penetration test report, or letter of attestation, from a penetration tester is often required by your regulators, insurance companies, and your clients to ensure that you have threat and vulnerability management practices in place.
Achieve and maintain security attestations
A penetration test is commonly expected by SOC 2 and ISO 27001 auditors as evidence of a mature threat and vulnerability management practice (neither standard names penetration testing outright; see the SOC 2 and ISO 27001 sections below). These standards are designed to verify that your organization maintains high data security. Because of this, an ISO 27001 certification or a SOC 2 report is often required by customers before they will do business with you.
Types of penetration tests
There are varying types of penetration tests depending on your organization’s priorities and the types of risks you want to assess. There are two main focus areas to choose from for your penetration tests: Testing for external attacks or for insider threats.
The focus you choose for your penetration test will impact the type of pen test used. These pen test methods include:
- Blackbox: The penetration tester receives no test accounts, credentials, or internal documentation for your applications and infrastructure components (databases or servers). This most closely simulates an external attacker with no inside knowledge of your system.
- Whitebox: The tester is given full knowledge of the environment, typically including architecture documentation, source code, and credentials with the same permissions an employee of your business would have. This lets them test what an insider, or an attacker who has compromised an employee account, could access and affect, and it finds deeper defects in less time than a blackbox test.
- Graybox: The tester receives limited knowledge of and access to your system, for example a typical customer account, and is asked to try to escalate from there. This shows you what access someone could reach through a customer account.
- Double blind: A blackbox test, also called a covert or red-team engagement, in which as few internal employees as possible are told about the test. This lets you see both what an external party could get access to and how your security team detects and responds to the attack.
 
How to perform penetration testing
The stages of a penetration test can vary based on the tester you hire and the type of pen test you choose, however these are the steps that are generally involved:
Step 1: Planning and scoping
Before your tester can launch into your pen test, you need to figure out what you’re testing for. This includes determining what type of penetration test you want (blackbox, graybox, etc.). You can also establish the scope of your pen test by choosing the attack vectors you'd like to test for vulnerabilities:
- Network: You provide a range of IP addresses and the active hosts within that range, plus any hosts that must be excluded.
- Applications: You provide production URLs and any subdomains for web apps, or binaries, devices, and download links for mobile applications. Alternatively, you can provide demo or test versions of the applications that mimic production apps and environments.
- APIs: You provide the API documentation or specification (for example an OpenAPI definition), the number of endpoints, and test credentials for each role the API supports. The number of endpoints and roles drives the effort estimate.
- Physical: On-site attacks to access physical network devices and wireless access points.
- People: You may or may not provide a list of target emails. Penetration testers can research social media and open-source intelligence to build target lists, register look-alike domains, and set up cloud servers to get past your email filters, deliver phishing links to target users, and take control of their machines.
- Cloud: Penetration testers will try to exploit cloud-based services, serverless functions, containers, SQL/NoSQL stores, APIs, and management consoles, and misconfigured identity and access policies, to attack your applications.
- IoT devices: Any hardware device with an IP address is a target. Devices still running with default credentials or unpatched firmware are an easy first foothold.
 
Step 2: Gathering intelligence
As your tester begins the penetration test, they start with observation and reconnaissance: passive collection (DNS records, certificate transparency logs, public code repositories, job postings, employee names) followed by active probing of the targets in scope. The goal is to learn how your system is built and to find the paths most likely to reach the most valuable data.
Step 3: Scanning
Once the tester has a better understanding of your ecosystem, they enumerate it: port and service scans, software version identification, and vulnerability scans to see how each component responds. This shows them which attack paths look most promising and which are more closely guarded, and it is where a scope-enforcement check matters most, since scanning out-of-scope hosts can disrupt production or breach your agreement.
Step 4: Gaining access
Now that the tester has mapped their options and identified the best ways into your data, they launch a more structured and aggressive attack: exploiting the vulnerabilities found, abusing weak or default credentials, and chaining application logic flaws to gain access to your systems, then escalating privileges and moving laterally from the initial foothold.
Step 5: Remaining in your system
Proper data security is not only about preventing cyberattacks but also about detecting and ending them quickly. In this phase the tester tries to keep the access they have gained (persistence) and to reach further systems, as a real attacker would, while noting whether your monitoring detects the activity and how long it takes your team to remove them.
Step 6: Analysis and reporting
When the pen test has been completed, your tester will prepare a report or meet with you to discuss their findings. They’ll explain what vulnerabilities they were able to exploit, what they were able to access, and offer potential solutions to help you shrink those vulnerabilities.
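As an added example, not code from the original article, the following Python script ties together the scoping in Step 1 and the scanning in Step 3: it refuses to touch any host outside an agreed scope definition, then runs a TCP connect scan with banner grabbing. So that it runs offline, it starts two constructed services on loopback (one that speaks first like SSH, one that waits for the client like HTTP); the scope ranges, banner text, and ports are assumptions for the example.

```python
"""Scope-enforced TCP connect scan with banner grabbing (added example).

The scope definition, service banners and ports below are constructed for
this example; replace them with the values from your Statement of Work.
"""
import ipaddress
import socket
import threading

# Constructed scope: only loopback is in scope so the example runs offline,
# and one loopback address is explicitly excluded, as a client might exclude
# a fragile production host.
SCOPE = {
    "in_scope": ["127.0.0.0/8"],
    "excluded": ["127.0.0.2"],
}


def in_scope(host, scope=SCOPE):
    """Return True only if host is inside an in-scope range and not excluded."""
    addr = ipaddress.ip_address(host)
    nets = lambda key: (ipaddress.ip_network(n, strict=False) for n in scope[key])
    return any(addr in n for n in nets("in_scope")) and not any(addr in n for n in nets("excluded"))


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of one port. Returns ('open', banner) or ('closed', b'')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, unreachable, or timed out
            return "closed", b""
        try:
            banner = s.recv(128)  # chatty services (SSH, SMTP, FTP) speak first
        except socket.timeout:
            banner = b""  # quiet services (HTTP) wait for the client
        return "open", banner.strip()


def scan(host, ports, scope=SCOPE):
    """Scan ports on host, refusing hosts outside the agreed scope."""
    if not in_scope(host, scope):
        raise ValueError(f"{host} is outside the agreed scope; refusing to scan")
    return {p: scan_port(host, p) for p in ports}


def start_fake_service(banner):
    """Constructed loopback service; returns (listener, port). Empty banner = quiet."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    conn.recv(1)  # hold the connection until the scanner gives up

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """Reserve and release a loopback port so that it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan the two constructed services plus one closed port; return the findings."""
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    http_srv, http_port = start_fake_service(b"")
    closed_port = pick_closed_port()
    try:
        results = scan("127.0.0.1", [ssh_port, http_port, closed_port])
    finally:
        ssh_srv.close()
        http_srv.close()
    return {"ssh": ssh_port, "http": http_port, "closed": closed_port, "results": results}


if __name__ == "__main__":
    out = demo()
    for port, (state, banner) in sorted(out["results"].items()):
        print(f"127.0.0.1:{port}\t{state}\t{banner.decode(errors='replace')}")
    print("10.0.0.5 in scope?", in_scope("10.0.0.5"))  # False: never scanned
```

The scope check sits in `scan()` rather than in the caller so that every code path that opens a socket goes through it; on a real engagement the same check should wrap any tool you drive from a script, and the scope file should be the one attached to the Statement of Work.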
How long does pen testing take?
The time commitment for this process depends on the type of penetration test you’re pursuing.
If it's a black box test with no authentication, the tester may be able to finish most of the work without much involvement from your team during the testing period.
You may be more involved during a whitebox test. If you have a large, complex network and access provisioning process or if you have a complex procurement and legal contract review process, it may take more time to engage a third-party penetration tester.
For most penetration testing companies, it takes one to four weeks to complete a penetration test depending on the size and scope of the attack vectors. While the test itself may not take much of your time, you should allocate sufficient time to fix vulnerabilities that the penetration test uncovers. Typical remediation cycles can take 90-180 days depending on the availability of your resources.
How often do you need a penetration test?
Most auditors or customers will require that you conduct a third-party penetration test at least once a year, if not twice a year. You should choose a penetration test partner who can accommodate penetration tests at regular intervals for an affordable price. If your penetration test is for SOC 2 compliance, the penetration test must be completed before the end of your SOC 2 observation period in order to be included in your control matrix.
How much does a penetration test cost?
The cost of a penetration test can vary depending on the size of your applications, the number of attack vectors, and the type of test you choose. You will have to go through a scoping exercise to get an accurate quote. It can also depend on the penetration testing company's rate card. Large penetration testing companies and higher rates do not necessarily mean that you get top-quality results and attention. Typically these tests start at $5,000 and can go up to $15,000 depending on the scope and the testing company you choose.
Is penetration testing required for SOC 2 and ISO 27001?
One of the most common reasons an organization may invest in a penetration test is to meet the compliance requirements of a specific framework, such as SOC 2 or ISO 27001. In this section, we’ll describe the role that penetration testing plays in these standards.
SOC 2
Because of the way the SOC 2 framework is written, it's up to the discretion of your auditor to determine if you meet the SOC 2 requirements. That said, SOC 2 does require you to identify vulnerabilities in your systems so most auditors will require you to do a penetration test as part of the SOC 2 process. Even if your SOC 2 auditor doesn’t require a penetration test, your customers may still require you to perform them.
ISO 27001
ISO 27001 requires that you manage technical vulnerabilities to prevent their exploitation (Annex A control 8.8 in the 2022 edition, A.12.6.1 in the 2013 edition). A common way to show this for ISO 27001 compliance is to pair a penetration test with regular vulnerability scanning: the vulnerability scan identifies your systems' known weaknesses, and the pen test tells you which of them are actually exploitable and what an attacker could reach through them.
How to choose a penetration testing company
A penetration test is an impactful investment in your data security, so it’s important you choose a pen testing partner that is reliable and will provide you with valuable results. Use these tips to choose the right partner:
- Look for a CREST accredited partner: CREST is an international not-for-profit accreditation body that audits and approves penetration testing organizations for their methodologies, processes, and data handling practices.
- Look for testers' certifications: Ask for the profile of the tester. Hands-on, lab-based offensive certifications such as OSCP, OSCE, CRTP, GXPN, GPEN, GWAPT, GMOB, and GAWN show practical testing skill; broader certifications such as GCIH, GCIA, GCFA, and GSEC show general security and incident response knowledge rather than offensive testing experience.
 - Get a clear Statement of Work (SOW): The SOW should clearly state what's included and not included in the test and have clear timelines for deliverables. Choose a penetration testing company with an all-inclusive fixed price, given that an hourly rate can add up for all the tasks included in a penetration test. The SOW should include an escalation and remediation process and contacts in case the testing impacts your services.
 - Risk analysis: The penetration testing company should provide a business impact analysis to reflect the reality of the risks your organization faces. They should be flexible to accommodate your risk appetite and decision to accept or not accept risks.
 - Insurance requirements: Make sure they have adequate insurance to cover any professional liability due to penetration testing activities.
- Report quality: Experienced auditors and risk managers can challenge the validity of a penetration test done by an inexperienced tester. If the tester does not follow industry best practices and recognized methodologies, the report will not hold up as evidence in audits, legal proceedings, or forensic investigations. Ask for a sanitized sample report before signing.
 
We recommend choosing a penetration testing partner that integrates well with the compliance and security tools your organization uses. This makes it so you can map the findings from your pen test to the compliance framework you're working toward and include them in your existing risk mitigation workflows.
Vanta is the leading trust management platform with compliance automation and continuous monitoring capabilities — offering frameworks like SOC 2, ISO 27001, GDPR, and more. We partner with Prescient Security, which offers penetration testing, expert security reviews, and security test services. By using an integrated service provider and compliance automation solution, you can simplify and streamline your security. Learn more about our partnership.