When cheaper is not better: a quick guide to penetration tests

An IT administrator recently vented his frustration about commissioning a penetration test.

He wanted an in-depth assessment of his environment to confirm that his network was running with a low risk profile, while still keeping every required service available to his users.

His firm has cloud services, several sensitive databases, internal and external networks, not to mention multiple operating systems (the designers “demanded” Apple products).

The idea was to contact a few reputable penetration experts and see what they recommended.

“I contacted three firms, and each came back with different propositions. One of them thought a penetration test was just running a few auto scans that spit out an auto report. I’m guessing I’m the one who will have to sort through the findings? And then they guaranteed it would be a cheaper option.”

“I told them that I don’t want cheap. I want an expert to help me reduce my attack surface!”

Demand for penetration testing has certainly risen over the last decade. That is hardly surprising, given how many regulatory bodies and cybersecurity experts recommend (and sometimes require) regular penetration tests of systems.

With demand up, new service providers have entered the market, and while the services on offer use the same terminology, their quality and price vary wildly.

If you want to assess or reduce your attack surface, penetration tests are an important component of your IT security policy, provided you buy the right kind.

Here is some key information to assist you in your search for a penetration test that is right for you.

Vulnerability scans vs. penetration tests

Vulnerability scans and penetration tests are different things, though some newcomers to the market use the terms interchangeably.

A vulnerability scan is a largely automated process that checks your systems against a database of thousands of known vulnerabilities that may be weakening your defenses. You get a list of the vulnerabilities detected on each system, and some scanning solutions also suggest remediation steps. Nobody has confirmed that the findings are actually exploitable in your environment, so the list typically contains false positives that somebody still has to sort through.

A penetration test may use vulnerability scans as part of its toolkit, but it also relies on trained experts whose job it is to try to gain unauthorized access to your network, heading straight for sensitive data or files by bypassing your existing security defenses. The idea is to mimic a real attacker, so that the defenses shown to be exploitable can be properly hardened before a real attacker finds the same route.

Some penetration tests also use social engineering to obtain login details from employees, abuse the corporate Wi-Fi to reach systems and accounts the tester should not be able to reach, and chain together vulnerabilities lurking on the system.

White-box, black-box and grey-box penetration testing

These terms describe how much the testers are told beforehand. They are often confused with “white hat” and “black hat”, which describe whether a hacker is authorized and ethical or a criminal; every legitimate penetration tester is a white hat, whichever box they test from.

White-box testing is where the penetration testers are given a lot of information about the environment they will be testing: architecture, credentials, source code or configuration. This allows tests to be tailored to specific problem areas. It often allows for less disruptive remediation because the testers clearly understand the business objectives, policies, services and processes. Resources are needed up front to get familiar with the systems, but the testing itself is more efficient and covers more ground in the same time.

Black-box testing is where little or no background information is provided to the penetration testing team. They behave like real external attackers targeting a system, starting effectively blind. The task is to find a route into unauthorized and/or sensitive parts of the system.

Proper black-box testing is difficult to budget ahead of time unless you set a time limit, with the understanding that the testers might not discover a given weakness within the allotted window. No resources are spent getting to know your system before the test starts, but the test takes longer because the testers learn the environment as they go, and a finding they run out of time to reach is still a finding a real attacker with unlimited time could make.

Grey-box testing sits between the two. Testers are given some, but not all, of the information before testing starts, for example a set of ordinary user credentials and the list of in-scope hosts, but no internal documentation.

Be wary of out-of-the-box, fixed-priced penetration testing

Penetration testing sold as a commodity, a one-size-fits-all service at a flat price, makes no sense. It is like offering to secure your estate for a flat fee regardless of its size, its location, the number of properties or the number of entry points.

Here are the main areas that will impact the cost:

  • Onsite or offsite: some penetration tests require the tester to be onsite, such as social engineering or physical security penetration tests. Complex networks may also require a visit to accurately understand and test the organization’s digital defenses.
  • Requirements: what do you want to test, and which areas concern you most? The broader the scope, and the more in-depth and bespoke the tests, the more resources are needed.
  • Remediation: do you want to review and implement the report findings yourself, or do you want remediation advice from the penetration testing team? A good, experienced team can quickly prioritize the findings and propose efficient fixes for the vulnerable areas of your system.
  • Complexity: the work varies widely in scope depending on the number of users, the environment and the network devices involved. The more web apps you have, for example, the more penetration testing time will be required.
  • Experience: more experienced and expert penetration testers tend to cost more. If strategic counsel from your penetration team would be valuable, you need a team with business acumen and real-world experience; a newly accredited graduate might not fit the bill.

TBG Security for quality penetration testing

TBG Security provides quality penetration tests and risk assessments tailored to a firm’s needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or an online provider, we can help. We are not the cheapest out there, but we are among the best.

Get in touch. We can chat about your needs and help you figure out the best approach for you.
