Cybersecurity Issues for Businesses in 2020

Penetration Testing: Approach, Methodology, Types of Tests and Rates

The current trend is to strengthen the security requirements placed on customers, partners and investors. Security audits have become accessible to small and medium-sized companies, for whom they are now a prerequisite for collaborating with large companies on IT matters. In fact, large companies almost systematically include requests for security audit reports in their purchasing processes. The introduction of the GDPR two years ago also made companies aware of data security issues in business sectors where risk awareness was previously low. Security certifications (ISO 27001, HDS, PCI-DSS, SOC2, etc.) are increasingly popular among small and medium-sized companies, as a way of differentiating themselves and treating security as a quality issue.

There are various types of security audits, mainly: organisational audits, technical audits, and penetration testing. These different types of audits can be carried out on a broader or narrower scope, depending on whether the company wishes to evaluate its entire information system or only certain areas identified as priorities. In this article, we focus on penetration testing (pentest).

What is a Penetration Test?

A penetration test consists of testing the security of an information system by carrying out attacks against it, in order to identify vulnerabilities and to recommend security fixes.

Penetration testing and vulnerability testing differ in their objectives. Vulnerability testing relies on automated scanners to quickly identify the most common vulnerabilities. Penetration testing goes further. In particular, it includes the search for logical flaws, which automated tools cannot detect, and a phase of manual exploitation of the identified vulnerabilities. It is a more comprehensive and proven security audit method, which makes it possible to measure the real impact of any type of flaw.

A penetration test can include black box, grey box or white box tests. Black-box tests target the attack surface available to any external attacker, while grey-box tests target areas accessible only to customers, partners or employees of an organisation. A white-box audit analyses the security level with the same level of access as a system administrator (server, application…).

The deliverable produced after a penetration test is a security audit report that presents the identified vulnerabilities, classified by criticality level, together with technical recommendations for remediation. In addition to the report, a non-technical summary can also be delivered for presentation to the management committee or to partners.

Penetration Test Methodology

A penetration test is based on a four-phase methodology, which is a cyclic process: Recon, Mapping, Discovery, Exploitation.

Recon

The recon phase consists of searching for open-source information about the target of the security audit. All information potentially useful to an attacker is collected, for example: IP addresses, domain and sub-domain names, types and versions of the technologies used, technical information shared on forums or social networks, data leaks…

Mapping

The mapping phase consists of listing all the functionalities of the audit target. This step gives pentesters better visibility into the most critical and most exposed elements. It is particularly essential when the objective of the security audit is to test all the functionalities of a target.

Discovery

The discovery phase is an attack phase: pentesters look for vulnerabilities through manual searches complemented by automated tools. The objective is to discover as many vulnerabilities as possible on the target.

Exploitation

The exploitation phase consists of testing possible exploitations of the flaws identified in the previous phase. Certain flaws can be used as “pivots” to discover new vulnerabilities. Exploiting security vulnerabilities makes it possible to evaluate their real impact and therefore their criticality level.

Types of Tests

Web Platform

Tests conducted on Web platforms search for vulnerabilities related to the Web server configuration and to the application layer.

Server-side issues include open and insecure services, outdated software, and configuration errors.

On the application side, this covers the vulnerabilities listed by OWASP (including the Top 10), as well as logical vulnerabilities related to the implementation of workflows, and vulnerabilities recently discovered in the technologies used by the developers.

Mobile Applications

Tests performed on mobile applications (excluding mobile APIs and servers) include static and dynamic analysis of the applications.

Static analysis consists of extracting elements of the application (meta-information and source code) in order to reverse engineer it.

Dynamic analysis consists of looking for vulnerabilities while the application is running on a device (at runtime), for example to bypass controls or to extract data from RAM.

Common vulnerabilities in mobile applications are listed by OWASP (including the Mobile Top 10).

Connected Devices – IoT

Tests on connected devices search for security flaws in the object’s entire ecosystem: hardware, embedded software, communication protocols, servers, Web and mobile applications.

Tests on the hardware, firmware and communication protocols are specific to the object itself, e.g. dumping data via electronic components, firmware analysis, signal capture and analysis…

Infrastructure and Network

Tests performed on an external infrastructure consist of scanning the company’s public IPs and the services exposed online, in order to identify flaws related to service configuration and to the operating system architecture.

Tests on an internal corporate network involve mapping the network to look for vulnerabilities on workstations, servers, routers, proxies and other network devices.

Social Engineering

Testing the “human factor” of the company assesses how a company’s staff react when facing phishing attempts, telephone attacks and physical intrusion.

Techniques used include, for example, sending phishing and spear-phishing emails, using cloned interfaces and malware, collecting sensitive information through phone calls, and malicious USB devices.

What’s the Result of a Penetration Test?

Security Measures and Best Practices to Implement

The final aim of the penetration test is to provide concrete recommendations to improve the security level of the target.

The next step is therefore to act on these recommendations in order to correct the most critical vulnerabilities as far as possible. Some fixes can also be integrated into functional and technical development projects, or applied to other systems similar to the target of the pentest.

A penetration test also makes it possible to change certain practices, to implement new processes strengthening security and to improve the company’s level of awareness regarding risks.

Complementary Analysis

Following a penetration test, it may be advisable to conduct additional analyses, for example:

  • More in-depth penetration tests, or tests on portions of the target not included in the scope of the previous test;
  • White box audits, to take the security analysis a step further.

Depending on the vulnerabilities identified, security analyses can be complemented with security training for technical and/or non-technical teams.

Frequency of Penetration Testing

Penetration testing provides an assessment of the security level of a target at a given time T. Then comes the question of frequency: how often should this type of test be repeated?

This depends on the level of risk to which the company is exposed, the regulatory and commercial stakes around the target, how exhaustive the previous penetration test was, how frequently the target evolves technically and functionally… In some cases, the choice will be one pentest per month; in other cases it will be one pentest per year.

Strategy examples for software publishers and start-ups:

For a mid-sized software publisher with high security requirements from its customers and whose product requires a high number of pentest days:

  • 2 pentests per year on the product, with a different functional scope from one session to the other,
  • 1 social engineering pentest every year,
  • 1 external infrastructure pentest every two years,
  • 1 internal network pentest every two years.

For a FinTech start-up, PCI-DSS certified, with high security requirements:

  • 1 pentest per quarter, with a different functional scope from one session to the other,
  • Security training for developers.

For an SME wishing to prevent the main security risks:

  • 1 pentest of its information system (external and internal) every two years,
  • Training for people in charge of security issues.

What is the Cost of Penetration Testing?

A penetration test generally costs between 3k€ and 20k€, depending on the scope and conditions of the audit.

Examples of price packages:

20 to 25k€ for a security audit including a pentest of the external information system, of the internal network and social engineering tests.

10 to 15k€ for a security audit including 3 or 4 pentest sessions on a software following the release of new features.

5 to 10k€ for an in-depth pentest on a business software, a company network or a connected device.

1.5 to 5k€ for a first pentest focusing on the main risks for the company.