Penetration TestingA penetration test, also known as a pen test, is an authorized simulated attack on computer systems, devices, and networks to determine if an attacker can reach a target objective defined by the customer and the pen testing company. A pen test differs from a security assessment or security scan because it includes exploitation of vulnerabilities, as opposed to only finding them.
2nd Sight Lab has internal resources and external partners for all types of pen tests, but specializes in AWS and Web Application Pen Tests.
Scope of Penetration TestsA penetration test for compliance purposes (e.g., PCI, HIPAA) may be limited to what is required to obtain compliance. Recent breaches of compliant organizations demonstrate that compliance does not equal security. A penetration test for security purposes will be broader in scope and will test more security scenarios aligned with top threats in the industry versus only what is covered in a compliance audit. In some cases, a penetration test will be limited to testing for compliance, a specific application, or a new product. The customer defines the scope of the engagement, target systems, and what types of activities are allowed and disallowed. When any third-party systems are involved, the customer must contact the third-party and obtain permission. 2nd Sight Lab can help, but is not responsible for identifying these systems or obtaining this permission.
Length of Time for Penetration TestsA penetration test may last a few weeks, months, or longer, depending on a particular customer's needs. A penetration test is limited in time and scope, unlike a real-world attack that may take place over months or years and has no bounds. Therefore it is not possible for a single penetration test at a single point in time to find and exploit all vulnerabilities. Re-testing on frequent intervals by a pen tester who learns the environment and can repeat testing as new threats emerge and past issues are addressed may be the best approach for companies that can afford it. 2nd Sight Lab develops tools over time to efficiently test and re-test customer environments on an on-going basis upon request.
Penetration Testing QualificationsPenetration testers will typically have relevant security certifications. Although not required for a pen tester to be competent, certifications are one way to determine qualifications. A diverse array of technical knowledge and continuous learning is a critical quality for a penetration tester, since exploits, attack vectors, and tools are continually evolving. For example, a penetration tester with specific knowledge of cloud environments is beneficial when penetration testing applications hosted in the cloud. On AWS, some type of attacks commonly used by penetration testers in non-cloud scenarios are not possible, but new attack vectors using cloud infrastructure and tools exist. Sometimes attacks require custom software and an understanding of the software development life cycle, so pen testers with a software development background may be able to perform a more robust test than someone who only leverages pen testing tools. For financial applications, specific knowledge of financial systems may be helpful, such as reconciliation processes, integrations, e-commerce, and batch processing.
Penetration Test ProcessPen Testing Process Overview
1. Define scope and rules of engagement with customer
2. Set up and Reconnaissance
5. Report Writing and Delivery
Define scope and rules of engagement with customer
2nd Sight Lab works with customers to determine the objective, scope of work, and rules of engagement.
Set up and Reconnaissance
Perform reconnaissance as needed to obtain information about the target organization, systems, and data. Set up and configure systems to target the customer environment.
Scan target systems with various tools to find vulnerabilities.
Leverage known exploits or craft custom exploits to breach systems. Repeat as necessary to attempt to obtain access to target systems and data.
Report Writing and Delivery
Write a report for the customer with detailed findings. When possible, 2nd Sight Lab will not only report on findings, but also provide mitigation strategies.
Request a Penetration TestTo request a penetration test, connect with Teri on LinkedIn or Twitter.