Penetration Testing
A penetration test, also known as a pen test, is an authorized simulated attack on computer systems, devices, and networks to determine if an attacker can reach a target objective defined by the customer and the pen testing company. A pen test differs from a security assessment or security scan because it includes exploitation of vulnerabilities, as opposed to only finding them.

Scope of Penetration Tests
A penetration test for compliance purposes (e.g., PCI, HIPAA) may be limited to what is required to obtain compliance. Recent breaches of compliant organizations demonstrate that compliance does not equal security. A penetration test for security purposes will be broader in scope and will test more security scenarios aligned with top threats in the industry versus only what is covered in a compliance audit. In some cases, a penetration test will be limited to testing for compliance, a specific application, or a new product. The customer defines the scope of the engagement, target systems, and what types of activities are allowed and disallowed. When any third-party systems are involved, the customer must contact the third-party and obtain permission. 2nd Sight Lab can help, but is not responsible for identifying these systems or obtaining this permission.
Length of Time for Penetration Tests
A penetration test may last a few weeks, months, or longer, depending on a particular customer's needs. Often an engagement will last 3-4 weeks. A penetration test is limited in time and scope, unlike a real-world attack that may take place over months or years and has no bounds. Therefore it is not possible for a single penetration test at a single point in time to find and exploit all vulnerabilities. Re-testing on frequent intervals by a pen tester who learns the environment and can repeat testing as new threats emerge and past issues are addressed may be the best approach for companies that can afford it. 2nd Sight Lab develops tools over time to efficiently test and re-test customer environments on an on-going basis upon request.
Penetration Testing Qualifications
Penetration testers will typically have relevant security certifications. Although not required for a pen tester to be competent, certifications are one way to determine qualifications. A diverse array of technical knowledge and continuous learning is a critical quality for a penetration tester, since exploits, attack vectors, and tools are continually evolving. For example, a penetration tester with specific knowledge of cloud environments is beneficial when penetration testing applications hosted in the cloud. On AWS, some type of attacks commonly used by penetration testers in non-cloud scenarios are not possible, but new attack vectors using cloud infrastructure and tools exist. Sometimes attacks require custom software and an understanding of the software development life cycle, so pen testers with a software development background may be able to perform a more robust test than someone who only leverages pen testing tools. For financial applications, specific knowledge of financial systems may be helpful, such as reconciliation processes, integrations, e-commerce, and batch processing.
Penetration Test Process
Pen Testing Process Overview
1. Define scope and rules of engagement with customer
2. Set up and Reconnaissance
3. Scanning
4. Exploitation
5. Report Writing and Delivery

Define scope and rules of engagement with customer
2nd Sight Lab works with customers to determine the objective, scope of work, and rules of engagement.

Set up and Reconnaissance
Perform reconnaissance as needed to obtain information about the target organization, systems, and data. Set up and configure systems to target the customer environment.

Scanning
Scan target systems with various tools to find vulnerabilities.

Exploitation
Leverage known exploits or craft custom exploits to breach systems. Repeat as necessary to attempt to obtain access to target systems and data.

Report Writing and Delivery
Write a report for the customer with detailed findings. When possible, 2nd Sight Lab will not only report on findings, but also provide mitigation strategies.
Request a Penetration Test
To request a penetration test, please use one of the means of contact listed below or meet Teri Radichel at an upcoming security event.
Cloud Security Classes
SEC545: Cloud Security Architecture and Operations
Washington, DC
Jul 30, 2018 - Aug 3, 2018
Sold Out
Join Waiting List

SEC545: Cloud Security Architecture and Operations
Clarksburg, WV
Aug 13, 2018 - Aug 17, 2018
Sold Out

SEC545: Cloud Security Architecture and Operations
Washington, DC
Aug 20, 2018 - Aug 24, 2018
Sold Out
Join Waiting List

SEC545: Cloud Security Architecture and Operations
Sacramento
Oct 1, 2018 - Oct 5, 2018
Register Now

SEC545: Cloud Security Architecture and Operations
Atlanta
Oct 22, 2018 - Oct 26, 2018
Register Now

If you are interested in sponsoring a class at your location please call 206.909.8374 or connect on LinkedIn or @teriradichel.

Teri Radichel, CEO
Security Certifications
SANS Security Instructor
IANS Faculty
Infragard
Difference Maker
AWS Hero
Public Speaker
@teriradichel
LinkedIn Profile

Seattle AWS Meetup
2nd Sight Lab is a sponsor of the Seattle AWS Architects and Engineers Meetup. Join us.

206.909.8374 . @teriradichel . LinkedIn . Work . Certifications
© 2018 2nd Sight Lab, LLC | Seattle, Washington