Our Approach To Penetration Testing
Every business need is different - that's why we take the time to learn your requirements.
Targeted Assessment
We focus on areas of greatest risk by identifying your “crown jewels” to keep sensitive data protected and to prevent compromises.
Certified Assessors
PurpleSec’s team is composed of certified U.S.-based cybersecurity professionals holding OSCP, OSWE, OSWP, OSCE, and more.
Client-Centric
From start to finish you’ll have a dedicated point of contact that’s invested in achieving your business and security goals.
Our Penetration Testing Capabilities
Our experts provide point-in-time assessments of:
Internal Network Penetration Testing
Internal network penetration testing uncovers vulnerabilities in configurations and encryption, targeting unauthorized access to defend against privilege escalation, eavesdropping, and MITM attacks.
External Network Penetration Testing
External network penetration testing explores assets for flaws, focusing on threats like phishing and security perimeters to defend against data breaches, unauthorized access, and DDoS attacks.
Web Application Penetration Testing
Web app penetration testing reveals SQL injections, misconfigurations, and data exposure, targeting weaknesses to defend against credential stuffing, phishing, and session hijacking.
Social Engineering Penetration Testing
Social engineering penetration testing simulates tactics like phishing and pretexting, probing for human vulnerability to safeguard against information leaks, unauthorized access, and fraud.
Wireless Penetration Testing
Wireless penetration testing evaluates WiFi network security, focusing on identifying vulnerabilities in network protocols and device configurations to defend against unauthorized access.
Red Teaming & Table Top Exercises
Red teaming simulates an attack, including strategy and tactics. Table Top Exercises simulate an organization’s response to a security incident, ensuring a thorough evaluation of your security.
How Our Penetration Testing Services Work
Our assessors come equipped with the latest technologies and techniques.
We send an onsite device or an agent for network tests or request access to the application.
We use MITRE’s ATT&CK framework and the OWASP Top 10 to simulate typical attacks.
A certified offensive security expert provides immediate and actionable results.
We deliver the report and schedule a review call with your team and the assessor.
“We’ve partnered with PurpleSec to cover our clients’ penetration testing needs and couldn’t be happier! From proposal to service delivery, the PurpleSec team does a fantastic job at communicating and providing a high level of detail in their work.”
– Kyle McNaney, CTO
R3 IT
Penetration Testing Services Phases
Our penetration testing methodology runs through 7 key phases:
1. Planning
The first stage involves defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used. Our testing team works in conjunction with engineering teams, system owners, and the client’s security team to establish the scope of our test.
2. Reconnaissance
The next step is gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities. While we hope asset inventory is 100% accurate, we know that this is rarely the case. This step involves Nmap scans and OSINT to locate assets not supplied in the discovery call request.
3. Scanning
The next step is to understand how the target will respond to various intrusion attempts. This step can involve automated, manual, and security functionality testing depending on the scope of the assessment. In general, automated scans will be performed first as results from these can help expose areas that need more manual testing.
4. Gaining Access
PurpleSec will review the identified vulnerabilities and misconfigurations. This validation is performed through targeted penetration testing that focuses on high-risk findings. Exploitation of these findings often yields access to critical systems and sensitive information vital to operations.
5. Maintaining Access
The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months to steal an organization’s most sensitive data.
6. Analysis
The analysis phase is where all findings are analyzed for validity and assigned a risk rating. The risk rating is based on a few factors, such as the ease of the exploit, what kind of asset it is attributed to, and the potential outcome if exploited.
7. Reporting
The final step has PurpleSec combining all findings into a report that can be understood by both technical and non-technical personnel. This report will be extremely detailed with step-by-step details on how to recreate all the major findings and recommendations on how to remediate them.
Why Choose PurpleSec's Penetration Testing Services?
At PurpleSec, our offensive security experts will establish a framework to proactively identify and classify vulnerabilities in applications or an IT infrastructure to reduce risk.
This approach ensures that we prioritize work on the areas of greatest risk by identifying the strengths and weaknesses of your penetration testing program, thereby maximizing the ROI of your security initiatives.
End-To-End Project Management
Get actionable results within 4 weeks of a signed contract and immediate insights on critical vulnerabilities.
Penetration Testing Services Deliverables
Analysis and reporting delivered by an offensive security certified professional.
Reconnaissance
PurpleSec autonomously maps the organization’s attack surface.
Scanning
PurpleSec runs a vulnerability assessment to understand risk.
Credentials
PurpleSec challenges collected organizational credentials.
Endpoint Resiliency
PurpleSec's safe malware replicas challenge endpoint devices.
Lateral Movement
PurpleSec advances with post-exploitation steps to create a full attack chain.
Data Exfiltration
PurpleSec validates the data leakage protection system and C2 ports.
Remediation
PurpleSec prioritizes remediation based on the importance of each root-cause vulnerability.
Frequently Asked Questions
Why do you need a penetration test?
Performing a penetration test is the only way to know how effective your existing security measures are at defending against an attacker.
Cybersecurity risks are increasing with unparalleled speed, frequency, and sophistication. As organizations adopt more technology to streamline operations and achieve their goals, the risk of being a victim of a cyber attack grows exponentially.
To overcome these threats, organizations must perform continuous risk management and strive to improve their cybersecurity posture. Thirty years of history have shown that cyber risk is difficult to understand, problematic to hedge, only likely to increase, and characterized by a continually changing threat environment.
A penetration test is a real-world scenario that simulates the actions a threat actor would take to compromise your systems for malicious purposes.
What's the difference between penetration testing and vulnerability scanning?
Vulnerability scanning identifies known vulnerabilities, lack of security controls, and common misconfigurations within systems on a network.
Penetration testing simulates an attack to exploit weaknesses to prove the effectiveness of your network’s security.
The main difference is that vulnerability scanning is used for both defensive and offensive cybersecurity strategies while penetration testing is offensive in nature.
Many providers will sell their services as a penetration test, but attempt to pass off a vulnerability scan as one. This is also known as a "smoke test."
With PurpleSec, you get a dedicated point of contact and a certified assessor. This approach provides a more thorough assessment of your security defenses.
What are the types of penetration testing?
The different types of penetration tests include:
- Network: Tests the security of network infrastructure components like servers, workstations, printers, firewalls, and routers. Testers might use port scanning and vulnerability scanning, and attempt to exploit known vulnerabilities in network protocols or services.
- Web Application: Examines vulnerabilities in web-based applications and their components. This could involve attempting SQL injection, cross-site scripting (XSS), or testing for insecure direct object references.
- Client-Side: Focuses on identifying weaknesses in client-side applications like email clients, web browsers, and office suites. Testers might craft malicious files or web pages to exploit vulnerabilities in these applications.
- Wireless: Assesses the security of wireless networks and connected devices. Testing could include attempting to crack WiFi passwords, setting up rogue access points, or intercepting wireless traffic.
- Social Engineering: Simulates attempts to manipulate or trick users into revealing sensitive information. This might involve sending phishing emails, making vishing (voice phishing) calls, or attempting to gain physical access through impersonation.
- Physical: Tests the effectiveness of physical security measures to protect infrastructure, buildings, and systems. Testers might attempt to bypass locks, tailgate employees, or access restricted areas without proper authorization.
- Firewall: Specifically examines firewall configurations and attempts to bypass them. This could involve probing for misconfigured rules, attempting to exploit known vulnerabilities in firewall software, or finding ways to tunnel traffic through allowed ports.
What method of penetration testing do I need?
There are several approaches to penetration testing, each with its own advantages and use cases. The choice between white box, black box, or gray box testing depends on your organization's specific security needs and goals.
White Box Penetration Testing
White box penetration testing, also known as clear box or transparent box testing, provides the tester with full access and complete knowledge of the target system. This includes source code, credentials, documentation, and multiple account roles.
White box testing is ideal when you want to:
- Evaluate your application security in-depth.
- Test from a developer's perspective.
- Uncover vulnerabilities in the logic flow of an application.
- Assess critical systems like banking applications.
- Perform thorough testing at an early stage of development.
Black Box Penetration Testing
Black box penetration testing simulates a real-world attack scenario where the tester has no prior knowledge of the system. The assessor is given only the target URL and mimics the behavior of an external attacker.
Black box testing is suitable when you want to:
- Evaluate your security posture from an outsider's perspective.
- Test your application, infrastructure, or network in a scenario closest to a real-life attack.
- Assess smaller scopes or specific components.
- Conduct a cost-effective security assessment.
Gray Box Penetration Testing
Gray box penetration testing falls between white box and black box approaches. The tester has partial knowledge of the system, such as basic architectural information or limited access credentials.
Gray box testing is appropriate when you want to:
- Balance the depth of white box testing with the real-world simulation of black box testing.
- Evaluate internal and external vulnerabilities.
- Test complex systems where some knowledge is beneficial but full disclosure isn't necessary.
- Optimize testing time and resources.
In order to maximize the ROI of your penetration test, PurpleSec recommends a white box, or assumed breach, approach. This means we assume the attacker has already accessed your network or application.
The purpose of an assumed breach scenario is to test your security measures in place to prevent an attacker from moving laterally across your network or applications to steal sensitive data or deploy malware. This approach allows for a more thorough assessment of your internal security controls and provides actionable insights to improve your overall security posture.
This method aligns with the growing sophistication of cyber threats and helps ensure that your organization is prepared to defend against both external and internal attacks.
How often should you perform a penetration test?
You should perform a penetration test on your network and web applications at least annually. Social engineering testing should also be conducted at least annually.
PurpleSec strongly recommends performing a penetration test quarterly as new vulnerabilities are discovered daily along with innovative attacks and techniques.
The frequency of performing a penetration test also depends on:
- Compliance requirements.
- Acceptable risk tolerance.
- Significant infrastructure changes.
- Large updates or deployments of code.
For infrastructure changes and large code deployments, it is recommended you perform a test immediately following the project.
How much does a penetration test cost?
The average cost of a penetration test ranges from $8,000 - $20,000 for most organizations. However, depending on the scope and frequency of the test it could be as high as $100,000.
Other factors that impact the cost include the type of penetration testing being performed as well as the methodologies used.
How long does a penetration test take?
On average a penetration test takes 4 weeks to perform. The assessment may take 4-5 days while writing the report and presenting findings may take up to 3 weeks.
Engagements can last up to 12 weeks for organizations with larger applications, 200+ endpoints, or a social engineering engagement.
Other factors that may increase the length of the engagement include:
- The time spent to onboard.
- Getting access for the assessor to perform the work.
Will penetration testing disrupt our environment leading to systems going down?
No, a penetration test will not disrupt network services or web applications. At PurpleSec, we take precautions to not disrupt services unless explicitly asked for in the engagement.
For example, if we're performing a penetration test on an application then the preference is to test against a staging or dev environment over the production environment.
Likewise, for a network penetration test, we will not deploy malware to restrict access from employees or perform activities that would cause the network to go down unless contracted to do so.
When partnering with a penetration testing provider, be sure to define the rules of engagement to ensure services aren't disrupted. This is usually outlined within the Penetration Testing Authorization Form (see question below).
What is a penetration testing authorization form?
A Penetration Testing Authorization Form is a document between your business and a cybersecurity firm, allowing them to test your systems for vulnerabilities.
The form outlines the scope of testing, specifying which systems can be tested and which are off-limits. It defines approved testing times to minimize business disruption and includes contact information for key personnel.
By signing, you give legal authorization for the cybersecurity firm to probe your systems. While controlled, these tests may cause temporary service interruptions.
This document protects both parties by defining the test scope for your business.
How do I prepare for a penetration test?
Every penetration testing engagement is unique and therefore needs to be scoped. For an assessor to get started they will need background knowledge of the network or application being tested.
Beyond this, you will need to provide internal resources, or resources from your outsourced vendor, to provide access to the network or application being tested.
The background information needed may include:
Network Penetration Test:
- The primary goal of the assessment.
- Location of sensitive or critical data.
- Authorized IPs and subnets to be tested.
- Number of internal/external IPs.
- Off-limit list (hosts/subnets not to be tested).
- Approved and restricted testing windows.
- Points of contact.
- Network environment details (e.g., servers, workstations, printers, firewalls).
- Number of internal and external IPs in scope.
- If you're working with an MSP or have internal IT.
- If you're already working with a security provider or have a SOC.
- Ownership status of equipment being tested.
- Desired actions upon system penetration (e.g., local vulnerability assessment, privilege escalation attempts, password attacks).
- Timeline for when the engagement should begin and when a report is needed.
Application Penetration Test:
- Domain names in scope.
- Number of web applications to be assessed.
- Number of login systems to be assessed.
- Number of dynamic pages to be assessed.
- Number of user roles in scope.
- Availability of source code.
- Additional documentation on the application.
- Whether static analysis will be performed.
- If fuzzing, role-based testing, or credentialed scans will be conducted.
- Timeline for when the engagement should begin and when a report is needed.
What internal resources are required during a penetration test?
For a network penetration test it is recommended that you include your internal IT team and/or MSP along with at least two internal primary points of contact from your organization.
For an application penetration test, it is recommended that your internal development team or outsourced developer be involved along with at least two internal primary points of contact from your organization.
The most time spent by internal resources will be on remediating vulnerabilities identified during the engagement. Beyond that, PurpleSec only requires a few hours to collect documentation and provide access to our assessors to perform the test.
What is included in the penetration test report?
Every provider's report varies; however, there are 5 main elements you should look for in a penetration test report:
- Executive Summary.
- Organization Risk Rating.
- Test Scope & Methodology.
- Remediation Planning.
- Security Attack Vectors.
At PurpleSec, our reporting provides both a technical and non-technical analysis of the assessment. This allows key stakeholders to follow along with the impact of the assessment while providing actionable insights for IT and development teams.
Our reporting provides an attack narrative along with detailed screenshots of the test. In addition to our remediation guidance, this level of detail enables teams to quickly identify where the issue is and remediate the vulnerability.
Who remediates the vulnerabilities after a penetration test?
Remediation of network vulnerabilities is typically performed by internal IT staff or by your managed services provider. For web applications, this is typically handled by internal or third-party developers of the application.
PurpleSec does not perform remediation of any vulnerabilities.
What is a retest?
A retest is when a penetration tester reassesses the vulnerabilities discovered during the initial assessment. This step is essential for validating that remediation actions were successful. A retest is required to obtain a letter of attestation from your security vendor.
At PurpleSec, all engagements include a retest as part of the initial scope of work.